CLI Reference
cve-lite [path] [options]
cve-lite overrides [path] [options]
cve-lite advisories sync [options]
cve-lite config <set|unset|show> [key] [value]
cve-lite install-skill
path defaults to the current directory if omitted.
Scan options
| Flag | Default | Description | Example |
|---|---|---|---|
--prod-only | off | Exclude dev dependencies from the scan | cve-lite . --prod-only |
--min-severity | medium | Only show findings at or above this severity (critical, high, medium, low) | cve-lite . --min-severity high |
--all | off | Show all findings including low and unknown; appends a full table in compact mode | cve-lite . --all |
--search-depth | 4 | How many directory levels deep to search for a lockfile | cve-lite . --search-depth 2 |
--batch-size | 100 | Number of packages sent per OSV API request | cve-lite . --batch-size 50 |
Output options
| Flag | Default | Description | Example |
|---|---|---|---|
--verbose | off | Full output: severity table, fix plan, findings table, coverage notes | cve-lite . --verbose |
--json | off | Machine-readable JSON output (suppresses all other output) | cve-lite . --json |
--sarif | off | Write SARIF 2.1.0 output to a timestamped .sarif file; can be combined with --json and --report | cve-lite . --sarif |
--cdx | off | Write CycloneDX 1.4 SBOM to a timestamped .cdx.json file; can be combined with --json and --sarif; cannot be combined with --report | cve-lite . --cdx |
--report[=<path>] | off / ./cve-report | Generate an HTML report; optional path sets output directory (default ./cve-report); opens in browser by default; cannot be used with --json | cve-lite . --reportcve-lite . --report ./reports |
--no-open | off | Generate the HTML report without opening it in the browser | cve-lite . --report --no-open |
Offline options
| Flag | Default | Description | Example |
|---|---|---|---|
--offline | off | Use the local advisory DB only — no OSV API calls | cve-lite . --offline |
--offline-db=<path> | auto | Path to a specific advisory DB file | cve-lite . --offline-db ./advisories.db |
Sync the local advisory DB with:
cve-lite advisories sync
cve-lite advisories sync --output ./advisories.db # write to a specific path
See Offline Advisory DB for the full offline workflow.
Network / SSL options
| Flag | Default | Description | Example |
|---|---|---|---|
--ca-cert=<path> | - | Path to a PEM CA certificate file for corporate SSL inspection proxies | cve-lite . --ca-cert ~/corp-ca.crt |
--osv-url=<url> | OSV API | Use a custom OSV-compatible endpoint instead of the public API (HTTPS only, public IPs only by default) | cve-lite . --osv-url https://osv.example.com |
--allow-private-osv-url | off | Allow --osv-url to resolve to private/reserved IPs (RFC 1918, loopback, link-local) for internal mirrors | cve-lite . --osv-url https://internal-mirror.local/osv --allow-private-osv-url |
Security note: The --osv-url flag enforces HTTPS and blocks private/reserved IP ranges by default to prevent SSRF attacks. Use --allow-private-osv-url only when connecting to trusted internal mirrors.
For networks with SSL inspection, save the certificate path once so you do not need to pass the flag on every scan:
cve-lite config set ca-cert /path/to/corporate-ca.crt
See Corporate SSL Proxy for the full setup workflow.
CI / Automation options
| Flag | Default | Description | Example |
|---|---|---|---|
--fail-on | critical | Exit with code 1 if any finding meets or exceeds this severity (critical, high, medium, low); exit 0 otherwise | cve-lite . --fail-on high |
--fix | off | Auto-apply direct-dependency fix commands (direct deps only, v1); cannot be used with --json | cve-lite . --fix |
--check-overrides | off | Audit overrides and resolutions entries as part of the scan (OA001-OA008); results appear in the scan output | cve-lite . --check-overrides |
--usage | off | Scan source files to detect which packages are actually imported | cve-lite . --usage |
--only-used | off | Show only findings for packages that are imported in source code (implies --usage) | cve-lite . --only-used |
Note: --usage-hints is a deprecated alias for --usage.
See Workflow Integration for CI/CD patterns and GitHub Actions templates.
Override hygiene options
--check-overrides adds override auditing to a regular scan. For a dedicated override-only run, use the overrides subcommand:
cve-lite overrides [path] [options]
path defaults to the current directory if omitted.
| Flag | Default | Description | Example |
|---|---|---|---|
--check-network | off | Enable network checks for OA007 (frozen latest) | cve-lite overrides . --check-network |
--fix | off | Auto-fix override issues where possible | cve-lite overrides . --fix |
--json | off | Machine-readable JSON output | cve-lite overrides . --json |
--rule=<id> | all | Run only a specific rule (e.g. OA001, OA007) | cve-lite overrides . --rule=OA007 |
--fail-on | off | Exit with code 1 if any override finding is at or above this severity | cve-lite overrides . --fail-on high |
--audit-log=<path> | - | Write a JSONL audit log of all findings to the specified path | cve-lite overrides . --audit-log ./overrides.jsonl |
See the Override Hygiene Auditing guide for the full rule reference (OA001-OA008), per-rule examples, and CI patterns.
Cache options
| Flag | Default | Description | Example |
|---|---|---|---|
--cache-dir=<path> | ~/.cache/cve-lite | Use a specific directory for the advisory response cache | cve-lite . --cache-dir ./.cache |
--no-cache | — | Skip the query cache and fetch fresh results from OSV for this scan | cve-lite . --no-cache |
To clear the cache manually, delete ~/.cache/cve-lite/osv-vulns.json. The next scan will re-fetch advisories from OSV.
Query cache entries expire after 30 minutes. Use --no-cache to force a fresh query immediately without waiting for the TTL. See the Caching guide for full details including false negative and false positive risk.
Other commands
config
cve-lite config set ca-cert <path> # Save a CA certificate path
cve-lite config unset ca-cert # Remove the saved CA certificate path
cve-lite config show # Print current config and config file location
Manages persistent CLI configuration stored in ~/.cve-lite-cli/config.json. Currently supports one key:
| Key | Description |
|---|---|
ca-cert | Path to a PEM CA certificate for corporate SSL inspection proxies |
The file must be a valid PEM certificate (starting with -----BEGIN CERTIFICATE-----). CVE Lite CLI validates the file exists and is readable before saving.
See Corporate SSL Proxy for the full workflow.
install-skill
cve-lite install-skill
Writes AI assistant skill files into the current project directory for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot. Commit the generated files to share them with your team.
See the AI Assistant Integration guide for the full workflow.