CLI Reference
Every dg command, grouped by what you'd use it for. The CLI is intentionally small — no tuning flags, no config file, no exit-code taxonomy.
Commands
Daily use
Run these from your terminal day-to-day.
dg scan
Audit this project's dependencies for supply-chain risks. Read-only — installs nothing. Reads every npm + Python lockfile it finds (package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml, requirements*.txt, poetry.lock, Pipfile.lock), including nested projects in a monorepo. Pretty output in a terminal; machine JSON when piped or in CI.
dg scan
dg licenses
SPDX license report for the dependency tree, grouped by risk category. Same discovery as dg scan; pretty in a terminal, JSON when piped.
dg licenses
Install protection
Wired automatically after npm install -g @westbayberry/dg. No prefix, no setup step.
npm install <pkg> · pip install <pkg>
Your normal install commands scan the full dependency tree before anything reaches disk. A clean install proceeds untouched; a high-risk package is blocked — in a terminal you're asked to confirm (y/N, default No), and in CI / non-interactive shells it's refused outright. Covers npm and pip / pip3, including python -m pip install. If the scan can't reach the API, the install proceeds (fail-open) so an outage never blocks you.
npm install lodash
pip install requests
python -m pip install black
dg hook install
Add a git pre-commit hook that scans lockfile changes (npm + Python, across nested projects) before each commit. Detects existing Husky / Lefthook setups and integrates with them. A high-risk change blocks the commit; git commit --no-verify bypasses.
dg hook install
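Since git commit --no-verify skips the pre-commit hook, the same lockfile check can be repeated in CI. The sketch below is an added example, not part of dg. Its function names and the BASE/HEAD arguments are assumptions, the filename patterns come from the dg scan lockfile list above, and it assumes dg scan follows the exit-code contract described under Exit codes.

```shell
# Added example, not part of dg. Function names and the BASE/HEAD refs are
# assumptions; the filename patterns come from the "dg scan" lockfile list.

# Succeeds when the basename of $1 is a lockfile name that dg scan reads.
is_dg_lockfile() {
  case "${1##*/}" in
    package-lock.json|npm-shrinkwrap.json|yarn.lock|pnpm-lock.yaml) return 0 ;;
    requirements*.txt|poetry.lock|Pipfile.lock) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads changed paths on stdin (one per line) and prints only the lockfiles,
# at any depth, so nested monorepo projects are included.
changed_lockfiles() {
  while IFS= read -r f; do
    if is_dg_lockfile "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# ci_lockfile_gate BASE HEAD
# Returns 0 when no lockfile changed or dg scan exits 0, 2 when the change
# list cannot be computed (fail closed), otherwise dg scan's exit status.
ci_lockfile_gate() {
  files=$(git diff --name-only "$1" "$2") || return 2
  hits=$(printf '%s\n' "$files" | changed_lockfiles)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf 'lockfile changes to scan:\n%s\n' "$hits" >&2
  # Assumption: dg scan returns non-zero on a block-level finding.
  dg scan
}
```

Because dg returns 0 when a scan cannot complete, a passing gate shows that no block-level finding was reported, not that a scan ran.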
dg hook uninstall
Remove the git pre-commit hook from this repo.
dg hook uninstall
Account
Sign in for the dashboard and scan history. Scanning works without it.
dg login
Sign in via your browser, linking this machine to your westbayberry.com account. For CI, pass a token instead of the browser flow.
dg login
dg login --token dg_live_...
dg logout
Remove saved credentials.
dg logout
Maintenance
dg update
Install a newer CLI version. Detects the package manager dg was installed through (npm / pnpm / yarn).
dg update
dg uninstall
Remove everything dg has written locally that npm uninstall -g can't: the PATH shims, the dg-managed line in your shell rc, the Python import hooks, per-repo git hooks, and ~/.dg. Run npm uninstall -g @westbayberry/dg afterward to remove the package itself.
dg uninstall
dg uninstall --yes # skip the confirmation prompt (scripts)
dg version
Show the installed CLI version. dg help lists the commands above.
dg version
Output & flags
The CLI is deliberately flag-free. Output adapts to context — human-readable in a terminal, machine JSON when stdout is piped or CI is set — so there's no --json / --format / --mode to remember. The only two flags are:
- dg login --token <key>: Authenticate in CI without the browser flow.
- dg uninstall --yes: Skip the confirmation prompt for scripted removal.
Exit codes
Binary, so git hooks and shells can read it directly:
| Code | Meaning |
|---|---|
| 0 | Clean — the install / commit is allowed. Also returned when a scan can't complete (network or API error): dg fails open so an outage never blocks your work. |
| non-zero | A block-level package was found and the action was refused (install not run, commit blocked). In a terminal you're offered a y/N override first. |
Environment variables
Public knobs only. Anything not listed here is internal and may change without notice.
- DG_API_KEY: CI auth token (alternative to dg login). A dg_live_* or dg_test_* key. ~/.dg/config.json wins if both are set.
- NO_COLOR: Disable ANSI colors (also auto-detected when stdout isn't a TTY).
- CI: Switch to non-interactive, machine-readable output (auto-detected on GitHub Actions, GitLab CI, etc.).
See also
- Getting Started — setup walkthrough and quickstart.
- Blocking behavior — how the CLI decides to block vs allow.
- Integrations — GitHub App, CI, Slack/webhooks.