
Feature request: CLI “audit” mode to print all vulnerabilities (direct + transitive) for a given branch/commit, without creating PRs

Open shuangyAA opened this issue 6 months ago • 0 comments

Summary

We use dependabot/cli to scan feature branches in CI. The CLI currently outputs only what it can update (typically direct deps or cases fixable via lockfile), which means we don’t get a full list of vulnerabilities affecting transitive dependencies.
Our use case needs a printable report (stdout/JSON) of all vulnerable dependencies (direct + transitive) for the current branch/commit without opening PRs.

Problem

  • dependabot/cli update focuses on “what can be updated” (PR semantics).
  • Vulnerabilities in transitive deps often do not surface in the CLI output if the fix requires indirect changes.
  • For feature branch scanning, we need a way to just list all known vulns for the current ref (branch/commit), so CI can log them or gate the build.
  • We want to stay 100% within Dependabot/GitHub (no third-party scanners).

Why existing options are not enough

  • CLI “security-only” requires pre-knowing dependency names/advisories, which is circular for discovery.
  • Dependabot Alerts are great, but today they are not easily consumable per-branch from the CLI, and teams need a single CLI step that works in ephemeral feature branches.
  • We don’t want to open PRs from CI; we only need results printed.

Requested feature

Add a CLI capability (new subcommand or flag) to audit the current project at a given ref and print all vulnerabilities (direct + transitive):

Option A: new subcommand

dependabot audit --ecosystem <eco> --ref <sha|branch> --format json

Prints a machine-readable list of all known vulnerable dependencies for that ref.

Option B: extend update

dependabot update <ecosystem> ... --report-all-vulns --no-pr --format json

Runs the resolution logic for the current manifest/lockfiles and emits a full vulnerability report even for items it cannot directly fix.

Option C: alerts bridge

dependabot alerts --ref <sha|branch> [--format json]

Let the CLI fetch the set of Dependabot alerts relevant to the specified ref/commit (leveraging dependency submission under the hood if needed) and print them.

shuangyAA, Aug 08 '25 17:08
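The following is an added example, not code from the issue author or from the dependabot/cli project, showing how a CI job could consume the kind of per-ref JSON report requested above (Option A or B) and gate the build on it. The report schema (`ref`, `ecosystem`, `vulnerabilities` with `package`, `version`, `relationship`, `via`, `advisory`, `severity`, `fixable`, `patched_version`) is an assumption standing in for the proposed `--format json` output, since no such output exists yet; the sample report is constructed, and its package names and advisory IDs are placeholders. The point it illustrates is the one the request makes: a transitive vulnerability that the updater cannot fix directly is still reported and still blocks, rather than silently disappearing because there is no PR to open.

```python
"""CI gate over a per-ref vulnerability report (assumed schema, see lead-in)."""
import json
import sys
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_ORDER = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample report. The shape is an assumption for the requested
# `dependabot audit ... --format json` output; packages/advisories are placeholders.
SAMPLE_REPORT = json.dumps({
    "ref": "feature/example",
    "ecosystem": "npm",
    "vulnerabilities": [
        {"package": "example-http", "version": "1.2.0", "relationship": "direct",
         "via": [], "advisory": "GHSA-0000-0000-0001", "severity": "high",
         "fixable": True, "patched_version": "1.2.1"},
        {"package": "example-yaml", "version": "3.0.4", "relationship": "transitive",
         "via": ["example-config", "example-yaml"], "advisory": "GHSA-0000-0000-0002",
         "severity": "critical", "fixable": False, "patched_version": None},
        {"package": "example-util", "version": "0.9.0", "relationship": "transitive",
         "via": ["example-http", "example-util"], "advisory": "GHSA-0000-0000-0003",
         "severity": "moderate", "fixable": True, "patched_version": "0.9.2"},
    ],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    relationship: str           # "direct" or "transitive"
    via: tuple                  # dependency path from a direct dep down to this one
    advisory: str
    severity: str
    fixable: bool               # whether the updater has a direct update path
    patched_version: Optional[str]


@dataclass
class GateResult:
    ref: str
    blocking: list = field(default_factory=list)   # at/above the threshold
    warnings: list = field(default_factory=list)   # below threshold, logged only

    @property
    def passed(self) -> bool:
        return not self.blocking


def parse_report(text: str):
    """Parse the report; reject entries with unknown severity or relationship
    instead of silently treating them as harmless."""
    doc = json.loads(text)
    findings = []
    for raw in doc["vulnerabilities"]:
        if raw["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {raw['severity']!r} for {raw['package']}")
        if raw["relationship"] not in ("direct", "transitive"):
            raise ValueError(f"unknown relationship {raw['relationship']!r} for {raw['package']}")
        findings.append(Finding(
            package=raw["package"], version=raw["version"],
            relationship=raw["relationship"], via=tuple(raw.get("via", [])),
            advisory=raw["advisory"], severity=raw["severity"],
            fixable=bool(raw.get("fixable", False)),
            patched_version=raw.get("patched_version"),
        ))
    return doc["ref"], findings


def evaluate(ref: str, findings: list, min_severity: str) -> GateResult:
    """Block on every finding at or above min_severity, direct or transitive,
    fixable or not: an unfixable transitive vuln is still in the build."""
    threshold = SEVERITY_ORDER[min_severity]
    result = GateResult(ref=ref)
    for f in sorted(findings, key=lambda x: -SEVERITY_ORDER[x.severity]):
        bucket = result.blocking if SEVERITY_ORDER[f.severity] >= threshold else result.warnings
        bucket.append(f)
    return result


def describe(f: Finding) -> str:
    path = " > ".join(f.via) if f.relationship == "transitive" else f.package
    if f.fixable and f.patched_version:
        fix = f"fix: {f.patched_version}"
    else:
        fix = "no direct fix; needs a parent update or override"
    return f"{f.severity.upper():8} {f.advisory} {f.package}@{f.version} [{f.relationship}: {path}] ({fix})"


def main(argv: list) -> int:
    min_severity = argv[1] if len(argv) > 1 else "high"
    text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_REPORT
    ref, findings = parse_report(text)
    result = evaluate(ref, findings, min_severity)
    print(f"vulnerability gate for {ref}: {len(result.blocking)} blocking, "
          f"{len(result.warnings)} below '{min_severity}'")
    for f in result.blocking:
        print("  BLOCK ", describe(f))
    for f in result.warnings:
        print("  WARN  ", describe(f))
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py high report.json` (or with no file argument to use the constructed sample); the non-zero exit code is what the CI step keys on. The threshold is a single severity floor on purpose: making "fixable" a condition for blocking would recreate the gap the request describes, where transitive findings without an update path never surface.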