1. Get an API key
Sign in (Google or a magic link — no password), then create a key from Dashboard → Keys. Keep it in CI as a secret, e.g. PKGRADAR_TOKEN.
2. Add the gate to your pipeline
GitHub Actions — one step. It auto-detects your lockfiles and fails the job on a high-risk dependency:

- name: PkgRadar gate
  uses: PkgRadar/pkgradar-cli@v1
  with:
    token: ${{ secrets.PKGRADAR_TOKEN }}
    fail-on: high

GitLab CI — include the hosted template and set your token:

include:
  - remote: 'https://pkgradar.com/templates/pkgradar.gitlab-ci.yml'
variables:
  PKGRADAR_TOKEN: $PKGRADAR_TOKEN

Any other CI — install the CLI and run the gate:

cargo install pkgradar --locked
pkgradar gate --lockfile package-lock.json --fail-on high

See the full CLI reference for install options (prebuilt binaries, supported lockfiles), flags, and exit codes.
3. How the gate decides
Each dependency resolves to a verdict — high (block), review (inspect), or low (pass). The gate returns HTTP 200 when the build is allowed and 422 when it is blocked; --fail-on (or fail_on in a .pkgradar.yml) chooses whether you block on high only or also on review. Already-known dependencies are served from a shared cache, so only genuinely new releases cost a scan. For the precision/recall behind the verdicts, see accuracy; for what the detectors look for, see methodology.
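The decision step described above, as an added example in Python (not PkgRadar's own code): it pulls the installed (name, version) pairs out of a package-lock.json, looks each one up in a verdict table, and applies the --fail-on policy, returning the same 200/422 outcome the gate reports. The lockfile and the verdict table are constructed for illustration, and the verdict lookup is a plain dict because the page does not show the API's response format; the real gate obtains verdicts from the PkgRadar service. Treating a dependency with no verdict as blocking is this example's fail-closed choice, not documented PkgRadar behaviour.

```python
import json

# Severity order behind --fail-on: "high" blocks on high only,
# "review" blocks on high or review. "low" always passes.
RANK = {"low": 0, "review": 1, "high": 2}

# Constructed package-lock.json (lockfileVersion 3 layout: "packages" keyed by
# install path). Real lockfiles also carry integrity hashes; omitted here.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@scope/widget": {"version": "0.1.0"},
        "node_modules/@scope/widget/node_modules/lodash": {"version": "3.10.1"},
    },
})

# Constructed verdicts keyed by (name, version). Hypothetical values, chosen
# so that one policy blocks one package and the stricter policy blocks two.
SAMPLE_VERDICTS = {
    ("lodash", "4.17.21"): "low",
    ("left-pad", "1.3.0"): "review",
    ("@scope/widget", "0.1.0"): "low",
    ("lodash", "3.10.1"): "high",
}


def dependencies_from_lockfile(text):
    """Return (name, version) pairs for every installed package entry."""
    data = json.loads(text)
    deps = []
    for path, entry in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # The package name is everything after the last "node_modules/", which
        # keeps scoped names like "@scope/widget" intact and handles nested
        # installs such as ".../node_modules/lodash".
        name = path.rsplit("node_modules/", 1)[-1]
        deps.append((name, entry["version"]))
    return deps


def gate(deps, verdicts, fail_on="high"):
    """Apply the --fail-on policy.

    Returns (allowed, status, offenders); status mirrors the gate's HTTP
    result: 200 when the build is allowed, 422 when it is blocked.
    """
    if fail_on not in ("high", "review"):
        raise ValueError("fail-on must be 'high' or 'review'")
    threshold = RANK[fail_on]
    offenders = []
    for name, version in deps:
        verdict = verdicts.get((name, version))
        if verdict is None:
            # Fail closed on anything without a verdict (this example's
            # assumption; the real gate would scan the new release first).
            offenders.append((name, version, "unscanned"))
        elif RANK[verdict] >= threshold:
            offenders.append((name, version, verdict))
    allowed = not offenders
    return allowed, (200 if allowed else 422), offenders


if __name__ == "__main__":
    deps = dependencies_from_lockfile(SAMPLE_LOCKFILE)
    for policy in ("high", "review"):
        allowed, status, offenders = gate(deps, SAMPLE_VERDICTS, policy)
        state = "allowed" if allowed else "blocked"
        print(f"--fail-on {policy}: HTTP {status}, {state} {offenders}")
```

Note the nested lodash 3.10.1 under @scope/widget: a lockfile can pin two versions of the same package, and each (name, version) pair gets its own verdict, so a clean top-level copy does not vouch for an older transitive one.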
Check a package directly
No setup needed — the public API returns a verdict for any package:
curl 'https://pkgradar.com/api/public/pkg?ecosystem=npm&name=lodash'

Or look one up on the package lookup.
From your AI assistant (MCP)
Check packages before you install or recommend them, right inside Claude Code, Cursor, or any MCP client:
claude mcp add pkgradar -- npx -y @pkgradar/mcp

Details on the MCP server page.
Need a hand?
Email [email protected] for setup or volume questions, or open a ticket from your dashboard. See pricing for plans and quotas.