PkgRadar

Command line

pkgradar — gate npm, PyPI, RubyGems, Cargo, Maven, NuGet & Composer releases without curl.

A single self-contained Rust binary that wraps PkgRadar’s gate and scan endpoints. Drop it into any CI runner, pre-commit hook, or local shell. No agents, no daemon. The Linux build is glibc-linked (Debian, Ubuntu, and most CI images) — on an Alpine/musl image, run it from a debian-slim base instead.

Get a free API keyCI snippets

Install

Prebuilt binary (recommended)

Each release attaches binaries for Linux (x86_64, aarch64) and macOS (x86_64, aarch64). It uses rustlswith the host’s native CA roots, so it picks up the system CA bundle and doesn’t pull in OpenSSL at runtime. Linux builds are dynamically linked against glibc — use a Debian/Ubuntu base image (not Alpine/musl, which will fail to exec with exit 127).

# Detects your OS/arch, downloads the matching release, installs to /usr/local/bin.
curl -sSfL https://pkgradar.com/install.sh | sh

pkgradar version

The installer resolves the latest release without hitting GitHub’s unauthenticated API rate limit (which 403s on CI runners that share an egress IP).

Install

From source

git clone https://github.com/PkgRadar/pkgradar-cli
cd pkgradar-cli
cargo install --path . --locked

pkgradar version

Configure

One token, two env vars

export PKGRADAR_TOKEN="rps_..."        # required
export PKGRADAR_BASE_URL="https://pkgradar.com"   # optional

Tokens are minted at /dashboard/keys. Both env vars can be overridden with the --token and --base-url flags.

Gate

Block a package version in CI

Returns exit 0 on pass, exit 1 when any spec breaches the --fail-on threshold. Drop this into a CI step and the runner stops the build.

pkgradar gate [email protected] [email protected] --fail-on high

# JSON output for downstream tooling
pkgradar gate @scope/[email protected] --format json --quiet

Scan

See the full report

scan returns the static findings PkgRadar produced for a release — useful when you want to see why a release would be blocked rather than just whether it would.

pkgradar scan @scope/[email protected]
pkgradar scan @scope/[email protected] --format json | jq '.[0].findings'

Exit codes

Predictable for CI

CodeMeaning
0All specs passed.
1At least one spec was blocked by the gate.
2Usage error (missing token, bad spec, bad flag).
3Runtime error — a rejected/invalid token, an unparseable lockfile, or a network/TLS failure reaching the gate.

See the canonical exit-code & verdict table in the docs for how these map to gate verdicts and fail-open behavior.

Source & transparency

Read the code

The CLI lives in its own public repository so customers can audit, vendor, or fork it without cloning the closed-source service. Apache-2.0 licensed. The composite GitHub Action lives at the repo root, so uses: PkgRadar/pkgradar-cli@v1 just works.

Open pkgradar-cli on GitHub

Lockfile mode

Scan every transitive in one call

Point --lockfile at a package-lock.json, pnpm-lock.yaml, or yarn.lock and the CLI extracts every name@version pair, dedupes them, and submits the batch in one gate call. .pkgradar.yml alongside the lockfile applies repo-local config: fail_on, timeout_ms, fail_open, and an allowlist of specs to skip.

# Auto-detect lockfile in the repo root
pkgradar gate --lockfile package-lock.json --fail-on high

# Or with a config file
cat > .pkgradar.yml <<EOF
fail_on: high
fail_open: true
allowlist:
  - "@types/[email protected]"  # reviewed internally
EOF
pkgradar gate --lockfile pnpm-lock.yaml

Roadmap

What’s next for the CLI

GitHub Actions annotation output, Yarn Berry support, a Homebrew tap, a Scoop bucket, and a Docker image. Email [email protected]if there’s a packaging format you need first.