SCA Scan
Software Composition Analysis (SCA) identifies known vulnerabilities (CVEs) in your project’s third-party libraries and dependencies. Gerion uses Google’s OSV-Scanner, which queries the OSV database.
Run
gerion sca-scan [PATH]

```bash
# Scan the current directory
gerion sca-scan .

# Save results as JSON
gerion sca-scan . --format json --output-file sca.json

# Send results to the Gerion API
gerion sca-scan . --api-url $GERION_API_URL --api-key $GERION_API_KEY
```

Supported ecosystems
| Ecosystem | Recognized files |
|---|---|
| Node.js | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml |
| Go | go.mod, go.sum |
| Rust | Cargo.lock |
| Java / Maven | pom.xml |
| Java / Gradle | gradle.lockfile |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| .NET | packages.lock.json, packages.config |
| Swift | Package.resolved |
| Dart / Flutter | pubspec.lock |
| Conan (C/C++) | conan.lock |
| Linux (Alpine) | installed system packages |
| Linux (Debian/Ubuntu) | dpkg database |
Options
| Option | Description |
|---|---|
| --format | Output format: json, markdown, or sarif |
| --output-file | Save results to a file (disables API submission) |
| --api-url | Gerion API Gateway URL |
| --api-key | M2M API key |
| --timeout | Timeout in seconds (default: 180) |
| --log-level | Log level: debug, info, warning, or error |
Automatic false positives
If the installed package version is greater than or equal to the version that fixes the vulnerability, Gerion automatically marks the finding as a false positive and does not include it in the results.
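As an added example (not Gerion's or OSV-Scanner's own code), the rule above applied to an OSV-style `affected` record. It goes one step beyond the one-line rule by testing the vulnerable interval that actually covers the installed version, so a package fixed in 1.2.5 but affected again from 2.0.0 is still reported. Versions are compared as dotted numeric tuples, a simplification (real ecosystems define their own ordering), and the advisory data is constructed.

```python
"""Apply the "installed >= fixed version" suppression rule to OSV-style ranges.

Added example, not part of Gerion. Assumes dotted numeric versions; the
SAMPLE_* records below are constructed, not real advisories.
"""


def parse_version(version: str) -> tuple:
    # Simplification: "2.31.0" -> (2, 31, 0); pre-release tags are not handled.
    return tuple(int(part) for part in version.split("."))


def is_false_positive(installed: str, affected: dict) -> bool:
    """True when a reported finding should be suppressed.

    OSV lists events in order: an "introduced" version opens a vulnerable
    interval and the following "fixed" version closes it (exclusive). If the
    installed version sits inside any interval, the package is affected; it is
    a false positive only when it is at or past a fix and inside no interval.
    """
    v = parse_version(installed)
    at_or_past_a_fix = False
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges carry commit hashes, not comparable versions
        lo = None
        for event in rng.get("events", []):
            if "introduced" in event:
                intro = event["introduced"]
                lo = (0,) if intro == "0" else parse_version(intro)
            elif "fixed" in event and lo is not None:
                hi = parse_version(event["fixed"])
                if lo <= v < hi:
                    return False  # inside a vulnerable interval
                if v >= hi:
                    at_or_past_a_fix = True
                lo = None
        if lo is not None and v >= lo:
            return False  # open-ended interval: no fix published yet
    return at_or_past_a_fix


# Constructed sample: two release lines, fixed in 1.2.5 and again in 2.0.1.
SAMPLE_AFFECTED = {
    "package": {"ecosystem": "PyPI", "name": "example-lib"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
        {"introduced": "0"}, {"fixed": "1.2.5"},
        {"introduced": "2.0.0"}, {"fixed": "2.0.1"},
    ]}],
}
# Constructed sample: vulnerable from 1.0.0 with no fix released.
SAMPLE_UNFIXED = {"ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "1.0.0"}]}]}
```

Note that a naive `installed >= fixed` comparison would wrongly suppress 2.0.0 here because it is above the first fix, 1.2.5.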