Working with scans
The Tidelift API allows you to create a scan as a part of your continuous integration process so that you can block builds that are using packages that don't meet the standards of your organization. Using the Tidelift CLI can help you to avoid needing to write your own integration code to call our API and instead have a simple binary to call.
If you are using a catalog, a scan is a permanent snapshot of catalog alignment. Otherwise, scans identify issues as specified in your open source policy. In both cases, a scan can be used with CI/CD to block builds and generates a webpage with a recommended path forward.
You can start a scan of your project using the following steps. (Note: If you are using the GitHub integration, initiating scans from CLI is not available.)
- To initiate a catalog scan, you will need to have a project API key to authenticate to the API. (Note: User API Keys cannot be used for this command.)
- From your project's root directory, use
tidelift scan --dry-run. The --dry-run flag shows which supported package files we automatically identified. If these files do not look right, you can also specify the correct package files as arguments (eg.
tidelift scan --wait package.json package-lock.json)
- Start the scan by running
tidelift scan --wait, along with package files listed if necessary.
- When the scan completes, you will receive a Scan Details URL with more information about the status of the scan.
If you do not use the the
--wait flag, the command will start the scan but not wait until it completes. You can check the status of a scan later by using