PkgRadar

Command line

pkgradar — gate npm, PyPI, RubyGems, Cargo, Maven, NuGet, Composer, Go & Pub releases without curl.

A single static Rust binary that wraps PkgRadar’s gate and scan endpoints. Drop it into any CI runner, pre-commit hook, or local shell. No agents, no daemon, no system dependencies beyond TLS roots.


Install

Prebuilt binary (recommended)

Each release attaches binaries for Linux (x86_64, aarch64) and macOS (x86_64, aarch64). The binary is built with rustls (the rustls-tls-native-roots feature), so it validates TLS against the host's CA bundle and has no OpenSSL runtime dependency.

TAG=$(curl -sSfL https://api.github.com/repos/PkgRadar/pkgradar-cli/releases/latest \
  | grep '"tag_name"' | head -1 | sed -E 's/.*"tag_name": "([^"]+)".*/\1/')
ARCH=$(uname -m); OS=$(uname -s | tr '[:upper:]' '[:lower:]')
case "$OS-$ARCH" in
  linux-x86_64)   ASSET="pkgradar-x86_64-unknown-linux-gnu.tar.gz" ;;
  linux-aarch64)  ASSET="pkgradar-aarch64-unknown-linux-gnu.tar.gz" ;;
  darwin-x86_64)  ASSET="pkgradar-x86_64-apple-darwin.tar.gz" ;;
  darwin-arm64)   ASSET="pkgradar-aarch64-apple-darwin.tar.gz" ;;
  *)              ASSET="" ;;   # no prebuilt binary for this platform; use cargo install below
esac
# Stop here rather than download a bad URL if either lookup came back empty.
: "${TAG:?could not resolve the latest release tag}"
: "${ASSET:?no prebuilt binary for $OS-$ARCH}"
curl -sSfL "https://github.com/PkgRadar/pkgradar-cli/releases/download/${TAG}/${ASSET}" \
  | tar -xz
sudo install -m 0755 pkgradar /usr/local/bin/

pkgradar version

Install

From crates.io

cargo install pkgradar --locked
pkgradar version

Install

From source

git clone https://github.com/PkgRadar/pkgradar-cli
cd pkgradar-cli
cargo install --path . --locked

pkgradar version

Configure

One token, two env vars

export PKGRADAR_TOKEN="rps_..."        # required
export PKGRADAR_BASE_URL="https://pkgradar.com"   # optional

Tokens are minted at /dashboard/keys. Both env vars can be overridden with the --token and --base-url flags.

Gate

Block a package version in CI

Exits 0 when every spec passes and 1 when any spec has a finding at or above the --fail-on severity. A CI step that runs it therefore fails the build on the first blocked release.

pkgradar gate NAME@VERSION NAME@VERSION --fail-on high

# JSON output for downstream tooling (NAME@VERSION stands for a real spec, e.g. from your lockfile)
pkgradar gate @scope/NAME@VERSION --format json --quiet

Scan

See the full report

scan returns the static findings PkgRadar produced for a release — useful when you want to see why a release would be blocked rather than just whether it would.

pkgradar scan @scope/NAME@VERSION
pkgradar scan @scope/NAME@VERSION --format json | jq '.[0].findings'

Exit codes

Predictable for CI

Code  Meaning
0     All specs passed.
1     At least one spec was blocked by the gate.
2     Usage error (missing token, bad spec, bad flag).
3     Network, TLS, or installer failure.
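The table above is what a CI step has to act on, and the one decision it forces is what to do on exit 3: a transient outage must not be confused with a blocked release, and whether the build may proceed unchecked is a policy choice, not an accident. The following is an added example, our own code rather than anything shipped in pkgradar-cli; it assumes only the four exit codes listed above. The retry count, backoff, the `pkgradar gate` subprocess call and the injectable `runner`/`sleep` hooks are ours.

```python
"""Added example, not code from pkgradar-cli: a CI wrapper that turns the exit
codes documented above into an explicit fail-closed (default) or fail-open policy.
The only assumption about the CLI is the exit-code table; everything else is ours."""
import subprocess
import sys
import time
from typing import Callable, Sequence

# Exit codes from the table above.
PASS, BLOCKED, USAGE, NETWORK = 0, 1, 2, 3


def gate_policy(rc: int) -> str:
    """Map a pkgradar exit code to what the CI step should do with it."""
    return {
        PASS: "pass",             # build continues
        BLOCKED: "block",         # a release breached --fail-on: stop the build
        USAGE: "fix-invocation",  # bad token/spec/flag: retrying cannot help
        NETWORK: "retry",         # transient: retry, then apply fail-open/closed
    }.get(rc, "unknown")


def _default_runner(cmd: Sequence[str]) -> int:
    """Run the real binary and hand back its exit code."""
    return subprocess.run(cmd).returncode


def run_gate(args: Sequence[str], *, attempts: int = 3, fail_open: bool = False,
             backoff_s: float = 2.0,
             runner: Callable[[Sequence[str]], int] = _default_runner,
             sleep: Callable[[float], None] = time.sleep) -> int:
    """Run `pkgradar gate <args>` and return the exit code the CI step should use.

    Only exit 3 is retried; 0, 1 and 2 are final on the first attempt. If the
    service is still unreachable after all attempts, fail_open=True returns 0
    (the build proceeds unchecked) and fail_open=False keeps exit 3, so the
    build fails closed. `runner` and `sleep` are injectable for offline tests.
    """
    rc = NETWORK
    for attempt in range(1, attempts + 1):
        rc = runner(["pkgradar", "gate", *args])
        if gate_policy(rc) != "retry":
            return rc
        if attempt < attempts:
            sleep(backoff_s * attempt)  # linear backoff between transient failures
    if fail_open:
        print("pkgradar unreachable after retries; fail-open policy, build proceeds",
              file=sys.stderr)
        return PASS
    return rc


if __name__ == "__main__":
    # Typical CI step:  python ci_gate.py --lockfile package-lock.json --fail-on high
    sys.exit(run_gate(sys.argv[1:]))
```

Keep `fail_open` off for pipelines that publish or deploy; a fail-open gate is the first thing an attacker who can degrade your egress gets for free.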

Source & transparency

Read the code

The CLI lives in its own public repository so customers can audit, vendor, or fork it without cloning the closed-source service. Apache-2.0 licensed. The composite GitHub Action lives at the repo root, so uses: PkgRadar/pkgradar-cli@v1 just works.

Open pkgradar-cli on GitHub

Lockfile mode

Gate every transitive dependency in one call

Point --lockfile at a package-lock.json, pnpm-lock.yaml, or yarn.lock and the CLI extracts every name@version pair, dedupes them, and submits the batch in one gate call. A .pkgradar.yml alongside the lockfile applies repo-local config: fail_on, timeout_ms, fail_open, and an allowlist of specs to skip. fail_open governs what happens when the service cannot be reached (the exit 3 conditions): with it set, the gate passes instead of failing the build, so leave it unset for pipelines that must block.

# Gate every dependency pinned in the lockfile
pkgradar gate --lockfile package-lock.json --fail-on high

# Or with a config file (the allowlist entry is a placeholder; use a real spec)
cat > .pkgradar.yml <<EOF
fail_on: high
fail_open: true
allowlist:
  - "@types/NAME@VERSION"  # reviewed internally
EOF
pkgradar gate --lockfile pnpm-lock.yaml
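To see what "extracts every name@version pair, dedupes them" amounts to, here is an added example that reproduces that step for package-lock.json and builds the resulting batch call. It is our own code, not pkgradar-cli's, and it is narrower than the CLI: pnpm-lock.yaml and yarn.lock are left out because they need a YAML and a yarn-format parser, and the allowlist is passed in as a set rather than read from .pkgradar.yml. The sample lockfile is constructed for the example; the function and variable names are ours.

```python
"""Added example, not code from pkgradar-cli: reproduce the name@version
extraction that lockfile mode performs, for package-lock.json lockfileVersion
1, 2 and 3, then turn the deduplicated set into one gate invocation."""
import json
import sys
from typing import Dict, Iterable, List, Set


def _name_from_path(path: str) -> str:
    """'node_modules/send/node_modules/ms' -> 'ms'; scoped names keep '@scope/'."""
    return path.rsplit("node_modules/", 1)[1]


def _walk_v1(deps: Dict, out: Set[str]) -> None:
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        if "version" in meta:
            out.add(f"{name}@{meta['version']}")
        _walk_v1(meta.get("dependencies", {}), out)


def specs_from_package_lock(lock: Dict, allowlist: Iterable[str] = ()) -> Set[str]:
    """Return the deduplicated set of name@version specs a gate call would receive.

    The same version hoisted to several node_modules paths collapses into one
    spec; the same name at two versions stays two specs, and both are gated.
    Specs in the allowlist are dropped, as .pkgradar.yml's allowlist does.
    """
    out: Set[str] = set()
    if lock.get("lockfileVersion", 1) >= 2:
        for path, meta in lock.get("packages", {}).items():
            # "" is the root project, paths outside node_modules/ are workspace
            # sources, and link entries are symlinks to them: none is a release.
            if "node_modules/" not in path or meta.get("link"):
                continue
            if meta.get("version"):
                out.add(f"{_name_from_path(path)}@{meta['version']}")
    else:
        _walk_v1(lock.get("dependencies", {}), out)
    return out - set(allowlist)


def gate_command(specs: Iterable[str], fail_on: str = "high") -> List[str]:
    """argv for one batch gate call; sorted so CI logs are stable across runs."""
    return ["pkgradar", "gate", *sorted(specs), "--fail-on", fail_on]


# Constructed sample (not from a real project): ms@2.1.2 appears at two paths,
# a nested ms@2.1.3 differs, one scoped package, and a workspace package plus
# the link entry that points at it.
SAMPLE_LOCK_V3 = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/debug/node_modules/ms": {"version": "2.1.2"},
        "node_modules/ms": {"version": "2.1.2"},
        "node_modules/send": {"version": "0.18.0"},
        "node_modules/send/node_modules/ms": {"version": "2.1.3"},
        "node_modules/@types/node": {"version": "20.0.0"},
        "packages/local-lib": {"version": "0.0.1"},
        "node_modules/local-lib": {"resolved": "packages/local-lib", "link": True},
    },
}

# Same shape of data in the older nested format.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "debug": {"version": "4.3.4", "dependencies": {"ms": {"version": "2.1.2"}}},
        "ms": {"version": "2.1.3"},
    },
}

if __name__ == "__main__":
    # python extract_specs.py package-lock.json   (falls back to the sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    print(" ".join(gate_command(specs_from_package_lock(lock))))
```

The workspace handling is the part worth checking against your own lockfile: a `link: true` entry carries no version, and a `packages/...` path is your code, not a registry release, so neither should be sent to the gate.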

Roadmap

What’s next for the CLI

GitHub Actions annotation output, Yarn Berry support, a Homebrew tap, a Scoop bucket, and a Docker image. Email [email protected] if there's a packaging format you need first.