Diver Instructions

Diver CLI

v0.2.1

Command-line interface for DepsDiver - analyze packages, repositories, users, and threat actors

Download v0.2.1

Verify Checksums

It is recommended to verify the checksum of the Diver binary to ensure the downloaded file has not been modified or tampered with.

Steps:

  1. Download the Diver binary for your platform and the corresponding checksum file.
  2. Ensure both files are in the same directory.
  3. Run the appropriate command for your operating system.

Using sha256sum:

sha256sum -c diver_0.2.1_checksums.txt --ignore-missing

If sha256sum is not available on macOS:

shasum -a 256 -c diver_0.2.1_checksums.txt --ignore-missing

PowerShell:

certutil -hashfile diver_v0.2.1_file.tar.gz SHA256

Compare the resulting hash with the corresponding entry in the checksum file.
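Because --ignore-missing skips checksum entries whose files are absent, it is worth confirming that the archive you downloaded was itself listed and checked. The following is an added example, not part of the Diver distribution: it checks one named archive and fails if the checksum file has no entry for it. It assumes the checksum file uses the "<sha256>  <filename>" layout that sha256sum -c reads; the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: strict checksum check for one downloaded archive.
# Assumes "<sha256>  <filename>" lines; file names with spaces are not handled.

sha256_of() {
  # Print only the hex digest, using whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

verify_archive() {
  # Usage: verify_archive <checksum-file> <archive>
  # Returns 0 = match, 1 = mismatch, 2 = archive not listed, 3 = unreadable.
  sums=$1
  archive=$2
  name=$(basename "$archive")
  # Find the expected digest for exactly this name ("*" marks binary mode).
  expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n)
      if (n == f) { print tolower($1); exit } }' "$sums")
  if [ -z "$expected" ]; then
    echo "$name: no entry in $sums, nothing was verified" >&2
    return 2
  fi
  if [ ! -r "$archive" ]; then
    echo "$archive: cannot read file" >&2
    return 3
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "$name: OK"
    return 0
  fi
  echo "$name: FAILED (expected $expected, got $actual)" >&2
  return 1
}

# Constructed sample input so the example runs offline: a stand-in "archive"
# and a checksum file that lists it (both names are hypothetical).
demo_dir=$(mktemp -d)
printf 'constructed archive bytes\n' > "$demo_dir/diver_sample.tar.gz"
printf '%s  diver_sample.tar.gz\n' \
  "$(sha256_of "$demo_dir/diver_sample.tar.gz")" > "$demo_dir/checksums.txt"
verify_archive "$demo_dir/checksums.txt" "$demo_dir/diver_sample.tar.gz"
```

To check a real download, call verify_archive with the checksum file and the archive you downloaded in place of the constructed sample.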

Install

Download the appropriate archive for your platform and extract the diver binary, substituting the name of the archive you downloaded:

tar -xvf diver_v0.2.0_Darwin_arm64.tar.gz

This will extract a diver executable into the current directory.

Getting Started

The following commands assume you are running diver from the directory where the binary was extracted.

Configure and Run Diver

Use command line flags to provide configuration directly when running diver:

./diver -u https://depsdiver.com/api -t <token>

Set environment variables once and run diver without repeating flags:

export DEPS_DIVER_API_TOKEN=<token>
export DEPS_DIVER_URL=https://depsdiver.com/api
./diver

Authentication to DepsDiver API

Currently diver supports API tokens, which can be generated in your DepsDiver account.

Generating DepsDiver Reports

DepsDiver supports generating reports for packages, repositories, users, and threat actors.

Package Reports

Single Package

Get a report for a single package:

./diver get go github.com/mailru/easyjson

The first argument after get (go in this example) is the system, which is one of: go, npm, pypi, or maven.

FOCI

Get FOCI data for a package:

./diver get fi npm:fast-glob

Package Data

Get detailed package metadata:

./diver get package npm:fast-glob

This command returns a repository ID, which can be used for repository-level reports.

Repository Reports

Commit Count

First, retrieve the repository ID from the package:

./diver get package npm:fast-glob

Then, get the commit count for the repository:

./diver get commit-count <REPO_ID>

OpenSSF Scorecard

Get the OpenSSF Scorecard for a repository:

./diver get scorecard <REPO_ID>

Releases

Get repository releases:

./diver get releases <REPO_ID>

Tags

Get repository tags:

./diver get tags <REPO_ID>

Threat Actor Reports

Get data for a threat actor by email or username:

./diver get threat-actor <email-or-username>

User Reports

Single User

First, retrieve the user ID from the threat-actor search:

./diver get threat-actor <email-or-username>

Then, get the user's data:

./diver get user <USER_ID>

Multiple Users from File

./diver get user file:file-of-user-ids.txt

Repository Users

Single Repository

./diver get users <REPO_ID>

Multiple Repositories from File

./diver get users file:file-of-repo-ids.txt

For more information, visit our DepsDiver product page
