Analyzing Dependencies
After setting up a Phylum project, you can begin analysis by running:
phylum analyze
The default response will provide an overall summary result to indicate whether the project's established policy has been met. If there are still packages being processed, an incomplete status will be indicated. Any policy violations will be reported, along with a link to the complete report.
❯ phylum analyze
✅ Successfully parsed dependency file "requirements.txt" as type "pip"
✅ Successfully parsed dependency file "package-lock.json" as type "npm"
✅ Job ID: 3accba15-b0dc-43d2-b8ce-f5700360e3bd
Phylum Supply Chain Risk Analysis — FAILURE
[npm] cacheable-request@6.1.0
[VLN] cacheable-request@6.1.0 is vulnerable to Regular Expression Denial of Service
[npm] ci-info@3.8.0
[AUT] Author of ci-info@3.8.0 is using a disposable email domain
[npm] trim@0.0.1
[VLN] trim@0.0.1 is vulnerable to Regular Expression Denial of Service
[pypi] crpytography@0.1
[MAL] crpytography@0.1 may be a typosquatted package
[MAL] crpytography@0.1 is vulnerable to a dependency confusion attack.
[pypi] cryptography@38.0.4
[VLN] cryptography@38.0.4 is vulnerable to Vulnerable OpenSSL included
[pypi] ghostscript@0.7
[LIC] Commercial license risk detected in ghostscript@0.7
[pypi] pyyaml@5.3.1
[VLN] PyYAML@5.3.1 is vulnerable to Improper Input Validation
You can find the interactive report here:
https://app.phylum.io/projects/e5eab4d2-d27d-42ac-bbad-f3ff5c588f54?label=uncategorized
If you prefer JSON formatted output, you can leverage the --json flag.
phylum analyze --json > output.json
If the analysis fails the project's policy, the command's exit code will be set to 100.
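The exit-code contract above is what makes `phylum analyze` usable as a CI gate. The following POSIX shell wrapper is an added example, not code from the Phylum docs or the Phylum CLI: it runs the analysis with --json, keeps the report as a build artifact, and maps the exit status to a pass / policy-failure / tool-error result. The PHYLUM_BIN variable is an assumption of this example (it lets the wrapper be pointed at another binary for testing); the page documents only exit code 100, so treating every other non-zero status as a tool error rather than a policy decision is also an assumption.

```shell
#!/bin/sh
# Added example (not part of the Phylum docs): CI gate around `phylum analyze`.
# PHYLUM_BIN is an assumption of this example; it defaults to the real CLI name.
PHYLUM_BIN="${PHYLUM_BIN:-phylum}"

# phylum_gate [REPORT_PATH]
#   Runs `phylum analyze --json`, writes the JSON report to REPORT_PATH
#   (default phylum-report.json) so it can be archived by the CI system,
#   and prints one word describing the outcome:
#     pass            exit code 0    -> policy met, returns 0
#     policy-failure  exit code 100  -> policy violated (documented), returns 1
#     tool-error      anything else  -> the CLI itself failed (assumption:
#                                       e.g. network or parse error), returns 2
#   Keeping the two failure kinds apart matters in CI: a policy failure is a
#   finding to act on, a tool error means no decision was made at all.
phylum_gate() {
  report="${1:-phylum-report.json}"
  rc=0
  # `|| rc=$?` captures the status without tripping `set -e` in the caller.
  "$PHYLUM_BIN" analyze --json > "$report" || rc=$?
  case "$rc" in
    0)
      echo "pass"
      return 0
      ;;
    100)
      echo "policy-failure"
      return 1
      ;;
    *)
      echo "tool-error"
      return 2
      ;;
  esac
}
```

In a pipeline step, call `phylum_gate "$CI_ARTIFACT_DIR/phylum-report.json"` (the path is yours to choose) and let its return value become the step status; archive the JSON report either way so that a policy failure can be reviewed from the build page, and alert separately on `tool-error`, since that outcome means the dependency set was never actually evaluated.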