Use this file to discover all available pages before exploring further.
KiroGraph’s security commands give you graph-aware vulnerability analysis — not just a list of CVEs, but a reachability verdict for each one, mapped through the call graph to your HTTP entry points. All security commands require enableSecurity: true in .kirograph/config.json. Re-run kirograph index after enabling it. The kg short alias works for every command shown here.
Security analysis also requires enableArchitecture: true in config.json. Both flags must be set before indexing.
Prints a security posture overview for the project: total dependency count, vulnerability count, reachability verdict breakdown, stale data warnings, and a count of dependencies with version staleness scores above the threshold. If enablePatterns is also enabled, it includes a summary of SAST pattern-match findings.
Lists all vulnerabilities found in project dependencies, enriched with EPSS exploitation probability scores and graph-derived reachability verdicts. Each entry shows the CVE ID, affected package, resolved version, severity score, EPSS score, and whether the vulnerable code is actually reachable from an entry point.
Checks whether a specific CVE or dependency is reachable from an application entry point, tracing the call path through the graph. Shows: verdict (affected / not affected / under investigation), the number of entry points that can reach the vulnerability, up to five call paths, unresolved symbols, and an impact summary (affected layers and distinct paths).
Maps HTTP routes to vulnerable dependencies by combining the route graph with reachability data. Shows which public-facing endpoints can reach vulnerable code — the highest-priority items for remediation.
Performs lightweight SAST-style data-flow analysis, detecting dangerous flows such as SQL injection, path traversal, eval injection, and similar sinks fed by untrusted sources.
Exports a CycloneDX 1.5 Software Bill of Materials (SBOM) in JSON format to stdout or a file. The SBOM covers all resolved dependencies discovered during indexing.
Exports a CycloneDX 1.5 Vulnerability Exploitability eXchange (VEX) document in JSON format. The VEX document records the reachability verdict for each CVE, enabling downstream tools to suppress non-reachable findings.
Generates a self-contained HTML security dashboard covering vulnerabilities, reachability verdicts, dependency licenses, staleness scores, and supply-chain health. The output is a single .html file you can open in any browser or share with your team — no server required.
# Generate the dashboard (written to .kirograph/security-export.html)kirograph security export# Write to a custom pathkirograph security export --output reports/security.html# Generate and open in the browser straight awaykirograph security export --open
Generates a structured CI security report in JSON, SARIF, or human-readable text format. Exits with code 1 if the specified failure condition is met — designed to gate pull requests on reachable vulnerabilities.
# Default: JSON, fail on any reachable vulnerabilitykirograph security ci-report# SARIF format, fail only on criticalkirograph security ci-report --format sarif --fail-on critical --output ci.sarif# Text summary for human-readable PR commentskirograph security ci-report --format text
Assesses supply-chain health for each dependency: OpenSSF Scorecard scores, maintainer count, package age, and a computed risk level. Optionally re-fetches data from registries and the Scorecard API.
kirograph supply-chain# Show only high and critical risk packageskirograph supply-chain --threshold high# Refresh from registries firstkirograph supply-chain --refresh --format json
Detects dependency confusion attack vectors: internal packages that share a name with (or are close in name to) packages available on public registries, and potential typosquatting candidates.
Checks each indexed dependency against its upstream registry (npm, PyPI, crates.io, RubyGems, Packagist) and assigns a staleness score between 0.0 (current) and 1.0 (very stale). Use this to surface dependencies that have drifted far behind the latest release.
kirograph staleness# Only notably stale packages (score ≥ 0.5)kirograph staleness --threshold 0.5# Refresh version data from registries firstkirograph staleness --refreshkirograph staleness --format json
Lists the license of every dependency and checks them against a configurable policy. Built-in deny list includes GPL-family and AGPL licenses; the warn list includes LGPL. Both lists can be overridden per project.
Parses and displays all dependency manifest files found in the project (npm, Cargo, Go modules, Python, Maven, Gradle), along with package versions, licenses, and any version drift across manifests in a monorepo.
kirograph manifest# Inspect a specific packagekirograph manifest --package lodash# Show only npm packages with version driftkirograph manifest --ecosystem npm --drift
Suppresses a CVE to mark it as a false positive or accepted risk. Suppressions are stored in .kirograph/suppressions.json and are respected by kirograph vulns and kirograph security ci-report. Use kirograph vuln suppressions to list all active suppressions.
# Suppress a CVE with a reasonkirograph vuln suppress CVE-2024-1234 --reason "Not reachable in our deployment"# Suppress with an expiry datekirograph vuln suppress CVE-2024-5678 --reason "Accepted risk" --expires 2025-12-31# Lift a suppressionkirograph vuln unsuppress CVE-2024-1234# List all active suppressionskirograph vuln suppressions# JSON outputkirograph vuln suppressions --format json
Tracks remediation SLA: shows how long each vulnerability has been open, whether a fix version is available, and whether the fix is overdue based on severity-defined SLA thresholds.