phylum analyze

Submit a request for analysis to the processing system

Usage: phylum analyze [OPTIONS] [LOCKFILE]...


The package lockfiles to submit


-l, --label <LABEL>
Specify a label to use for analysis

-j, --json
Produce output in json format (default: false)

-p, --project <PROJECT_NAME>
Specify a project to use for analysis

-g, --group <GROUP_NAME>
Specify a group to use for analysis

-t, --lockfile-type <TYPE>
Lockfile type used for all lockfiles (default: auto)
Accepted values: npm, yarn, pnpm, gem, pip, poetry, pipenv, mvn, gradle, nugetlock, msbuild, go, cargo, spdx, cyclonedx, auto

-v, --verbose...
Increase the level of verbosity (the maximum is -vvv)

-q, --quiet...
Reduce the level of verbosity (the maximum is -qq)

-h, --help
Print help


The following order is used to determine which lockfile will be analyzed:

  • CLI --lockfile parameters
  • Lockfiles in the .phylum_project file specified during phylum init
  • Recursive filesystem search

If any of these locations provides a lockfile, no further search will be done.
Recursive filesystem search takes common ignore files like .gitignore and
.ignore into account.


# Analyze your project's default lockfile
$ phylum analyze

# Analyze a Maven lockfile with a verbose json response
$ phylum analyze --json --verbose effective-pom.xml

# Analyze a PyPI lockfile and apply a label
$ phylum analyze --label test_branch requirements.txt

# Analyze a Poetry lockfile and return the results to the 'sample' project
$ phylum analyze -p sample poetry.lock

# Analyze a NuGet lockfile using the 'sample' project and 'sGroup' group
$ phylum analyze -p sample -g sGroup packages.lock.json

# Analyze a RubyGems lockfile and return a verbose response with only critical malware
$ phylum analyze --verbose --filter=crit,mal Gemfile.lock

# Analyze the `Cargo.lock` and `lockfile` files as cargo lockfiles
$ phylum analyze --lockfile-type cargo Cargo.lock lockfile