Installing the Protean command line tool
curl -fsSL "https://protean-labs.io/cdn/sh/install" | sh
or
wget -qO- "https://protean-labs.io/cdn/sh/install" | sh
Both commands pipe a script fetched over the network straight into your shell. If that is not acceptable in your environment, download the script to a file first, read it, and then run it with sh.
Using Protean
Once installed, run protean with no arguments to print the usage information:
Version: 1.1.25
Usage:
protean [options...] <cmd>
pip list --format=json | protean -stdin scan
Options:
-stdin read input from STDIN
-f file [FILENAME]
-v verbose
-q quiet
--help, -h help text
--project-id id of the project, can also set PROTEAN_LABS_PROJECT_ID env var
--force-exit-0 forces protean to exit with status code 0 regardless of outcome
Commands:
scan Scans your projects dependencies for vulnerable or outdated versions
Notes:
Package list must be a JSON string with shape:
[{"name": "pkg_name", "version": "pkg_version"}, ...]
The PROTEAN_LABS_API_KEY env variable is required
The protean tool currently supports 3 different types of input:
- requirements.txt
- package.json
- STDIN json
When using STDIN input, the JSON must match the following shape (this is also what pip list --format=json prints, which is why the usage example pipes it straight in):
[{"name": "pkg_name", "version": "pkg_version"}, ...]
To scan the dependencies in a requirements.txt or package.json file, pass the file path via the -f flag:
protean -f requirements.txt scan
Exit code
protean is designed for CI: if a Critical or High severity CVE is detected while scanning your dependencies, it returns a non-zero exit code, which fails the pipeline so you can fix the issue before deploying. Lower severities do not change the exit code.
If you need to force a build through even with vulnerable dependencies, pass the --force-exit-0 flag and protean will return exit code 0, letting the pipeline pass.
This is only intended for emergencies, but we're all adults here, so we trust you'll use it wisely. Treat it as a break-glass control: supply it from a CI variable that someone has to set and review, rather than hard-coding it in the pipeline definition.
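The following script is an added example and is not code from protean-labs; it ties together the STDIN input shape described above and the exit-code behaviour of this section. It builds the STDIN payload from inputs protean does not read directly (pinned requirements lines and a package-lock.json), refuses unpinned or malformed entries before anything is sent, builds the protean command line so that --force-exit-0 can only be added with a recorded reason, and passes protean's exit status through to CI unchanged. It assumes the STDIN shape is a list of {"name", "version"} objects (what pip list --format=json prints), that protean is on PATH, that PROTEAN_LABS_API_KEY is set, and it uses a hypothetical CI variable PROTEAN_BYPASS_REASON for the break-glass path.

```python
"""Build the STDIN payload for `protean -stdin scan` and run it from CI.

Added example, not code from protean-labs. Assumptions: the STDIN shape is
[{"name": ..., "version": ...}] (what `pip list --format=json` prints, which
the usage text pipes straight into protean), protean is on PATH, and
PROTEAN_LABS_API_KEY is set when run for real.
"""
import json
import os
import re
import subprocess
import sys

# A pinned requirement: name, optional [extras], ==version, then markers/comments.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def from_requirements(text):
    """Convert pinned requirements.txt lines to the STDIN shape.

    Unpinned lines (>=, ~=, bare names) are rejected rather than guessed at:
    a scanner told the wrong version returns the wrong answer.
    """
    pkgs, unpinned = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank, comment, or an option such as -e / -r / --index-url
        m = _PIN.match(line)
        if m:
            pkgs.append({"name": m.group(1), "version": m.group(2)})
        else:
            unpinned.append(line)
    if unpinned:
        raise ValueError("unpinned requirements: " + ", ".join(unpinned))
    return pkgs


def from_package_lock(lock):
    """Flatten a package-lock.json (v1 nested tree or v2/v3 'packages' map).

    Nested copies of a package at different versions are kept as separate
    entries, since each one is code that actually ships.
    """
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project; links carry no version
            name = path[path.rfind("node_modules/") + len("node_modules/"):]
            found.add((name, meta["version"]))

    def walk(deps):  # v1 layout: dependencies nested under dependencies
        for name, meta in deps.items():
            if "version" in meta:
                found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return [{"name": n, "version": v} for n, v in sorted(found)]


def validate(pkgs):
    """Reject anything that is not the documented shape; return the JSON text."""
    for p in pkgs:
        ok = set(p) == {"name", "version"} and all(isinstance(p[k], str) and p[k] for k in p)
        if not ok:
            raise ValueError("bad package entry: %r" % (p,))
    return json.dumps(pkgs)


def scan_argv(project_id=None, bypass_reason=None):
    """Build the protean command line; --force-exit-0 only with a recorded reason."""
    argv = ["protean", "-stdin"]
    if project_id:
        argv += ["--project-id", project_id]
    if bypass_reason is not None:
        if not bypass_reason.strip():
            raise ValueError("refusing --force-exit-0 without a reason")
        argv.append("--force-exit-0")
    argv.append("scan")  # options come before the command, per the usage text
    return argv


def run_scan(argv, payload):
    """Feed the payload on STDIN and return the exit status unchanged, so the
    CI step fails on non-zero exactly as protean intends."""
    return subprocess.run(argv, input=payload.encode(), check=False).returncode


if __name__ == "__main__":
    if "PROTEAN_LABS_API_KEY" not in os.environ:
        sys.exit("PROTEAN_LABS_API_KEY must be set")
    # Constructed sample input standing in for a real requirements.txt.
    sample = "requests==2.31.0  # http client\nurllib3[socks]==2.0.7\n-e .\n"
    reason = os.environ.get("PROTEAN_BYPASS_REASON")  # hypothetical CI variable
    if reason:
        print("WARNING: --force-exit-0 in effect: " + reason, file=sys.stderr)
    sys.exit(run_scan(scan_argv(bypass_reason=reason), validate(from_requirements(sample))))
```

Run as `PROTEAN_LABS_API_KEY=... python3 scan.py` from the CI job; the job fails whenever protean exits non-zero. Setting PROTEAN_BYPASS_REASON to a non-empty string adds --force-exit-0 and prints the reason to the job log, while an empty value is refused, so the bypass always leaves a trace in the build output.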