Developer Guides
How to integrate dependency security scanning into your workflow — from a one-off terminal command to automatic CI/CD blocking on critical CVEs.
Scan dependencies on every push — 4 ready-to-use workflow YAMLs
Catch CVEs before they enter your git history
Pipe any manifest into PackageFix with one command
Which guide is right for you?
If you want a quick one-off check right now — use the terminal one-liner. If you want to catch vulnerabilities before they reach production — add the GitHub Actions workflow. If you want to catch them before they even enter your git history — use pre-commit hooks.
Dependency security guides by workflow
Step-by-step guides for integrating dependency scanning into your development workflow — from pre-commit hooks to CI/CD pipelines and production monitoring.
GitHub Actions dependency scanning
Run npm audit, pip-audit, and bundler-audit automatically on every pull request. Includes complete workflow YAML for npm, PyPI, and Ruby projects.
Pre-commit dependency checks
Block commits that introduce vulnerable dependencies before they reach your repo. Includes pre-commit hook configuration for npm and Python projects.
Scanning by ecosystem
Each ecosystem has different tooling and conventions for dependency scanning. Choose your stack:
npm audit, overrides, lockfile scanning
pip-audit, safety, requirements.txt pinning
bundler-audit, Gemfile.lock, bundle update
composer audit, security advisories
govulncheck, go mod tidy
cargo audit, RustSec advisory database
OWASP dependency-check, Maven enforcer
CI/CD providers
Provider-specific guides for adding dependency scanning to your pipeline:
npm audit + pip-audit workflows
dependency scanning template
orb-based scanning setup
Paste your manifest — get a fixed version with all CVEs patched in seconds.