Legacy CLI

The Legacy CLI has now been deprecated and will stop working on May 2nd 2024. If you're interested in integrating with us using our CLI, please check out the documentation for Debricked CLI. If you're a user of the Legacy CLI, learn how to migrate to the Debricked CLI.

The Legacy CLI supports uploading and checking your dependency files for vulnerabilities from your console. This could be useful when you want to check whether your dependency files are vulnerable before uploading them to your repository or in a custom CI pipeline. This tool also powers some of our integrations, such as the Bitbucket “pipe” integration.

You can choose to install the CLI tool locally or to run it using Docker.

Local installation

  1. PHP is required. Run php -v on your system to check whether it is installed. If it is not, install it with your favourite package manager or, if you are on Windows, install the latest version available on PHP for Windows.

  2. Install the CLI tool:
     • Install using Composer (recommended; omit global if you want to install into the current project): composer global require debricked/cli, or
     • Download it manually from GitHub.

  3. [Windows only] To run the first-time setup, cd to your installation directory, such as cd ~/AppData/Roaming/Composer/vendor/debricked/cli, and then execute bin/console debricked:scan --help

  4. Done! You can now run any of the available commands using php ~/.composer/vendor/debricked/cli/bin/console *command*. If you are using Windows, it will be available at php ~/AppData/Roaming/Composer/vendor/debricked/cli/bin/console *command*

When running on Windows, make sure to execute the commands in a shell that can run bash scripts (.sh). If you do not already have such a shell installed, we recommend “Git Bash”, which is bundled with Git for Windows.

Available commands

Every command accepts the --help flag, which lists its possible arguments and options, for example:

php bin/console debricked:scan --help

All-in-one vulnerability scan

Combines uploading dependency files with monitoring their vulnerability status.

php bin/console debricked:scan "" your-access-token *repository_name* *commit_name* *repository url* cli


php bin/console debricked:scan user1@email.com pass1 myproduct 1.0.1 local cli

Using an access token instead of a username and password

Replace the username with '' and use the access token as the password. This can be done for all examples below as well.


php bin/console debricked:scan "" your-access-token myproduct 1.0.1 local cli

Upload dependency files and trigger a vulnerability scan

php bin/console debricked:find-and-upload-files "" your-access-token *repository_name* *commit_name* *repository url* cli

Check vulnerability scan

php bin/console debricked:check-scan "" your-access-token *upload_id*

License report

To generate a license report, you first need to perform a regular vulnerability scan using either the CLI as above, or by using one of our CI/Build systems. After performing a scan, you get an upload id. In the example below, the upload id is 1443821.

After finding the upload id, you also need to decide which use case is most suitable for your project. The chosen use case will affect the risk assessment for licenses found in your dependencies. To start, you need to set the repository use case by following the instructions for License configuration.

After this, run the following command to generate the license report.

php bin/console debricked:license-report "" your-access-token *upload_id*

By default, the output is written directly to the terminal formatted as JSON. If you prefer a CSV format, you can add the flag -f csv. Additionally, if you prefer to have the license report exported to a file, instead of printed to the terminal, add the flag -o file.json or -o file.csv.


php bin/console debricked:license-report user1@email.com pass1 1443821 -f csv -o myreport.csv

Code snippet analysis

As an additional feature, not included in the default subscription, you can also perform code snippet analysis. This feature allows you to detect code snippets that have been copied into your own application's source code from other projects, and the licenses that these code snippets have. To enable code snippet analysis, first contact Debricked Sales. After this, you can generate reports using the additional -s / --snippets flag to the license report command above.


  • If Composer was used to install it globally, then use the uninstall command:

    composer global remove debricked/cli
  • If the project was cloned from GitHub directly, delete the folder containing the project.

Using Docker

To run the tool using only Docker, instead of a local install, use it as below, where the current directory is assumed to contain the project you wish to scan.

docker run -it --rm -v $PWD:/data debricked/debricked-cli <command>

A practical example of scanning a local repository in your current working directory:

docker run -it --rm -v $PWD:/data debricked/debricked-cli debricked:scan user@example.com password myrepository mycommit null cli

To be clear, you need to modify these parts of the command:

  • user@example.com and password: Replace with your e-mail and password to the service. Alternatively, use an access token as password, and set the username to the empty string ''.

  • myrepository: Replace with the name of the repository.

  • mycommit: A unique identifier (for example the commit hash in Git) for this particular commit.

You do not need to replace null cli. It is simply a marker used by the server to distinguish between different integrations.

If you are building your CI pipeline integration, you can typically get myrepository and mycommit as environment variables from your CI system.

Using debricked-cli Docker image behind proxy

In order to run the tool behind a proxy you need to set the http_proxy variable for the Docker environment. Provided that you have http_proxy set in your environment, it would look like this:

docker run -it --rm -v $PWD:/data -e https_proxy=$http_proxy -e http_proxy=$http_proxy debricked/debricked-cli debricked:scan user@example.com password myrepository mycommit null cli

If you use languages that need a copy of the whole repository

In most cases, such as above, the tool only needs to upload your dependency files to the service. However, for certain languages, you may need to upload a complete copy of the repository. You then need to add the --upload-all-files=true option to the command, as in the following example.

docker run -it --rm -v $PWD:/data debricked/debricked-cli debricked:scan --upload-all-files=true user@example.com password myrepository mycommit null cli
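
A CI wrapper that ties the Docker sections above together, as an added example rather than Debricked's own script: it authenticates with an access token, takes the repository name and commit from variables, and adds the proxy and --upload-all-files options only when they are set. The variable names DEBRICKED_TOKEN, CI_REPOSITORY, CI_COMMIT and UPLOAD_ALL_FILES are assumptions, not names defined by the tool.

```shell
#!/bin/sh
# Added example, not Debricked's own script. DEBRICKED_TOKEN, CI_REPOSITORY,
# CI_COMMIT and UPLOAD_ALL_FILES are assumed names; map them to whatever
# variables and secret store your CI system provides.

# debricked_scan run   -> executes the scan through Docker
# debricked_scan print -> lists the docker arguments, one per line, token masked
debricked_scan() {
    mode=${1:-run}

    # Fail closed when the secret or an identifier is missing.
    [ -n "${DEBRICKED_TOKEN:-}" ] || { echo "DEBRICKED_TOKEN is not set" >&2; return 2; }
    [ -n "${CI_REPOSITORY:-}" ]   || { echo "CI_REPOSITORY is not set" >&2; return 2; }
    [ -n "${CI_COMMIT:-}" ]       || { echo "CI_COMMIT is not set" >&2; return 2; }

    # -it is left out: CI jobs normally run without a TTY.
    set -- run --rm -v "$PWD:/data"

    # Forward proxy settings only when the host defines them.
    if [ -n "${http_proxy:-}" ]; then
        set -- "$@" -e "https_proxy=$http_proxy" -e "http_proxy=$http_proxy"
    fi

    set -- "$@" debricked/debricked-cli debricked:scan
    if [ "${UPLOAD_ALL_FILES:-false}" = "true" ]; then
        set -- "$@" --upload-all-files=true
    fi

    # The token is a positional argument, so never echo the real command line
    # and keep shell tracing (set -x) off around this call.
    if [ "$mode" = "print" ]; then token='***'; else token=$DEBRICKED_TOKEN; fi

    # Empty username + access token as password; "null cli" stays unchanged.
    set -- "$@" "" "$token" "$CI_REPOSITORY" "$CI_COMMIT" null cli

    if [ "$mode" = "print" ]; then
        printf '%s\n' "$@"
    else
        docker "$@"
    fi
}
```

Call debricked_scan print to review the arguments in the pipeline log with the token masked, then debricked_scan run to perform the scan.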

Source-codeless scans

For Maven and Gradle builds, which normally require a complete copy of the source code, an alternative solution can be used as well. This requires you to generate certain dependency tree artifacts locally, and then submit them to Debricked. By doing so, you can avoid submitting a complete copy of the repository to Debricked, while still getting optimal dependency results. However, this requires you to perform certain steps as a part of your pipeline.
