Setup & workflow

From zero to full dependency graph in 18 minutes

Connect your repo, configure your policy file, let Depswright do the resolution work. Here's exactly what happens.

  1. Connect your repository

    Install the Depswright GitHub App (or GitLab integration) from your repo settings. Takes about 60 seconds. We request read-only access to manifests — no write tokens, no production environment access.

    terminal — CLI alternative
    $ npm install -g @depswright/cli
    $ depswright init
    ✓ Logged in as [email protected]
    ✓ Linked repo acme/payments-service
    ✓ Ready. Run: depswright scan
  2. Create your policy file

    Drop a depswright.yml in your repo root. Define license policies, set thresholds for maintainer health scores, and configure which severity levels block CI. Most teams start with defaults and tune from there.

    depswright.yml
    version: 1
    policy:
      license:
        deny: ["AGPL-3.0", "GPL-2.0"]
      maintainer_health:
        fail_below: 20
        warn_below: 40
      conflicts:
        fail_on: semver_incompatible
  3. Run your first scan

    Depswright reads your lockfiles — package-lock.json, Pipfile.lock, Cargo.lock, etc. — resolves the full transitive graph, and produces a structured report within seconds.

    first scan output
    $ depswright scan
    Resolving npm (package-lock.json)...
    Graph: 489 packages (42 direct, 447 transitive)
    Checking licenses, health, conflicts...
     
      WARN  [email protected]  health:34  (warn_below:40)
      FAIL  [email protected]  health:12  (fail_below:20)
     
    Run depswright report --open for full details.
  4. Wire it into CI/CD

    Add the Depswright step to your pipeline. Use fail_on: critical to gate merges, or warn_only: true for a softer rollout. The action posts inline PR annotations — no hunting through logs.

    .github/workflows/deps.yml
    - name: Dependency audit
      uses: depswright/action@v2
      with:
        api_key: ${{ secrets.DEPSWRIGHT_KEY }}
        fail_on: critical
        annotate_pr: true
        post_summary: true
  5. Enable continuous monitoring

    Depswright checks your graph on a schedule — daily by default, configurable down to hourly. When an upstream release changes a package's license or a maintainer goes inactive, you get an alert before your next CI run catches it.

    depswright.yml — monitor config
    monitor:
      schedule: "0 9 * * *"  # 9am daily
      notify:
        slack_webhook: ${{ secrets.SLACK_HOOK }}
        email: [email protected]
        jira_project: ENG
  6. Review the dashboard

    The Depswright dashboard shows your dependency graph visually, surfaces the riskiest packages first, and tracks remediation progress over time. Share a scan permalink with your team or export for security audits.

    report summary
    ✓ 462 packages healthy
    ⚠ 1 health warning  — [email protected]
    ✗ 1 policy violation — [email protected]
     
    Suggested fix: replace xml-parse-lite with
    [email protected] (health: 89, MIT)
     
    Report: https://app.depswright.com/r/def456
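To make the policy semantics of steps 2 and 3 concrete, here is an added example (not Depswright's own code): a small Python evaluator that resolves a constructed dependency graph transitively and applies the license deny list and maintainer-health thresholds from the depswright.yml above, then derives the CI gate decision. The graph, package names and scores are constructed, and the rule that a denied license or a sub-threshold health score yields FAIL (warn_below yields WARN) is an assumption about how the tool behaves.

```python
# Added example, not Depswright's code: mirrors the depswright.yml policy
# shown above over a constructed graph. Field names and FAIL/WARN rules are
# assumptions about the tool's semantics.
from collections import deque

# Policy as written in the depswright.yml above.
POLICY = {
    "license": {"deny": ["AGPL-3.0", "GPL-2.0"]},
    "maintainer_health": {"fail_below": 20, "warn_below": 40},
}

# Constructed sample graph: name -> (license, health score, dependencies).
GRAPH = {
    "app": ("MIT", 100, ["web-framework", "xml-parse-lite"]),
    "web-framework": ("MIT", 85, ["http-core", "logger"]),
    "http-core": ("Apache-2.0", 70, ["logger"]),
    "logger": ("MIT", 34, []),
    "xml-parse-lite": ("MIT", 12, ["string-utils"]),
    "string-utils": ("GPL-2.0", 55, []),
}

def resolve(graph, root):
    """Walk the transitive closure from root; return (direct, transitive) sets."""
    direct = set(graph[root][2])
    seen, queue = set(direct), deque(direct)
    while queue:
        name = queue.popleft()
        for dep in graph[name][2]:
            if dep not in seen:          # guards against cycles and duplicates
                seen.add(dep)
                queue.append(dep)
    return direct, seen - direct

def evaluate(graph, policy, root="app"):
    """Classify every resolved package as FAIL, WARN or healthy per the policy."""
    direct, transitive = resolve(graph, root)
    fail_below = policy["maintainer_health"]["fail_below"]
    warn_below = policy["maintainer_health"]["warn_below"]
    denied = set(policy["license"]["deny"])
    findings = {"FAIL": [], "WARN": [], "healthy": []}
    for name in sorted(direct | transitive):
        license_, health, _ = graph[name]
        if license_ in denied or health < fail_below:
            findings["FAIL"].append(name)
        elif health < warn_below:
            findings["WARN"].append(name)
        else:
            findings["healthy"].append(name)
    return findings

def ci_gate(findings, warn_only=False):
    """Exit code a CI step would return: 1 blocks the merge, 0 lets it through."""
    return 0 if warn_only or not findings["FAIL"] else 1
```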

In the wild

From the team that shipped it

"We got burned by an abandoned maintainer three times before we built Depswright. The fourth time, we found out via our own tool six weeks before anyone noticed the package was effectively dead. That's the workflow we wanted to give everyone."

— Marcus Chen, founder

All six steps, under 18 minutes.

Free tier for solo devs. No credit card required to start.