Documentation

CLI reference, usage examples, and integration guides.

Quick Start

Install

# From GitHub releases (recommended) $ curl -fsSL https://github.com/bentheautomator/supplyify/releases/latest/download/supplyify-$(uname -s | tr A-Z a-z)-$(uname -m | sed 's/aarch64/arm64/;s/x86_64/amd64/') \ -o /usr/local/bin/supplyify && chmod +x /usr/local/bin/supplyify # From source $ cargo install --git https://github.com/bentheautomator/supplyify

Commands

Command	Purpose
`supplyify scan <path>`	Scan a single project (all detection layers)
`supplyify sweep <dir>`	Find and scan all projects under a directory
`supplyify check <pkg@ver>`	Quick lookup — is this version known-bad?
`supplyify indicators`	Show indicator database stats
`supplyify update`	Pull latest indicators from remote feed

Flags

Flag	Effect
`--no-osv`	Skip OSV.dev online lookup (fully offline)
`--no-heuristics`	Skip Layer 2 heuristics
`-f json`	JSON output
`-f agent`	Pipe-delimited output for LLM consumption
`-o <file>`	Write output to file
`--parallel N`	Set worker count for sweep mode
`--check-update`	Check for newer supplyify version

Exit Codes

Code	Meaning
`0`	Clean — no findings
`1`	Critical or high severity findings
`2`	Medium or low findings only
`3`	Scan error

CI/CD Integration

Use exit codes to fail builds on supply chain threats:

# GitHub Actions example - name: Supply chain check run: supplyify scan . || exit 1

Custom Indicators

Create ~/.config/supplyify/indicators.toml:

[meta] version = "2026-04-01" sources = ["custom"] [[malicious_version]] ecosystem = "npm" package = "suspicious-pkg" version = "1.0.0" severity = "critical" description = "Known malicious package" date = "2026-04-01"

Detection Layers

Layer	What	Speed	Network
1a: Indicators	Known malicious versions, packages, C2 infrastructure	~3ms	No
1b: OSV.dev	Google's open vulnerability database (80K+ advisories)	~500ms	Yes
2: Heuristics	Postinstall script analysis, version anomalies	~100ms	No