Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/davide-desio-eleva/kirograph/llms.txt

Use this file to discover all available pages before exploring further.

KiroGraph’s security commands give you graph-aware vulnerability analysis — not just a list of CVEs, but a reachability verdict for each one, mapped through the call graph to your HTTP entry points. All security commands require enableSecurity: true in .kirograph/config.json. Re-run kirograph index after enabling it. The kg short alias works for every command shown here.
Security analysis also requires enableArchitecture: true in config.json. Both flags must be set before indexing.

kirograph security

Prints a security posture overview for the project: total dependency count, vulnerability count, reachability verdict breakdown, stale data warnings, and a count of dependencies with version staleness scores above the threshold. If enablePatterns is also enabled, it includes a summary of SAST pattern-match findings.

Flags

FlagDescription
--refresh-stalenessFetch latest version data from package registries before displaying the overview
--fail-on <condition>Exit with code 1 if condition is met. Supported value: affected

Examples

kirograph security

# Re-query registries for latest package versions first
kirograph security --refresh-staleness

# Exit 1 if any vulnerability is reachable (for CI gating)
kirograph security --fail-on affected

kg security /workspace/myproject
Example output sections:
  Security Overview

  Dependencies:          148
  Vulnerabilities:       12

  Top risk:              CVE-2024-28849 (Risk: 9.1) in cross-fetch

  Reachability Verdicts

  ● Affected:              3
  ● Not affected:          7
  ● Under investigation:   2

kirograph vulns

Lists all vulnerabilities found in project dependencies, enriched with EPSS exploitation probability scores and graph-derived reachability verdicts. Each entry shows the CVE ID, affected package, resolved version, severity score, EPSS score, and whether the vulnerable code is actually reachable from an entry point.

Flags

FlagDescription
--severity <level>Filter by severity: critical, high, medium, low
--verdict <verdict>Filter by reachability verdict: affected, not_affected, under_investigation
--epss <threshold>Show only vulnerabilities with EPSS ≥ threshold (0.0–1.0)
--staleShow the staleness score of the affected dependency alongside each CVE
--refreshRe-query OSV and configured vulnerability databases before listing
--sort <key>Sort by: risk (default), cvss, epss, name
--add <cveId>Manually register a private CVE (requires --package and --version)
--package <name>Package name for manual CVE registration
--version <ver>Package version for manual CVE registration
--fail-on <condition>Exit 1 if condition is met: affected, any, critical, high, epss=N
--group-by <key>Group output by: workspace

Examples

# List all vulnerabilities
kirograph vulns

# Only critical and high, sorted by EPSS
kirograph vulns --severity critical --sort epss

# Only reachable vulnerabilities
kirograph vulns --verdict affected

# High-probability exploits only (EPSS ≥ 0.7)
kirograph vulns --epss 0.7

# Refresh vulnerability data from OSV first
kirograph vulns --refresh

# Exit 1 if any critical vulnerability is present
kirograph vulns --fail-on critical

# Manually register an internal CVE
kirograph vulns --add CVE-2024-9999 --package my-internal-lib --version 1.2.0

kg vulns --verdict affected --sort risk

kirograph reachability

Checks whether a specific CVE or dependency is reachable from an application entry point, tracing the call path through the graph. Shows: verdict (affected / not affected / under investigation), the number of entry points that can reach the vulnerability, up to five call paths, unresolved symbols, and an impact summary (affected layers and distinct paths).

Examples

# Check reachability by CVE ID
kirograph reachability CVE-2023-12345

# Check reachability by package name
kirograph reachability lodash

kg reachability CVE-2024-28849 /workspace/myproject

kirograph attack-surface

Maps HTTP routes to vulnerable dependencies by combining the route graph with reachability data. Shows which public-facing endpoints can reach vulnerable code — the highest-priority items for remediation.

Flags

FlagDescriptionDefault
--limit <n>Max routes to show20
--public-onlyShow only public/unauthenticated routesfalse
--format <fmt>text | jsontext

Examples

kirograph attack-surface

# Only unauthenticated routes
kirograph attack-surface --public-only

kirograph attack-surface --format json

kirograph security secrets

Scans source files for hardcoded secrets, credentials, API keys, and tokens using pattern-based detection.

Flags

FlagDescription
--include-testsInclude test files in the scan
--severity <level>Filter by severity: critical, high, medium, low
--format <fmt>text (default) | json

Examples

kirograph security secrets

# Include test files
kirograph security secrets --include-tests

# Critical findings only, JSON output
kirograph security secrets --severity critical --format json

kirograph security flows

Performs lightweight SAST-style data-flow analysis, detecting dangerous flows such as SQL injection, path traversal, eval injection, and similar sinks fed by untrusted sources.

Flags

FlagDescriptionDefault
--type <type>Filter by flow type: sql, xss, eval, deserialize, path, allall
--format <fmt>text | jsontext

Examples

kirograph security flows

# Only SQL injection findings
kirograph security flows --type sql

# Only XSS findings
kirograph security flows --type xss

kirograph security flows --format json

kirograph sbom

Exports a CycloneDX 1.5 Software Bill of Materials (SBOM) in JSON format to stdout or a file. The SBOM covers all resolved dependencies discovered during indexing.

Flags

FlagDescription
--output <file>Write the SBOM to a file instead of stdout

Examples

# Print SBOM to stdout
kirograph sbom

# Write to a file
kirograph sbom --output sbom.json

kg sbom --output reports/sbom.json

kirograph vex

Exports a CycloneDX 1.5 Vulnerability Exploitability eXchange (VEX) document in JSON format. The VEX document records the reachability verdict for each CVE, enabling downstream tools to suppress non-reachable findings.

Flags

FlagDescription
--output <file>Write the VEX document to a file instead of stdout

Examples

kirograph vex

kirograph vex --output vex.json

kirograph security export

Generates a self-contained HTML security dashboard covering vulnerabilities, reachability verdicts, dependency licenses, staleness scores, and supply-chain health. The output is a single .html file you can open in any browser or share with your team — no server required.

Flags

FlagDescriptionDefault
--output <file>Write the HTML dashboard to this path.kirograph/security-export.html
--openOpen the generated HTML file in the default browser immediatelyfalse

Examples

# Generate the dashboard (written to .kirograph/security-export.html)
kirograph security export

# Write to a custom path
kirograph security export --output reports/security.html

# Generate and open in the browser straight away
kirograph security export --open

kirograph security ci-report

Generates a structured CI security report in JSON, SARIF, or human-readable text format. Exits with code 1 if the specified failure condition is met — designed to gate pull requests on reachable vulnerabilities.

Flags

FlagDescriptionDefault
--format <fmt>json | sarif | textjson
--fail-on <condition>Exit 1 if condition is met: affected, any, criticalaffected
--output <file>Write the report to a file instead of stdout

Examples

# Default: JSON, fail on any reachable vulnerability
kirograph security ci-report

# SARIF format, fail only on critical
kirograph security ci-report --format sarif --fail-on critical --output ci.sarif

# Text summary for human-readable PR comments
kirograph security ci-report --format text

CI integration example

name: Security gate
on: [pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: npm ci

      - name: Sync KiroGraph index
        run: kirograph sync

      - name: Run security CI report
        run: |
          kirograph security ci-report \
            --format sarif \
            --fail-on affected \
            --output security.sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: security.sarif

kirograph supply-chain

Assesses supply-chain health for each dependency: OpenSSF Scorecard scores, maintainer count, package age, and a computed risk level. Optionally re-fetches data from registries and the Scorecard API.

Flags

FlagDescriptionDefault
--threshold <level>Show only packages at or above this risk level: critical, high, medium, lowlow
--refreshRe-fetch data from registries and the Scorecard APIfalse
--format <fmt>table | jsontable

Examples

kirograph supply-chain

# Show only high and critical risk packages
kirograph supply-chain --threshold high

# Refresh from registries first
kirograph supply-chain --refresh --format json

kirograph dep-confusion

Detects dependency confusion attack vectors: internal packages that share a name with (or are close in name to) packages available on public registries, and potential typosquatting candidates.

Flags

FlagDescriptionDefault
--format <fmt>table | jsontable

Examples

kirograph dep-confusion

kirograph dep-confusion --format json

kirograph staleness

Checks each indexed dependency against its upstream registry (npm, PyPI, crates.io, RubyGems, Packagist) and assigns a staleness score between 0.0 (current) and 1.0 (very stale). Use this to surface dependencies that have drifted far behind the latest release.

Flags

FlagDescriptionDefault
--threshold <n>Show only packages with a staleness score ≥ n0.3
--refreshRe-query registries for the latest version data before listingfalse
--format <fmt>table | jsontable

Examples

kirograph staleness

# Only notably stale packages (score ≥ 0.5)
kirograph staleness --threshold 0.5

# Refresh version data from registries first
kirograph staleness --refresh

kirograph staleness --format json

kirograph licenses

Lists the license of every dependency and checks them against a configurable policy. Built-in deny list includes GPL-family and AGPL licenses; the warn list includes LGPL. Both lists can be overridden per project.

Flags

FlagDescription
--policyShow only policy violations
--deny <patterns>Override the deny list (comma-separated SPDX patterns, e.g. "GPL-*,AGPL-3.0")
--warn <patterns>Override the warn list (comma-separated SPDX patterns)
--format <fmt>table (default) | json

Examples

kirograph licenses

# Only violations
kirograph licenses --policy

# Custom deny list
kirograph licenses --deny "GPL-*,AGPL-3.0" --warn "LGPL-*"

kirograph licenses --format json

kirograph manifest

Parses and displays all dependency manifest files found in the project (npm, Cargo, Go modules, Python, Maven, Gradle), along with package versions, licenses, and any version drift across manifests in a monorepo.

Flags

FlagDescription
--package <name>Drill into a specific package (partial name match)
--ecosystem <lang>Filter by ecosystem: npm, cargo, go, python, maven, gradle
--driftShow only packages with version drift across manifests

Examples

kirograph manifest

# Inspect a specific package
kirograph manifest --package lodash

# Show only npm packages with version drift
kirograph manifest --ecosystem npm --drift

kirograph vuln suppress / kirograph vuln unsuppress / kirograph vuln suppressions

Suppresses a CVE to mark it as a false positive or accepted risk. Suppressions are stored in .kirograph/suppressions.json and are respected by kirograph vulns and kirograph security ci-report. Use kirograph vuln suppressions to list all active suppressions.

Flags for vuln suppress

FlagDescription
--reason <text>Reason for the suppression
--expires <date>Expiry date in ISO format (e.g. 2026-12-31)

Flags for vuln suppressions

FlagDescriptionDefault
--format <fmt>table | jsontable

Examples

# Suppress a CVE with a reason
kirograph vuln suppress CVE-2024-1234 --reason "Not reachable in our deployment"

# Suppress with an expiry date
kirograph vuln suppress CVE-2024-5678 --reason "Accepted risk" --expires 2025-12-31

# Lift a suppression
kirograph vuln unsuppress CVE-2024-1234

# List all active suppressions
kirograph vuln suppressions

# JSON output
kirograph vuln suppressions --format json

kirograph remediation

Tracks remediation SLA: shows how long each vulnerability has been open, whether a fix version is available, and whether the fix is overdue based on severity-defined SLA thresholds.

Flags

FlagDescriptionDefault
--overdue-onlyShow only overdue itemsfalse
--format <fmt>table | jsontable

Examples

kirograph remediation

# Only overdue items
kirograph remediation --overdue-only

kirograph remediation --format json

Command summary

CommandRequiresKey flags
kirograph security [path]enableSecurity--refresh-staleness, --fail-on
kirograph vulns [path]enableSecurity--severity, --verdict, --epss, --refresh, --fail-on
kirograph reachability <target>enableSecurity
kirograph attack-surface [path]enableSecurity--limit, --public-only, --format
kirograph security secrets [path]enableSecurity--include-tests, --severity, --format
kirograph security flows [path]enableSecurity--type, --format
kirograph sbom [path]enableSecurity--output
kirograph vex [path]enableSecurity--output
kirograph security export [path]enableSecurity--output, --open
kirograph security ci-report [path]enableSecurity--format, --fail-on, --output
kirograph supply-chain [path]enableSecurity--threshold, --refresh, --format
kirograph dep-confusion [path]enableSecurity--format
kirograph staleness [path]enableSecurity--threshold, --refresh, --format
kirograph licenses [path]enableSecurity--policy, --deny, --warn, --format
kirograph manifest [path]--package, --ecosystem, --drift
kirograph vuln suppress <cveId>enableSecurity--reason, --expires
kirograph vuln unsuppress <cveId>enableSecurity
kirograph vuln suppressionsenableSecurity--format
kirograph remediation [path]enableSecurity--overdue-only, --format

Build docs developers (and LLMs) love