Installation

Requirements: Python 3.11 or later.

From Source

git clone https://github.com/jaredmladner/depscore.git
cd depscore
pip install .

With Dev Dependencies

pip install ".[dev]"

Verify Install

depscore --version
# depscore, version 0.1.0

Configuration

depscore reads configuration from environment variables. Copy .env.example to .env and fill in your credentials.

cp .env.example .env

⚠️ Important: Add credits to your Anthropic account before generating your API key. Keys created on a zero-balance account will continue to fail with a billing error even after credits are added later. Generate a fresh key after funding your account.

Variable | Required | Default | Description
GITHUB_TOKEN | Required | - | GitHub personal access token. Read-only scopes are sufficient.
ANTHROPIC_API_KEY | Required | - | Anthropic API key from console.anthropic.com. Not needed with --no-ai.
LIBRARIES_IO_API_KEY | Optional | - | Improves enrichment quality for dependency and SourceRank data.
DEPSCORE_AI_ENABLED | Optional | true | Set to false to disable AI scoring globally (same as --no-ai).
DEPSCORE_AI_BLEND_WEIGHT | Optional | 0.6 | AI layer weight (0.0–1.0). 0.0 = rules only, 1.0 = AI only.
DEPSCORE_CONCURRENCY_LIMIT | Optional | 10 | Max parallel dependency enrichments. Reduce if hitting rate limits.
DEPSCORE_REQUEST_TIMEOUT_SECONDS | Optional | 30 | HTTP timeout per API request in seconds.
DEPSCORE_MAX_RETRIES | Optional | 3 | Retry attempts on transient failures (429, 5xx).

CLI Reference

depscore scan

The primary command. Parses an SBOM, enriches all dependencies, scores them, and writes a report.

depscore scan [OPTIONS]

Options

Option | Type | Default | Description
--sbom PATH | Path | required | Path to the SBOM file (CycloneDX or SPDX JSON).
--format | Choice | auto | cyclonedx, spdx, or auto. Auto-detected from file content if omitted.
--output PATH | Path | ./depscore-output | Directory to write report files into.
--html | Flag | false | Also generate an interactive HTML dashboard alongside the JSON report.
--no-ai | Flag | false | Skip AI scoring. Uses rules-based scoring only. No Anthropic key required.
--version | Flag | - | Print version and exit.
--help | Flag | - | Show help message and exit.

Examples

# Basic scan with JSON output
depscore scan --sbom ./sbom.json

# Scan with HTML dashboard
depscore scan --sbom ./sbom.json --html

# Explicit format, custom output directory
depscore scan --sbom ./sbom.json --format cyclonedx --output ./reports --html

# Rules-only mode (free, no Anthropic key needed)
depscore scan --sbom ./sbom.json --no-ai --html

Exit Codes

Code | Meaning
0 | Success
1 | Configuration error, SBOM parse failure, or scoring error
130 | Interrupted (Ctrl+C)

SBOM Formats

CycloneDX JSON

depscore supports CycloneDX JSON (spec versions 1.4 and later). The file must contain a bomFormat: "CycloneDX" key. Components are parsed from the top-level components array with PURL and external references.

SPDX JSON

depscore supports SPDX JSON 2.3+. Packages are extracted from the packages array. External document references and externalRefs are used to resolve repository URLs and ecosystems.

Auto-Detection

When --format auto (the default), depscore inspects the file content: if it contains CycloneDX or bomFormat it uses the CycloneDX parser; otherwise it falls back to SPDX.

Generating SBOMs with Syft

Syft is the recommended tool for generating SBOMs.

# Install Syft (macOS)
brew install anchore/syft/syft

# Install Syft (Linux/macOS via curl)
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh

# Scan a directory → CycloneDX JSON
syft dir:. -o cyclonedx-json > sbom.json

# Scan a container image → SPDX JSON
syft ubuntu:latest -o spdx-json > sbom.spdx.json

# Then score it
depscore scan --sbom sbom.json --html

Scoring

Dimensions & Weights

Dimension | Weight | What it measures | Data sources
security_posture | 35% | CVE history & severity, SECURITY.md, branch protection, signed commits, OpenSSF Scorecard | OSV, OpenSSF, GitHub
maintainability | 30% | Commit recency & frequency, PR response time, bus factor | GitHub API
maturity | 20% | Version stability, project age, release cadence, download adoption | PyPI, npm, Maven, NuGet, Libraries.io
community_health | 15% | Contributor diversity, geographic/corporate concentration, SourceRank | GitHub, Libraries.io

Hybrid Scoring (Rules + AI)

depscore blends two scoring layers for each dependency:

  • Rules layer (40%): deterministic math on raw metrics (days since last commit, CVE count, version prefix, release frequency, etc.).
  • AI layer (60%): claude-sonnet-4-6 receives all enriched signals and returns a score with written reasoning per dimension.

# Blend formula (per dimension)
final_score = (rules_score × 0.40) + (ai_score × 0.60)

The AI weight is configurable via DEPSCORE_AI_BLEND_WEIGHT. If AI scoring fails or --no-ai is used, depscore automatically falls back to rules-only scoring and flags "ai_available": false in the output.

Grade Thresholds

Grade | Score range | Interpretation
A | 80 – 100 | Low risk. Well-maintained, active, secure.
B | 65 – 79 | Acceptable. Minor concerns worth monitoring.
C | 50 – 64 | Moderate risk. Review and consider alternatives.
D | 35 – 49 | High risk. Actively investigate before use.
F | 0 – 34 | Critical risk. Remediate or replace immediately.

API Cost Estimates

AI scoring uses claude-sonnet-4-6, billed per token at Anthropic API rates.

Dependencies | Estimated cost
10 deps | ~$0.03 – $0.05
50 deps | ~$0.15 – $0.25
100 deps | ~$0.30 – $0.50
500 deps | ~$1.50 – $2.50

💡 Use --no-ai for zero AI cost. Rules-based scoring is free and deterministic, just less nuanced.

Output Formats

JSON Report

Written to <output-dir>/depscore-report.json. Contains the full scoring results for every dependency.

{
  "overall_sbom_score": 74.3,
  "overall_sbom_grade": "C",
  "total_dependencies": 42,
  "grade_distribution": { "A": 8, "B": 12, "C": 14, "D": 6, "F": 2 },
  "dimension_averages": {
    "security_posture": 65.1,
    "maintainability": 70.5,
    "maturity": 81.2,
    "community_health": 77.8
  },
  "scores": [
    {
      "dependency_name": "requests",
      "version": "2.31.0",
      "overall": 88.4,
      "overall_grade": "A",
      "security_posture": {
        "score": 74.0, "confidence": 0.85,
        "reasoning": "One high CVE in last 6 months despite strong security posture..."
      },
      "ai_available": true,
      "scored_at": "2026-04-06T14:00:00Z"
    }
  ],
  "generated_at": "2026-04-06T14:01:23Z",
  "depscore_version": "0.1.0"
}

HTML Dashboard

Generated when --html is passed. Written to <output-dir>/depscore-report.html.

  • Self-contained single file — no web server required, works offline
  • Overall SBOM score gauge and grade distribution chart
  • Per-dimension radar chart showing average scores
  • Sortable, filterable dependency table with score bars and grade badges
  • Per-dependency drill-down panel with CVE list, OpenSSF Scorecard checks, and Claude AI reasoning per dimension

Docker

Build

docker build -t depscore .

Run — JSON output

docker run --rm \
  -e GITHUB_TOKEN=$GITHUB_TOKEN \
  -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
  -v /path/to/sbom.json:/sbom/sbom.json:ro \
  -v $(pwd)/report:/output \
  depscore scan --sbom /sbom/sbom.json --output /output

Run — HTML dashboard + rules-only

docker run --rm \
  -e GITHUB_TOKEN=$GITHUB_TOKEN \
  -v /path/to/sbom.json:/sbom/sbom.json:ro \
  -v $(pwd)/report:/output \
  depscore scan --sbom /sbom/sbom.json --output /output --html --no-ai

Mount your SBOM at /sbom/ (read-only) and collect output from /output/.

Environment Variables

Variable | Required | Notes
GITHUB_TOKEN | Required | GitHub personal access token
ANTHROPIC_API_KEY | Optional | Required unless using --no-ai
LIBRARIES_IO_API_KEY | Optional | Improves enrichment quality
DEPSCORE_AI_ENABLED | Optional | Default: true
DEPSCORE_AI_BLEND_WEIGHT | Optional | Default: 0.6
DEPSCORE_CONCURRENCY_LIMIT | Optional | Default: 10

FAQ

No. claude.ai (Pro/Team/Max) is a separate consumer product from the Anthropic API. depscore uses the Anthropic API, which requires a separate account and credit balance at console.anthropic.com. Minimum $5 to get started.

Yes. Pass --no-ai or set DEPSCORE_AI_ENABLED=false to run pure rules-based scoring at zero AI cost. You still need a GitHub token for enrichment.

CycloneDX JSON (1.4+) and SPDX JSON (2.3+). Format is auto-detected by default. Pass --format cyclonedx or --format spdx to override.

Use Syft: syft dir:. -o cyclonedx-json > sbom.json for a directory, or syft <image> -o cyclonedx-json > sbom.json for a container image. Trivy also works: trivy fs --format cyclonedx . > sbom.json.

Python (PyPI), JavaScript (npm), Java/JVM (Maven Central), and .NET (NuGet) have dedicated registry enrichers. Any dependency with a GitHub repository URL is enriched via GitHub, OSV, and OpenSSF Scorecard regardless of ecosystem.

Yes. The HTML file embeds all report data as an inline JSON blob and loads Chart.js from a CDN. Once the page has been opened in a browser (and CDN assets cached), it works fully offline. No web server is needed.

Claude receives all enriched signals for a dependency and returns a score (0–100) plus 1–3 sentences of written reasoning per dimension. For example: "One high-severity CVE in the last 6 months warrants attention despite security policy presence and branch protection; missing signed commits." This reasoning appears in the HTML drill-down panel and the JSON output.

Depends on SBOM size and API rate limits. Rough estimates: 10 deps ~15–30s · 50 deps ~1–2 min · 100 deps ~2–4 min. Controlled by DEPSCORE_CONCURRENCY_LIMIT (default 10 parallel enrichments). Use --no-ai to skip AI calls and cut time roughly in half.