Analyzing Dependencies

After setting up a Phylum project, you can begin analysis by running:

phylum analyze

By default, the command prints an overall summary indicating whether the project's established policy has been met. If some packages are still being processed, the status is reported as incomplete. Any policy violations are listed, along with a link to the complete report.

❯ phylum analyze
✅ Successfully parsed lockfile "requirements.txt" as type: pip
✅ Successfully parsed lockfile "package-lock.json" as type: npm
✅ Job ID: 3accba15-b0dc-43d2-b8ce-f5700360e3bd

Phylum Supply Chain Risk Analysis — FAILURE

[npm] [email protected]
  [VLN] [email protected] is vulnerable to Regular Expression Denial of Service
[npm] [email protected]
  [AUT] Author of [email protected] is using a disposable email domain
[npm] [email protected]
  [VLN] [email protected] is vulnerable to Regular Expression Denial of Service
[pypi] [email protected]
  [MAL] [email protected] may be a typosquatted package
  [MAL] [email protected] is vulnerable to a dependency confusion attack.
[pypi] [email protected]
  [VLN] [email protected] is vulnerable to Vulnerable OpenSSL included
[pypi] [email protected]
  [LIC] Commercial license risk detected in [email protected]
[pypi] [email protected]
  [VLN] [email protected] is vulnerable to Improper Input Validation

You can find the interactive report here:
  https://app.phylum.io/projects/e5eab4d2-d27d-42ac-bbad-f3ff5c588f54?label=uncategorized

If you prefer JSON-formatted output, use the --json flag:

phylum analyze --json > output.json

If the analysis fails the project's policy, the command's exit code will be set to 100.
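As an added example (not part of the Phylum CLI or its documentation), the following parses the human-readable summary format shown above into structured findings, counts them by risk domain, and maps the documented exit code to a CI decision. The sample output, package names and project ID are constructed placeholders that only mirror the layout of the summary.

```python
"""Parse the `phylum analyze` summary layout shown above (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the summary above; package names and
# the project ID are placeholders, not real findings.
SAMPLE_OUTPUT = """\
Phylum Supply Chain Risk Analysis — FAILURE

[npm] example-left@1.2.3
  [VLN] example-left@1.2.3 is vulnerable to Regular Expression Denial of Service
[pypi] exmaple-requests@0.0.1
  [MAL] exmaple-requests@0.0.1 may be a typosquatted package
  [MAL] exmaple-requests@0.0.1 is vulnerable to a dependency confusion attack.
[pypi] example-crypto@2.0.0
  [LIC] Commercial license risk detected in example-crypto@2.0.0

You can find the interactive report here:
  https://app.phylum.io/projects/00000000-0000-0000-0000-000000000000?label=uncategorized
"""

STATUS_RE = re.compile(r"^Phylum Supply Chain Risk Analysis — (?P<status>\w+)$")
PKG_RE = re.compile(r"^\[(?P<eco>\w+)\] (?P<pkg>\S+)$")          # "[npm] name@ver"
ISSUE_RE = re.compile(r"^\s+\[(?P<domain>[A-Z]{3})\] (?P<msg>.+)$")  # "  [VLN] ..."

@dataclass
class Issue:
    ecosystem: str
    package: str
    domain: str   # risk domain tag as printed: VLN, MAL, AUT, LIC, ...
    message: str

def parse_summary(text):
    """Return (status, issues, report_url) from the summary text."""
    status, url, issues, current = None, None, [], None
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            status = m["status"]
        elif m := PKG_RE.match(line):
            current = (m["eco"], m["pkg"])        # subsequent issues belong here
        elif (m := ISSUE_RE.match(line)) and current:
            issues.append(Issue(*current, m["domain"], m["msg"]))
        elif line.strip().startswith("https://"):
            url = line.strip()
    return status, issues, url

def count_by_domain(issues):
    """Count findings per risk domain, e.g. {'MAL': 2, 'VLN': 1, 'LIC': 1}."""
    return Counter(i.domain for i in issues)

def gate(exit_code):
    """Map the CLI exit code: 0 passes, 100 is a policy failure (per the docs),
    anything else is treated as a tool error rather than a clean result."""
    return {0: "pass", 100: "policy-failure"}.get(exit_code, "error")
```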