Analyze Command Reference

The analyze command builds a graph of the repository’s tech stack — including the cross-repo join keys that assemble an org-wide graph from independent single-repo scans — and reports metrics whose every number opens into the evidence that produced it.

See Analyze for what it does, and Authentication for the GitHub credentials it requires.

Usage

vulnetix analyze [path] [flags]

GitHub authentication is checked first

analyze verifies GitHub credentials before it scans anything, and stops if it cannot find any:

GitHub authentication: ok (chrislangton via gh CLI, 4,987/5,000 requests remaining)

Credentials are taken from GITHUB_TOKEN, then GH_TOKEN, then the gh CLI’s own store. Inside GitHub Actions the first of those is already set for you.

Pass --no-forge to skip it — the pull-request, review and issue metrics are then reported as not measured rather than zero. A repository whose remote is not GitHub skips the check automatically.

Flags

FlagDefaultDescription
--path.Directory to analyze. May also be given as the positional argument.
--window-days365How far back to walk history. Everything derived from history is relative to this, and the window is stamped on every metric that used it.
--max-commits20000Cap on commits walked. When it is hit, the report declares it rather than presenting a partial count as a whole one.
--complexity-threshold15Cyclomatic complexity at which a file counts as highly complex.
-o, --outputprettyTerminal output: pretty or json.
--output-file.vulnetix/analyze.report.jsonWhere to write the report.
--no-forgefalseSkip GitHub entirely.
--no-gitfalseSkip the history walk. Activity, contributor, ownership, coupling and trend metrics are then absent, not zero.
--no-filesfalseSkip the file, complexity and symbol passes.
--no-depsfalseSkip dependencies — and therefore the cross-repo package edges.
--no-trustfalseSkip the open-source policy checks.
--no-uploadfalseDo not submit the report. It is submitted automatically when you are authenticated to Vulnetix.

Examples

Analyze the current repository:

vulnetix analyze

In GitHub Actions, where GITHUB_TOKEN is already available:

permissions:
  contents: read
  pull-requests: read
  issues: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ github.token }}
      VULNETIX_ORG_ID: ${{ secrets.VULNETIX_ORG_ID }}
      VULNETIX_API_KEY: ${{ secrets.VULNETIX_API_KEY }}
    steps:
      - uses: actions/checkout@v5
      - name: Analyze
        run: vulnetix analyze

A faster pass over recent history only:

vulnetix analyze --window-days 90 --max-commits 500

Without any forge access — the graph, complexity, coupling, dependencies, policy and secrets still run:

vulnetix analyze --no-forge

Machine-readable output:

vulnetix analyze -o json | jq '.metrics[] | select(.family == "security")'

Exit codes

CodeMeaning
0The analysis completed.
1The analysis could not run — most often, no GitHub credentials and no --no-forge.

analyze does not fail on findings. A tool that fails your build by default is a tool that gets removed from your build.

The report

Written to .vulnetix/analyze.report.json and validated against the schema before it is written — a report we would reject on the way in is one we cannot produce on the way out.

Uploads go to /v2/cli.insights when authenticated, and are best-effort: a network failure does not fail the command, and the report on disk remains authoritative. The org graph in the console at /vdb-graph is assembled from those uploads.