CLI Reference
cve-lite [path] [options]
cve-lite advisories sync [options]
path defaults to the current directory if omitted.
Scan options
| Flag | Default | Description | Example |
|---|---|---|---|
| --prod-only | off | Exclude dev dependencies from the scan | cve-lite . --prod-only |
| --min-severity | medium | Only show findings at or above this severity (critical, high, medium, low) | cve-lite . --min-severity high |
| --all | off | Show all findings including low and unknown; appends a full table in compact mode | cve-lite . --all |
| --search-depth | 4 | How many directory levels deep to search for a lockfile | cve-lite . --search-depth 2 |
| --batch-size | 100 | Number of packages sent per OSV API request | cve-lite . --batch-size 50 |
Output options
| Flag | Default | Description | Example |
|---|---|---|---|
| --verbose | off | Full output: severity table, fix plan, findings table, coverage notes | cve-lite . --verbose |
| --json | off | Machine-readable JSON output (suppresses all other output) | cve-lite . --json |
| --report[=<path>] | off / ./cve-report | Generate an HTML report; optional path sets output directory (default ./cve-report); opens in browser by default; cannot be used with --json | cve-lite . --report or cve-lite . --report ./reports |
| --no-open | off | Generate the HTML report without opening it in the browser | cve-lite . --report --no-open |
Offline options
| Flag | Default | Description | Example |
|---|---|---|---|
| --offline | off | Use the local advisory DB only (no OSV API calls) | cve-lite . --offline |
| --offline-db=<path> | auto | Path to a specific advisory DB file | cve-lite . --offline-db ./advisories.db |
| --osv-url=<url> | OSV API | Use a custom OSV-compatible endpoint instead of the public API | cve-lite . --osv-url https://osv.example.com |
Sync the local advisory DB with:
cve-lite advisories sync
cve-lite advisories sync --output ./advisories.db # write to a specific path
See Offline Advisory DB for the full offline workflow.
CI / Automation options
| Flag | Default | Description | Example |
|---|---|---|---|
| --fail-on | critical | Exit with code 1 if any finding meets or exceeds this severity (critical, high, medium, low); exit 0 otherwise | cve-lite . --fail-on high |
| --fix | off | Auto-apply direct-dependency fix commands (direct deps only, v1); cannot be used with --json | cve-lite . --fix |
| --usage | off | Scan source files to detect which packages are actually imported | cve-lite . --usage |
| --only-used | off | Show only findings for packages that are imported in source code (implies --usage) | cve-lite . --only-used |
Note: --usage-hints is a deprecated alias for --usage.
See Workflow Integration for CI/CD patterns and GitHub Actions templates.
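The --fail-on exit code and the offline flags above combine into a CI gate; the following is an added example, not code from the cve-lite project. The names CVE_LITE_BIN, ADVISORY_DB, sync_advisories and ci_gate are hypothetical, and treating any exit status other than 0 or 1 as an incomplete scan is an assumption, since this reference documents only those two codes.

```bash
#!/usr/bin/env bash
# Added example (not cve-lite project code): offline CI gate built only from
# flags in this reference. CVE_LITE_BIN and ADVISORY_DB are hypothetical names.
CVE_LITE_BIN="${CVE_LITE_BIN:-cve-lite}"
ADVISORY_DB="${ADVISORY_DB:-./advisories.db}"

# Refresh the local advisory DB; run this in a job step that has network access.
sync_advisories() {
  "$CVE_LITE_BIN" advisories sync --output "$ADVISORY_DB"
}

# ci_gate <path> <severity>
# Returns 0 = pass, 1 = finding at/above severity, 2 = scan not trustworthy.
ci_gate() {
  local path threshold rc
  path="${1:-.}"; threshold="${2:-critical}"; rc=0

  # Reject typos up front so a bad threshold can never weaken the gate.
  case "$threshold" in
    critical|high|medium|low) ;;
    *) echo "invalid severity: $threshold" >&2; return 2 ;;
  esac

  # An offline scan is only as good as its DB; refuse a missing or empty one.
  if [ ! -s "$ADVISORY_DB" ]; then
    echo "advisory DB missing or empty: $ADVISORY_DB" >&2
    return 2
  fi

  # --min-severity matches --fail-on so the displayed findings line up with
  # the gating threshold; --prod-only excludes dev dependencies from the scan.
  "$CVE_LITE_BIN" "$path" --offline --offline-db "$ADVISORY_DB" --prod-only \
    --min-severity "$threshold" --fail-on "$threshold" || rc=$?

  # Assumption: any status other than 0 or 1 means the scan did not complete,
  # so it fails closed instead of being read as "no findings".
  case "$rc" in
    0) return 0 ;;
    1) echo "findings at or above $threshold" >&2; return 1 ;;
    *) echo "scanner exited with $rc; failing closed" >&2; return 2 ;;
  esac
}
```

Source the file, call sync_advisories in a networked step, then call ci_gate . high in the build step and use its return value as the job status.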
Cache options
| Flag | Default | Description | Example |
|---|---|---|---|
| --cache-dir=<path> | OS temp dir | Use a specific directory for the advisory response cache | cve-lite . --cache-dir ./.cache |