depguard

# DepGuard — Dependency Audit & License Compliance

DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.

## Commands

### Free Tier (No license required)

#### `depguard scan [directory]`
One-shot vulnerability and license scan of your project dependencies.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]
```

**What it does:**
1. Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
2. Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
3. Parses dependency manifests for license information
4. Generates a security report with severity levels
5. Lists packages with problematic or unknown licenses

**Example usage scenarios:**
- "Scan my dependencies for vulnerabilities" → runs `depguard scan .`
- "Check the licenses of my node modules" → runs `depguard scan . --licenses-only`
- "Are any of my packages insecure?" → runs `depguard scan`

#### `depguard report [directory]`
Generate a formatted dependency health report in markdown.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]
```

### Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)

#### `depguard hooks install`
Install git hooks that scan dependencies on every commit that modifies lockfiles.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" hooks install
```

**What it does:**
1. Validates Pro+ license
2. Installs lefthook pre-commit hook targeting lockfile changes
3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs vulnerability scan, blocks commit if critical/high vulns found

#### `depguard hooks uninstall`
Remove DepGuard git hooks.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall
```

#### `depguard watch [directory]`
Continuous monitoring — re-scans on any lockfile change.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]
```

#### `depguard fix [directory]`
Auto-fix vulnerabilities by upgrading to patched versions where available.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]
```

### Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)

#### `depguard policy [directory]`
Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]
```

#### `depguard sbom [directory]`
Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]
```

#### `depguard compliance [directory]`
Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).

```bash
bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]
```

## Supported Package Managers

| Manager | Lockfile | Audit Tool |
|---------|----------|------------|
| npm | package-lock.json | npm audit |
| yarn | yarn.lock | yarn audit |
| pnpm | pnpm-lock.yaml | pnpm audit |
| pip | requirements.txt / Pipfile.lock | pip-audit / safety |
| cargo | Cargo.lock | cargo audit |
| go | go.sum | govulncheck |
| composer | composer.lock | composer audit |
| bundler | Gemfile.lock | bundle audit |
| maven | pom.xml | mvn dependency-check |
| gradle | build.gradle | gradle dependencyCheck |

## Configuration

Add to `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately — no configuration needed
- **All scanning happens locally** using native package manager audit tools
- **License validation is offline** — no phone-home
- Falls back to manifest parsing if native audit tools aren't available
- Supports monorepos — scans all workspaces/packages

## When to Use DepGuard

The user might say things like:
- "Scan my dependencies for vulnerabilities"
- "Check my package licenses"
- "Are any of my npm packages insecure?"
- "Generate a security audit report"
- "Set up dependency monitoring"
- "Block GPL dependencies in this project"
- "Generate an SBOM"
- "Check if we're compliant with our license policy"