DepGuard — Dependency Audit & License Compliance

DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.

Commands

Free Tier (No license required)

depguard scan [directory]

One-shot vulnerability and license scan of your project dependencies.

How to execute:

bash "<SKILL_DIR>/scripts/depguard.sh" scan [directory]

What it does:

1. Detects package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
2. Runs native audit commands (npm audit, pip-audit, cargo audit, etc.)
3. Parses dependency manifests for license information
4. Generates a security report with severity levels
5. Lists packages with problematic or unknown licenses

Example usage scenarios:

• "Scan my dependencies for vulnerabilities" → runs depguard scan .
• "Check the licenses of my node modules" → runs depguard scan . --licenses-only
• "Are any of my packages insecure?" → runs depguard scan

depguard report [directory]

Generate a formatted dependency health report in markdown.

bash "<SKILL_DIR>/scripts/depguard.sh" report [directory]

Pro Tier ($19/user/month — requires DEPGUARD_LICENSE_KEY)

depguard hooks install

Install git hooks that scan dependencies on every commit that modifies lockfiles.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks install

What it does:

1. Validates Pro+ license
2. Installs lefthook pre-commit hook targeting lockfile changes
3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs vulnerability scan, blocks commit if critical/high vulns found

depguard hooks uninstall

Remove DepGuard git hooks.

bash "<SKILL_DIR>/scripts/depguard.sh" hooks uninstall

depguard watch [directory]

Continuous monitoring — re-scans on any lockfile change.

bash "<SKILL_DIR>/scripts/depguard.sh" watch [directory]

depguard fix [directory]

Auto-fix vulnerabilities by upgrading to patched versions where available.

bash "<SKILL_DIR>/scripts/depguard.sh" fix [directory]

Team Tier ($39/user/month — requires DEPGUARD_LICENSE_KEY with team tier)

depguard policy [directory]

Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.

bash "<SKILL_DIR>/scripts/depguard.sh" policy [directory]

depguard sbom [directory]

Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.

bash "<SKILL_DIR>/scripts/depguard.sh" sbom [directory]

depguard compliance [directory]

Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).

bash "<SKILL_DIR>/scripts/depguard.sh" compliance [directory]

Supported Package Managers

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}

Important Notes

• Free tier works immediately — no configuration needed
• All scanning happens locally using native package manager audit tools
• License validation is offline — no phone-home
• Falls back to manifest parsing if native audit tools aren't available
• Supports monorepos — scans all workspaces/packages

When to Use DepGuard

The user might say things like:

• "Scan my dependencies for vulnerabilities"
• "Check my package licenses"
• "Are any of my npm packages insecure?"
• "Generate a security audit report"
• "Set up dependency monitoring"
• "Block GPL dependencies in this project"
• "Generate an SBOM"
• "Check if we're compliant with our license policy"