README
¶
Deputy
Deputy enables dependency management at scale.
[!WARNING] This is an early, experimental project. Things will change, and some edges are sharp. If you try it, please share feedback in issues.
- Inventory dependencies across ecosystems, bring your own plugins for custom sources.
- Scan dependencies using vulnerability sources like OSV to produce actionable findings.
- Generate SBOMs (CycloneDX / SPDX via Protobom) for supply chain visibility.
- Diff dependency changes between Git refs, helping code reviews and audits.
- Triage and prioritize findings with optional agent assistance.
- Create remediation plans and optionally apply them automatically.
- Enforce policies in CI and at download-time via a package proxy.
Deputy aims to provide core dependency management primitives along with a unified toolchain, so you can focus on what matters: your code and policies that protect it. The tool is designed for extensibility, performance, and usability at scale; whether you’re an individual developer, a security team, or an enterprise organization. The goal is to empower you to manage dependencies effectively, reduce risk, and maintain a secure software supply chain with minimal friction.
Supported Targets
- Local and remote Git repositories
- Local directories
- Container images (remote registries, local Docker daemon, tarballs)
- SBOM files (CycloneDX / SPDX / Protobom)
- PURLs (Package URLs) for single-package queries
- Dockerfiles (static analysis)
Supported Ecosystems
Deputy scans dependencies across 15 ecosystems via OSV-SCALIBR and custom extractors:
| Ecosystem | Scan | Proxy | Lockfiles / Manifests |
|---|---|---|---|
| Go | ✓ | ✓ | go.mod, go.sum, Go binaries |
| npm | ✓ | ✓ | package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock |
| PyPI | ✓ | ✓ | requirements.txt, Pipfile.lock, poetry.lock, uv.lock, pdm.lock, setup.py, Conda environments |
| RubyGems | ✓ | ✓ | Gemfile.lock, gems.locked, *.gemspec |
| Maven | ✓ | — | pom.xml, gradle.lockfile, JAR/WAR/EAR archives |
| Cargo | ✓ | — | Cargo.lock, Cargo.toml, Rust binaries |
| NuGet | ✓ | — | packages.lock.json, packages.config, *.deps.json |
| Hex | ✓ | — | mix.lock |
| Pub | ✓ | — | pubspec.lock |
| CocoaPods | ✓ | — | Podfile.lock, Package.resolved |
| Packagist | ✓ | — | composer.lock |
| GitHub Actions | ✓ | — | .github/workflows/*.yml |
| Haskell | ✓ | — | cabal.project.freeze, stack.yaml.lock |
| R | ✓ | — | renv.lock |
| C++ | ✓ | — | conan.lock |
Proxy support is available for Go, npm, PyPI, and RubyGems—ecosystems with standardized registry protocols for download-time policy enforcement
Documentation
- Start here: Documentation index
- Getting started: Getting started
- Concepts: Concepts
- Commands: Command reference
- Guides: Guides
- Reference (config/logging): Reference
Quick start
# Diff dependency changes at HEAD in the current repo
$ deputy
# Scan the current repo at HEAD
$ deputy scan
# Turn findings into a remediation plan (and optionally apply it)
$ deputy fix
$ deputy fix --apply .
# Verify dependency changes between refs (default behavior when running `deputy` inside a repo)
$ deputy diff main WORKING
# Generate an SBOM
$ deputy sbom --format spdx-json --output sbom.spdx.json
GitHub Actions
Deputy provides composable GitHub Actions for CI/CD integration. Scan results upload to GitHub's Security > Code scanning alerts tab via SARIF.
name: Security Scan
on: [push, pull_request]
permissions:
security-events: write # Required for SARIF upload
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: picatz/deputy/actions/setup@main
- uses: picatz/deputy/actions/scan@main
with:
upload-sarif: true
policy: policy/ci/security-gate.yaml # Optional: enforce policies
| Action | Purpose |
|---|---|
setup |
Install Deputy CLI (required first) |
scan |
Vulnerability scanning + SARIF upload |
sbom |
SBOM generation (CycloneDX/SPDX) |
diff |
Dependency change analysis for PRs |
proxy |
Block vulnerable packages at install time |
Starter CI policies (policy/ci/) — review and customize for your needs:
security-gate.yaml— Block critical vulns; block high when fixes existpr-review.yaml— Stricter checks for new dependencies in PRsrelease-gate.yaml— Production release requirements
Reusable workflows for standardized security across repos:
scan.yml— Basic vulnerability scanningpr-gate.yml— PR security enforcement with diffrelease-sbom.yml— SBOM generation on release
See the GitHub Actions Guide for workflow recipes, permissions reference, and advanced patterns.
Installation
Go install
$ go install github.com/picatz/deputy@latest
Pin a specific version for reproducibility: go install github.com/picatz/deputy@vX.Y.Z
Build from source
$ git clone https://github.com/picatz/deputy.git
$ cd deputy
$ go build -o deputy .
$ ./deputy --version
How Deputy fits together
flowchart LR
subgraph Input
Target[(Repo / Dir / SBOM)]
end
subgraph Core
Inv[Inventory]
end
subgraph Commands
Scan[scan]
SBOM[sbom]
Fix[fix]
Triage[triage]
Diff[diff]
Proxy[proxy]
end
subgraph Policies
Policy[CEL policies]
end
Target --> Inv
Inv --> Scan
Inv --> SBOM
Inv --> Diff
Scan --> Fix
Scan --> Triage
Policy -.-> Scan
Policy -.-> SBOM
Policy -.-> Fix
Policy -.-> Triage
Policy -.-> Proxy
classDef source fill:#e3f2fd,stroke:#1565c0
classDef process fill:#e8f5e9,stroke:#2e7d32
classDef control fill:#fff3e0,stroke:#e65100
class Target source
class Inv,Scan,SBOM,Fix,Triage,Diff,Proxy process
class Policy control
Legend: Dashed lines indicate policy enforcement paths.
Commands
| Command | What it’s for | Docs |
|---|---|---|
scan |
Find known vulnerabilities via OSV (repos/dirs/SBOMs) | Reference |
fix |
Turn findings into upgrade commands / a plan (optionally apply) | Reference |
triage |
Summarize and prioritize findings (optional agent help) | Reference |
diff |
Compare dependency changes between Git refs | Reference |
sbom |
Emit CycloneDX/SPDX SBOMs at any Git ref | Reference |
list |
Dump normalized PURLs for quick auditing/scripting | Reference |
policy |
Lint/test/eval/bundle policies; authoring tools (LSP) | Reference |
proxy |
Policy-enforcing package proxy (Go/npm/PyPI/RubyGems) | Reference |
Policies and enforcement
Deputy’s core design idea is: write policies once and reuse them everywhere (scan, diff, sbom, fix, triage, and proxy).
# Lint policies before enforcement
$ deputy policy lint policy/examples/*.yaml
# Enforce a policy during scanning
$ deputy scan --policy policy/examples/severity-guardrail.yaml
Proxy (prevent risky dependencies)
If you want preventive controls (not just reactive scanning), run Deputy as a proxy and enforce policies at download time.
$ deputy proxy template > proxy.yaml
$ deputy proxy serve --config proxy.yaml
Configuration
Contributing
See the contributing guide.
License
MIT. See the LICENSE.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
examples
|
|
|
plugins/dotenv-extractor
command
Example Deputy extractor plugin that discovers .env files and reports them.
|
Example Deputy extractor plugin that discovers .env files and reports them. |
|
gen
|
|
|
internal
|
|
|
agent
Package agent provides the agent plugin system for Deputy.
|
Package agent provides the agent plugin system for Deputy. |
|
ai
Package ai provides AI/LLM capabilities for Deputy.
|
Package ai provides AI/LLM capabilities for Deputy. |
|
ai/providers/claude
Package claude provides an AI provider implementation using Anthropic's Claude CLI.
|
Package claude provides an AI provider implementation using Anthropic's Claude CLI. |
|
ai/providers/codex
Package codex provides an AI provider implementation using OpenAI's Codex CLI.
|
Package codex provides an AI provider implementation using OpenAI's Codex CLI. |
|
ai/render
Package render provides consistent rendering utilities for agent output.
|
Package render provides consistent rendering utilities for agent output. |
|
analysis
Package analysis provides OSV vulnerability database integration for Deputy.
|
Package analysis provides OSV vulnerability database integration for Deputy. |
|
analysis/osv
Package osv provides OSV integration and conversion into Deputy's vulnerability domain types.
|
Package osv provides OSV integration and conversion into Deputy's vulnerability domain types. |
|
auth
Package auth provides unified credential management for Deputy.
|
Package auth provides unified credential management for Deputy. |
|
auth/jwt
Package jwt provides reusable JWT authentication middleware for HTTP services.
|
Package jwt provides reusable JWT authentication middleware for HTTP services. |
|
cache
Package cache provides caching primitives for Deputy.
|
Package cache provides caching primitives for Deputy. |
|
cache/disk
Package disk provides persistent JSON-on-disk caching with TTL support.
|
Package disk provides persistent JSON-on-disk caching with TTL support. |
|
cache/lockfile
Package lockfile provides content-hash based caching for parsed lockfile data.
|
Package lockfile provides content-hash based caching for parsed lockfile data. |
|
cache/memory
Package memory provides in-memory caching with bounded size and TTL expiration.
|
Package memory provides in-memory caching with bounded size and TTL expiration. |
|
cache/sources
Package sources provides cache.Source implementations for Deputy's data sources.
|
Package sources provides cache.Source implementations for Deputy's data sources. |
|
cli
Package cli wires together the root Cobra command, its subcommands, and shared runtime concerns (logging, contextual execution) for the deputy tool.
|
Package cli wires together the root Cobra command, its subcommands, and shared runtime concerns (logging, contextual execution) for the deputy tool. |
|
cli/cmd
Package cmd implements Deputy's CLI commands using the Cobra framework.
|
Package cmd implements Deputy's CLI commands using the Cobra framework. |
|
cli/flags
Package flags provides shared parsing helpers for CLI flags.
|
Package flags provides shared parsing helpers for CLI flags. |
|
collections
Package collections provides generic collection utilities for Deputy.
|
Package collections provides generic collection utilities for Deputy. |
|
compare
Package compare provides routines for normalizing Go module/package import paths and computing semantic changes between two package inventories.
|
Package compare provides routines for normalizing Go module/package import paths and computing semantic changes between two package inventories. |
|
config
Package config provides unified configuration management for Deputy.
|
Package config provides unified configuration management for Deputy. |
|
container
Package container provides container-related functionality for Deputy.
|
Package container provides container-related functionality for Deputy. |
|
container/image
Package image provides container image configuration and metadata types.
|
Package image provides container image configuration and metadata types. |
|
demo
Package demo provides demonstration functionality for supply chain security scanning.
|
Package demo provides demonstration functionality for supply chain security scanning. |
|
demo/github-org-inventory
command
|
|
|
dependency
Package dependency provides types for identifying dependencies and their locations.
|
Package dependency provides types for identifying dependencies and their locations. |
|
dependency/graph
Package graph provides dependency graph construction, analysis, and visualization.
|
Package graph provides dependency graph construction, analysis, and visualization. |
|
dockerfile
Package dockerfile provides Dockerfile parsing and static analysis for policy evaluation.
|
Package dockerfile provides Dockerfile parsing and static analysis for policy evaluation. |
|
ecosystem
Package ecosystem provides types and utilities for working with package ecosystems.
|
Package ecosystem provides types and utilities for working with package ecosystems. |
|
errors
Package errors provides domain-specific error types for Deputy.
|
Package errors provides domain-specific error types for Deputy. |
|
explain
Package explain provides comprehensive vulnerability explanation and analysis.
|
Package explain provides comprehensive vulnerability explanation and analysis. |
|
filtering
Package filtering provides filter functions for scan results.
|
Package filtering provides filter functions for scan results. |
|
gitutil
Package git contains enhanced Git reference resolution and diff utilities built on top of go-git.
|
Package git contains enhanced Git reference resolution and diff utilities built on top of go-git. |
|
httputil
Package httputil provides shared HTTP client creation and configuration.
|
Package httputil provides shared HTTP client creation and configuration. |
|
ignore
Package ignore provides vulnerability suppression rules for Deputy scans.
|
Package ignore provides vulnerability suppression rules for Deputy scans. |
|
inputs
Package inputs provides utilities for converting extracted packages into OSV query inputs with manifest metadata enrichment.
|
Package inputs provides utilities for converting extracted packages into OSV query inputs with manifest metadata enrichment. |
|
inventory
Package inventory extracts a dependency inventory (package list) from either the current working tree or a historical commit snapshot.
|
Package inventory extracts a dependency inventory (package list) from either the current working tree or a historical commit snapshot. |
|
inventory/manifests
Package manifests provides helpers for associating files with package managers and manifest paths.
|
Package manifests provides helpers for associating files with package managers and manifest paths. |
|
inventory/plugin
Package plugin provides a client for invoking extractor plugins.
|
Package plugin provides a client for invoking extractor plugins. |
|
inventory/plugins/docker/dockerfilex
Package dockerfilex extracts container base image dependencies from Dockerfiles.
|
Package dockerfilex extracts container base image dependencies from Dockerfiles. |
|
inventory/plugins/github/actionsx
Package actionsx extracts GitHub Actions dependencies from workflow and action manifests.
|
Package actionsx extracts GitHub Actions dependencies from workflow and action manifests. |
|
inventory/plugins/java/gradlex
Package gradlex provides Gradle dependency extractors for Deputy.
|
Package gradlex provides Gradle dependency extractors for Deputy. |
|
inventory/registry
Package registry provides a thread-safe registry for extractor plugins.
|
Package registry provides a thread-safe registry for extractor plugins. |
|
license
Package license provides license lookup and enrichment helpers for Deputy.
|
Package license provides license lookup and enrichment helpers for Deputy. |
|
logs
Package logs provides structured logging utilities for Deputy.
|
Package logs provides structured logging utilities for Deputy. |
|
mcp
Package mcp provides a Model Context Protocol server for Deputy.
|
Package mcp provides a Model Context Protocol server for Deputy. |
|
network
Package network provides secure networking primitives for Deputy.
|
Package network provides secure networking primitives for Deputy. |
|
options
Package options provides a common validation pattern for configuration types.
|
Package options provides a common validation pattern for configuration types. |
|
otel
Package otel provides OpenTelemetry instrumentation for Deputy.
|
Package otel provides OpenTelemetry instrumentation for Deputy. |
|
output
Package output provides a style-aware document model for CLI output rendering.
|
Package output provides a style-aware document model for CLI output rendering. |
|
policy
Package policy provides the CEL-based policy evaluation engine for Deputy.
|
Package policy provides the CEL-based policy evaluation engine for Deputy. |
|
policy/celconv
Package celconv provides type conversion utilities for CEL (Common Expression Language).
|
Package celconv provides type conversion utilities for CEL (Common Expression Language). |
|
policy/lsp
Package lsp implements a lightweight, high-performance Language Server Protocol (LSP) server tailored for Deputy policy bundles.
|
Package lsp implements a lightweight, high-performance Language Server Protocol (LSP) server tailored for Deputy policy bundles. |
|
proto
Package proto provides bidirectional conversion between Deputy's internal domain types and their protobuf representations.
|
Package proto provides bidirectional conversion between Deputy's internal domain types and their protobuf representations. |
|
proxy
Package proxy implements a multi-ecosystem dependency proxy server.
|
Package proxy implements a multi-ecosystem dependency proxy server. |
|
purlx
Package purlx provides Deputy-specific helpers for working with PURLs.
|
Package purlx provides Deputy-specific helpers for working with PURLs. |
|
remediation
Package remediation generates actionable steps to resolve security vulnerabilities.
|
Package remediation generates actionable steps to resolve security vulnerabilities. |
|
report
Package report provides helpers for assembling display- or export-ready views of Deputy data without tying them to CLI rendering details.
|
Package report provides helpers for assembling display- or export-ready views of Deputy data without tying them to CLI rendering details. |
|
report/render
Package render contains CLI-friendly render helpers for report outputs.
|
Package render contains CLI-friendly render helpers for report outputs. |
|
repository
Package repository coordinates go-git repositories with Deputy workspaces.
|
Package repository coordinates go-git repositories with Deputy workspaces. |
|
repository/workspace
Package workspace provides a safe abstraction over on-disk and in-memory filesystems that Deputy scans.
|
Package workspace provides a safe abstraction over on-disk and in-memory filesystems that Deputy scans. |
|
sandbox
Package sandbox provides isolated execution environments for Deputy.
|
Package sandbox provides isolated execution environments for Deputy. |
|
sandbox/runtimes/docker
Package docker provides a Docker container sandbox runtime.
|
Package docker provides a Docker container sandbox runtime. |
|
sandbox/runtimes/gvisor
Package gvisor provides a gVisor sandbox runtime for stronger isolation.
|
Package gvisor provides a gVisor sandbox runtime for stronger isolation. |
|
sandbox/runtimes/none
Package none provides a no-op sandbox runtime for trusted execution.
|
Package none provides a no-op sandbox runtime for trusted execution. |
|
sandbox/runtimes/plugin
Package plugin provides an external sandbox runtime implemented by plugins.
|
Package plugin provides an external sandbox runtime implemented by plugins. |
|
sandbox/runtimes/sandboxexec
Package sandboxexec provides a macOS sandbox-exec runtime.
|
Package sandboxexec provides a macOS sandbox-exec runtime. |
|
sandbox/sandboxtest
Package sandboxtest provides utilities for testing sandbox runtime plugins in-memory without spawning external processes or using network sockets.
|
Package sandboxtest provides utilities for testing sandbox runtime plugins in-memory without spawning external processes or using network sockets. |
|
sandbox/workspace
Package workspace provides Docker-specific workspace isolation.
|
Package workspace provides Docker-specific workspace isolation. |
|
sarif
Package sarif provides SARIF output format support for Deputy scan results.
|
Package sarif provides SARIF output format support for Deputy scan results. |
|
sbom
Package sbomx generates Software Bills of Materials (SBOM) for local or remote repositories and can optionally enrich component nodes with license metadata.
|
Package sbomx generates Software Bills of Materials (SBOM) for local or remote repositories and can optionally enrich component nodes with license metadata. |
|
sbom/diff
Package diff provides SBOM comparison and change detection.
|
Package diff provides SBOM comparison and change detection. |
|
sbom/vex
Package vex provides Vulnerability Exploitability eXchange (VEX) document generation.
|
Package vex provides Vulnerability Exploitability eXchange (VEX) document generation. |
|
scanning
Package scanning provides scan orchestration for vulnerability analysis.
|
Package scanning provides scan orchestration for vulnerability analysis. |
|
secrets
Package secrets provides secret detection and scanning capabilities.
|
Package secrets provides secret detection and scanning capabilities. |
|
security
Package security provides shared security utilities for container analysis.
|
Package security provides shared security utilities for container analysis. |
|
server
Package server provides the Deputy gRPC/Connect server implementation.
|
Package server provides the Deputy gRPC/Connect server implementation. |
|
services
Package services provides the unified service layer for Deputy.
|
Package services provides the unified service layer for Deputy. |
|
targets
Package targets defines abstractions for heterogeneous scan targets (e.g.
|
Package targets defines abstractions for heterogeneous scan targets (e.g. |
|
ui
Package ui centralizes terminal presentation styles (colors, emphasis) so that higher level reporting code can remain logic‑focused and stylistically consistent.
|
Package ui centralizes terminal presentation styles (colors, emphasis) so that higher level reporting code can remain logic‑focused and stylistically consistent. |
|
ui/repl
Package repl provides a world-class interactive REPL for CEL policy evaluation.
|
Package repl provides a world-class interactive REPL for CEL policy evaluation. |
|
version
Package version provides build-time version information for Deputy.
|
Package version provides build-time version information for Deputy. |
|
vmimage
Package vmimage provides abstractions for reading virtual machine disk images and their filesystems without requiring root privileges or kernel mounts.
|
Package vmimage provides abstractions for reading virtual machine disk images and their filesystems without requiring root privileges or kernel mounts. |
|
vmimage/fsys
Package fsys provides filesystem implementations for virtual machine disk images.
|
Package fsys provides filesystem implementations for virtual machine disk images. |
|
vulnerability
Package vulnerability provides core domain types for vulnerability identification and classification.
|
Package vulnerability provides core domain types for vulnerability identification and classification. |
|
vulnerability/affected
Package affected provides affected product identification for vulnerabilities.
|
Package affected provides affected product identification for vulnerabilities. |
|
vulnerability/affected/cpe
Package cpe provides CPE (Common Platform Enumeration) identifier handling.
|
Package cpe provides CPE (Common Platform Enumeration) identifier handling. |
|
vulnerability/id
Package id provides vulnerability identifier parsing and validation.
|
Package id provides vulnerability identifier parsing and validation. |
|
vulnerability/id/cve
Package cve provides CVE (Common Vulnerabilities and Exposures) identifier handling.
|
Package cve provides CVE (Common Vulnerabilities and Exposures) identifier handling. |
|
vulnerability/intel
Package intel provides threat intelligence enrichment for vulnerabilities.
|
Package intel provides threat intelligence enrichment for vulnerabilities. |
|
vulnerability/intel/epss
Package epss provides a client for FIRST's Exploit Prediction Scoring System.
|
Package epss provides a client for FIRST's Exploit Prediction Scoring System. |
|
vulnerability/intel/kev
Package kev provides a client for the CISA Known Exploited Vulnerabilities catalog.
|
Package kev provides a client for the CISA Known Exploited Vulnerabilities catalog. |
|
vulnerability/severity
Package severity provides vulnerability severity classification and normalization.
|
Package severity provides vulnerability severity classification and normalization. |
|
vulnerability/severity/cvss
Package cvss provides CVSS (Common Vulnerability Scoring System) parsing and scoring.
|
Package cvss provides CVSS (Common Vulnerability Scoring System) parsing and scoring. |
|
vulnerability/ssvc
Package ssvc implements Stakeholder-Specific Vulnerability Categorization.
|
Package ssvc implements Stakeholder-Specific Vulnerability Categorization. |
|
vulnerability/suppression
Package suppression provides vulnerability suppression via VEX documents.
|
Package suppression provides vulnerability suppression via VEX documents. |
|
vulnerability/weakness
Package weakness provides weakness classification for vulnerabilities.
|
Package weakness provides weakness classification for vulnerabilities. |
|
vulnerability/weakness/cwe
Package cwe provides CWE (Common Weakness Enumeration) identifier handling.
|
Package cwe provides CWE (Common Weakness Enumeration) identifier handling. |
|
plugins
|
|
|
gradle-sandbox
command
deputy-extractor-gradle-sandbox is an external plugin that extracts Maven dependencies by running Gradle in a Docker container.
|
deputy-extractor-gradle-sandbox is an external plugin that extracts Maven dependencies by running Gradle in a Docker container. |
|
Package sdk provides a simple Go SDK for the Deputy vulnerability scanner.
|
Package sdk provides a simple Go SDK for the Deputy vulnerability scanner. |
|
plugin
Package plugin provides a simple SDK for building Deputy extractor plugins.
|
Package plugin provides a simple SDK for building Deputy extractor plugins. |
Click to show internal directories.
Click to hide internal directories.