@herodevs/cli
Terms and Data Security
- HeroDevs End of Life Dataset Terms of Service and Data Policy
- HeroDevs End of Life Dataset Data Privacy and Security
Prerequisites
- Install node v20 or higher: Download Node
- The HeroDevs CLI expects that you have all required technology installed for the project that you are running the CLI against
- For example, if you are running the CLI against a Gradle project, the CLI expects you to have Java installed.
Installation methods
Node Package Execute (NPX)
With Node installed, you can run the CLI directly from the npm registry without installing it globally or locally on your system
npx @herodevs/cli@beta
Global NPM Installation
npm install -g @herodevs/cli@beta
Binary Installation
HeroDevs CLI is available as a binary installation, without requiring npm. To do that, you may either download and run the script manually, or use the following cURL or Wget command:
curl -o- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.14/scripts/install.sh | bash
wget -qO- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.14/scripts/install.sh | bash
Scanning Behavior
The CLI is designed to be non-invasive:
- It does not install dependencies or modify package manager files (package-lock.json, yarn.lock, etc.)
- It analyzes the project in its current state
Installing Dependencies Before Use
Some projects and ecosystems require projects to have dependencies installed already, to achieve an accurate scan result. It is highly recommended that you install all dependencies of your project to your working directory, before running a scan on your project, to ensure scan accuracy.
Java Users
Maven and Gradle projects should run an install and build before scanning
Usage
$ npm install -g @herodevs/cli@beta
$ hd COMMAND
running command...
$ hd (--version)
@herodevs/cli/2.0.0-beta.14 darwin-arm64 node-v24.10.0
$ hd --help [COMMAND]
USAGE
$ hd COMMAND
...
Commands
hd help [COMMAND]hd report committershd scan eolhd tracker inithd update [CHANNEL]- NOTE: Only applies to binary installation method. NPM users should use
npm installto update to the latest version.
- NOTE: Only applies to binary installation method. NPM users should use
hd help [COMMAND]
Display help for hd.
USAGE
$ hd help [COMMAND...] [-n]
ARGUMENTS
[COMMAND...] Command to show help for.
FLAGS
-n, --nested-commands Include all nested commands in the output.
DESCRIPTION
Display help for hd.
See code: @oclif/plugin-help
hd report committers
Generate report of committers to a git repository
USAGE
$ hd report committers [--json] [-x <value>...] [-d <value>] [--monthly] [-m <value> | -s <value> | -e <value> | | ]
[-c] [-s]
FLAGS
-c, --csv Output in CSV format
-d, --directory=<value> Directory to search
-e, --afterDate=<value> [default: 2024-11-19] Start date (format: yyyy-MM-dd)
-m, --months=<value> [default: 12] The number of months of git history to review. Cannot be used along beforeDate
and afterDate
-s, --beforeDate=<value> [default: 2025-11-19] End date (format: yyyy-MM-dd)
-s, --save Save the committers report as herodevs.committers.<output>
-x, --exclude=<value>... Path Exclusions (eg -x="./src/bin" -x="./dist")
--json Output to JSON format
--monthly Break down by calendar month.
DESCRIPTION
Generate report of committers to a git repository
EXAMPLES
$ hd report committers
$ hd report committers --csv -s
$ hd report committers --json
$ hd report committers --csv
See code: src/commands/report/committers.ts
hd scan eol
Scan a given SBOM for EOL data
USAGE
$ hd scan eol [--json] [-f <value> | -d <value>] [-s] [-o <value>] [--saveSbom] [--sbomOutput <value>]
[--saveTrimmedSbom] [--hideReportUrl] [--version]
FLAGS
-d, --dir=<value> [default: <current directory>] The directory to scan in order to create a cyclonedx SBOM
-f, --file=<value> The file path of an existing SBOM to scan for EOL (supports CycloneDX and SPDX 2.3 formats)
-o, --output=<value> Save the generated report to a custom path (defaults to herodevs.report.json when not
provided)
-s, --save Save the generated report as herodevs.report.json in the scanned directory
--hideReportUrl Hide the generated web report URL for this scan
--saveSbom Save the generated SBOM as herodevs.sbom.json in the scanned directory
--saveTrimmedSbom Save the trimmed SBOM as herodevs.sbom-trimmed.json in the scanned directory
--sbomOutput=<value> Save the generated SBOM to a custom path (defaults to herodevs.sbom.json when not provided)
--version Show CLI version.
GLOBAL FLAGS
--json Format output as json.
DESCRIPTION
Scan a given SBOM for EOL data
EXAMPLES
Default behavior (no command or flags specified)
$ hd
Equivalent to
$ hd scan eol --dir .
Skip SBOM generation and specify an existing file
$ hd scan eol --file /path/to/sbom.json
Save the report or SBOM to a file
$ hd scan eol --save --saveSbom
Save the report and SBOM to custom paths
$ hd scan eol --dir . --save --saveSbom --output ./reports/my-report.json --sbomOutput ./reports/my-sbom.json
Output the report in JSON format (for APIs, CI, etc.)
$ hd scan eol --json
See code: src/commands/scan/eol.ts
hd tracker init
Initialize the tracker configuration
USAGE
$ hd tracker init [--force -o] [-d <value>] [-f <value>] [-i <value>...]
FLAGS
-d, --outputDir=<value> [default: hd-tracker] Output directory for the tracker configuration file
-f, --configFile=<value> [default: config.json] Filename for the tracker configuration file
-i, --ignorePatterns=<value>... [default: node_modules] Ignore patterns to use for the tracker configuration file
-o, --overwrite Overwrites the tracker configuration file if it exists
--force Force tracker configuration file creation. Use with --overwrite flag
DESCRIPTION
Initialize the tracker configuration
EXAMPLES
$ hd tracker init
$ hd tracker init -d trackerDir
$ hd tracker init -d trackerDir -f configFileName
$ hd tracker init -i node_modules
$ hd tracker init -i node_modules -i custom_modules
$ hd tracker init -o
See code: src/commands/tracker/init.ts
hd update [CHANNEL]
update the hd CLI
- NOTE: Only applies to binary installation method. NPM users should use
npm installto update to the latest version.
USAGE
$ hd update [CHANNEL] [--force | | [-a | -v <value> | -i]] [-b ]
FLAGS
-a, --available See available versions.
-b, --verbose Show more details about the available versions.
-i, --interactive Interactively select version to install. This is ignored if a channel is provided.
-v, --version=<value> Install a specific version.
--force Force a re-download of the requested version.
DESCRIPTION
update the hd CLI
EXAMPLES
Update to the stable channel:
$ hd update stable
Update to a specific version:
$ hd update --version 1.0.0
Interactively select version:
$ hd update --interactive
See available versions:
$ hd update --available
See code: @oclif/plugin-update
CI/CD Usage
You can use @herodevs/cli in your CI/CD pipelines to automate EOL scanning.
Using the Docker Image (Recommended)
We provide a Docker image that's pre-configured to run EOL scans. Based on cdxgen,
it contains build tools for most project types and will provide best results when generating an SBOM. Use these templates to generate a report and save it to your CI job artifact for analysis and processing after your scan runs.
Note: There is a potential to run into permission issues writing out the report to your CI runner. Please ensure that your CI runner is setup to have proper read/write permissions for wherever your output files are being written to.
GitHub Actions
## .github/workflows/herodevs-eol-scan.yml
name: HeroDevs EOL Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
scan:
runs-on: ubuntu-latest
environment: demo
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Run EOL Scan
run: |
docker run --name eol-scanner \
-v $GITHUB_WORKSPACE:/app \
-w /app \
ghcr.io/herodevs/eol-scan --save --output /tmp/herodevs.report.json
docker cp eol-scanner:/tmp/herodevs.report.json ${{ runner.temp }}/herodevs.report.json
docker rm eol-scanner
- name: Upload artifact
uses: actions/upload-artifact@v5
with:
name: my-eol-report
path: ${{ runner.temp }}/herodevs.report.json
GitLab CI/CD
eol-scan:
image:
name: "ghcr.io/herodevs/eol-scan"
# Entrypoint or base command must be disabled due
# to GitLab's execution mechanism and run manually
entrypoint: [""]
script: "npx @herodevs/cli@beta scan eol -s"
artifacts:
paths:
- herodevs.report.json
Using npx in CI
You can use npx to run the CLI in your CI pipeline, just like you would run it locally.
!NOTE The development environment is expected to be ready to run the app. For best results, prefer using the prebuilt image, but otherwise, prepare all requirements before the scan step.
GitHub Actions
## .github/workflows/herodevs-eol-scan.yml
name: HeroDevs EOL Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v6
with:
node-version: '24'
- run: echo # Prepare environment, install tooling, perform setup, etc.
- name: Run EOL Scan
run: npx @herodevs/cli@beta scan eol
- name: Upload artifact
uses: actions/upload-artifact@v5
with:
name: my-eol-report
path: herodevs.report.json
GitLab CI/CD
image: alpine
eol-scan:
script:
- echo # Prepare environment, install tooling, perform setup, etc.
- npx @herodevs/cli@beta scan eol -s
artifacts:
paths:
- herodevs.report.json
Local Docker image scans
The same pre-configured image can be pulled locally to scan in an optimized environment. Mount your code
to /app or a specified working directory to perform the scan:
docker run -v "$PWD":/app ghcr.io/herodevs/eol-scan