Command line
pkgradar — gate npm, PyPI, RubyGems, Cargo, Maven, NuGet & Composer releases without curl.
A single self-contained Rust binary that wraps PkgRadar’s gate and scan endpoints. Drop it into any CI runner, pre-commit hook, or local shell. No agents, no daemon. The Linux build is glibc-linked (Debian, Ubuntu, and most CI images) — on an Alpine/musl image, run it from a debian-slim base instead.
Install
Prebuilt binary (recommended)
Each release attaches binaries for Linux (x86_64, aarch64) and macOS (x86_64, aarch64). It uses rustlswith the host’s native CA roots, so it picks up the system CA bundle and doesn’t pull in OpenSSL at runtime. Linux builds are dynamically linked against glibc — use a Debian/Ubuntu base image (not Alpine/musl, which will fail to exec with exit 127).
# Detects your OS/arch, downloads the matching release, installs to /usr/local/bin.
curl -sSfL https://pkgradar.com/install.sh | sh
pkgradar versionThe installer resolves the latest release without hitting GitHub’s unauthenticated API rate limit (which 403s on CI runners that share an egress IP).
Install
From source
git clone https://github.com/PkgRadar/pkgradar-cli
cd pkgradar-cli
cargo install --path . --locked
pkgradar versionConfigure
One token, two env vars
export PKGRADAR_TOKEN="rps_..." # required
export PKGRADAR_BASE_URL="https://pkgradar.com" # optionalTokens are minted at /dashboard/keys. Both env vars can be overridden with the --token and --base-url flags.
Gate
Block a package version in CI
Returns exit 0 on pass, exit 1 when any spec breaches the --fail-on threshold. Drop this into a CI step and the runner stops the build.
pkgradar gate [email protected] [email protected] --fail-on high
# JSON output for downstream tooling
pkgradar gate @scope/[email protected] --format json --quietScan
See the full report
scan returns the static findings PkgRadar produced for a release — useful when you want to see why a release would be blocked rather than just whether it would.
pkgradar scan @scope/[email protected]
pkgradar scan @scope/[email protected] --format json | jq '.[0].findings'Exit codes
Predictable for CI
| Code | Meaning |
|---|---|
0 | All specs passed. |
1 | At least one spec was blocked by the gate. |
2 | Usage error (missing token, bad spec, bad flag). |
3 | Runtime error — a rejected/invalid token, an unparseable lockfile, or a network/TLS failure reaching the gate. |
See the canonical exit-code & verdict table in the docs for how these map to gate verdicts and fail-open behavior.
Source & transparency
Read the code
The CLI lives in its own public repository so customers can audit, vendor, or fork it without cloning the closed-source service. Apache-2.0 licensed. The composite GitHub Action lives at the repo root, so uses: PkgRadar/pkgradar-cli@v1 just works.
Lockfile mode
Scan every transitive in one call
Point --lockfile at a package-lock.json, pnpm-lock.yaml, or yarn.lock and the CLI extracts every name@version pair, dedupes them, and submits the batch in one gate call. .pkgradar.yml alongside the lockfile applies repo-local config: fail_on, timeout_ms, fail_open, and an allowlist of specs to skip.
# Auto-detect lockfile in the repo root
pkgradar gate --lockfile package-lock.json --fail-on high
# Or with a config file
cat > .pkgradar.yml <<EOF
fail_on: high
fail_open: true
allowlist:
- "@types/[email protected]" # reviewed internally
EOF
pkgradar gate --lockfile pnpm-lock.yaml