
Getting Started with OtterSight CLI — Your First Dependency Scan in 30 Seconds

Install the OtterSight CLI, scan your project for vulnerabilities, and get a security report with SBOM, CVE, EPSS, and KEV data.

Tags: CLI, tutorial, getting-started, SBOM, scanning

The OtterSight CLI runs a full software composition analysis (SCA) scan on any project in under a minute. This tutorial walks you from zero to your first vulnerability report.

Prerequisites

  • Node.js 18+ (for npx @ottersight/cli)
  • Docker (the CLI uses Syft and Grype as container images for scanning)

Check your versions:

node --version   # should be >= 18
docker --version # any recent version

If you don’t have Docker, install Docker Desktop (Mac/Windows) or Docker Engine (Linux).

Your First Scan

Navigate to any project directory and run:

npx @ottersight/cli scan .

That’s it. No account required, no signup, no API key. The first run pulls the Syft and Grype container images (a few hundred MB — subsequent runs are fast), then scans your project.

You’ll see a live progress display as the scan runs:

Generating SBOM with Syft...     [████████████████████] done
Scanning for vulnerabilities...  [████████████████████] done
Enriching with EUVD + KEV...    [████████████████████] done

Reading the Output

The terminal output shows a color-coded vulnerability table:

VULNERABILITY REPORT — my-project
─────────────────────────────────────────────────────
Package              Version  CVE              Severity  EPSS    KEV
─────────────────────────────────────────────────────
lodash               4.17.20  CVE-2021-23337   HIGH      0.23%   No
minimist             1.2.5    CVE-2021-44906   CRITICAL  0.41%   No
axios                0.21.1   CVE-2021-3749    HIGH      0.18%   No
─────────────────────────────────────────────────────
3 vulnerabilities (1 critical, 2 high)

Column guide:

  • Package: The affected dependency
  • Version: The version you have installed
  • CVE: The vulnerability identifier
  • Severity: CRITICAL / HIGH / MEDIUM / LOW based on CVSS score
  • EPSS: Probability of exploitation in the next 30 days (lower is better)
  • KEV: Whether CISA has listed this as a Known Exploited Vulnerability

If a vulnerability has EUVD data from the EU Vulnerability Database, you’ll see an [EU] badge next to the CVE identifier — especially relevant for organizations subject to NIS2 compliance.

What Happens Under the Hood

When you run npx @ottersight/cli scan ., three things happen in sequence:

1. SBOM Generation (Syft)

Syft analyzes your project files — package-lock.json, Cargo.lock, go.sum, requirements.txt, and 20+ other manifest formats — and produces a CycloneDX SBOM listing every component and its version.

2. CVE Scanning (Grype)

Grype takes the SBOM and matches each component against multiple vulnerability databases: NVD, GitHub Security Advisories (GHSA), and OSV. This produces a list of CVE identifiers with base CVSS scores.

3. Enrichment (EUVD + KEV + EPSS)

OtterSight enriches each CVE with:

  • EUVD data: checks the ENISA EU Vulnerability Database for European context
  • KEV flag: checks CISA’s Known Exploited Vulnerabilities catalog
  • EPSS score: fetches the current exploitation probability from FIRST.org

This enrichment step is what makes the output actionable, not just a raw list of CVE numbers.
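To make the enrichment step concrete, here is an added example (not OtterSight's own code) that re-creates it in Python: Grype-style findings are bucketed into a severity from their CVSS score, joined against a CISA KEV catalog excerpt and a FIRST.org EPSS response, then ranked KEV first, severity second, EPSS third. Every input is a constructed sample embedded inline; the KEV and EPSS dicts only mirror the shape of the public feeds (KEV lists entries under `vulnerabilities` with a `cveID`; EPSS returns `data` with `cve` and a string `epss`), and the CVSS and EPSS numbers are illustrative values, not live data.

```python
"""Re-creation of the SBOM -> CVE -> enrichment pipeline's last step.

Added example, not OtterSight's code. All inputs are constructed samples.
"""
from __future__ import annotations

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative rating scale."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


# Constructed sample of Grype matches (CVSS values are illustrative).
GRYPE_FINDINGS = [
    {"package": "lodash", "version": "4.17.20", "cve": "CVE-2021-23337", "cvss": 7.2},
    {"package": "minimist", "version": "1.2.5", "cve": "CVE-2021-44906", "cvss": 9.8},
    {"package": "axios", "version": "0.21.1", "cve": "CVE-2021-3749", "cvss": 7.5},
    # Extra constructed finding so the KEV branch is exercised.
    {"package": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228", "cvss": 10.0},
]

# Constructed excerpt of the CISA KEV catalog JSON (the real feed has more fields).
KEV_CATALOG = {"vulnerabilities": [{"cveID": "CVE-2021-44228"}]}

# Constructed snapshot of a FIRST.org EPSS response; scores arrive as strings.
EPSS_RESPONSE = {"data": [
    {"cve": "CVE-2021-23337", "epss": "0.00230"},
    {"cve": "CVE-2021-44906", "epss": "0.00410"},
    {"cve": "CVE-2021-3749", "epss": "0.00180"},
    {"cve": "CVE-2021-44228", "epss": "0.97000"},
]}


def enrich(findings: list[dict], kev_catalog: dict, epss_response: dict) -> list[dict]:
    """Attach severity, EPSS probability and KEV flag to each finding."""
    kev_ids = {entry["cveID"] for entry in kev_catalog["vulnerabilities"]}
    epss = {row["cve"]: float(row["epss"]) for row in epss_response["data"]}
    enriched = []
    for f in findings:
        enriched.append({
            **f,
            "severity": severity_from_cvss(f["cvss"]),
            "epss": epss.get(f["cve"], 0.0),  # no score yet -> treat as 0.0
            "kev": f["cve"] in kev_ids,
        })
    return enriched


def prioritize(rows: list[dict]) -> list[dict]:
    """Triage order: anything in KEV first, then severity, then EPSS."""
    return sorted(
        rows,
        key=lambda r: (r["kev"], SEVERITY_RANK[r["severity"]], r["epss"]),
        reverse=True,
    )


def summarize(rows: list[dict]) -> tuple[int, int, int]:
    """Return (total, critical, high) like the report footer line."""
    critical = sum(1 for r in rows if r["severity"] == "CRITICAL")
    high = sum(1 for r in rows if r["severity"] == "HIGH")
    return len(rows), critical, high


def render_table(rows: list[dict]) -> str:
    """Plain-text table in the same column order as the CLI output."""
    lines = [f"{'Package':20} {'Version':8} {'CVE':16} {'Severity':9} {'EPSS':>6}  KEV"]
    for r in rows:
        kev = "Yes" if r["kev"] else "No"
        lines.append(
            f"{r['package']:20} {r['version']:8} {r['cve']:16} "
            f"{r['severity']:9} {r['epss']:>6.2%}  {kev}"
        )
    total, critical, high = summarize(rows)
    lines.append(f"{total} vulnerabilities ({critical} critical, {high} high)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(prioritize(enrich(GRYPE_FINDINGS, KEV_CATALOG, EPSS_RESPONSE))))
```

The sort key is the part worth copying: a KEV entry with a modest CVSS still outranks a CRITICAL that nobody is exploiting, which is exactly why the raw Grype list alone is not enough to decide what to patch first.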

Exporting Reports

Markdown Export

Generate a markdown report for your documentation or pull request:

npx @ottersight/cli scan . --format markdown > security-report.md

The markdown output includes the same vulnerability table in a format that renders cleanly on GitHub, GitLab, and in any markdown viewer.

JSON Export

For integration with other tools or CI pipelines:

npx @ottersight/cli scan . --format json > scan-results.json

The JSON output includes the full SBOM, all vulnerability data, EPSS scores, KEV flags, and EUVD records. It follows a consistent schema that you can parse or feed into your own tooling.

Using OtterSight in CI/CD

Add a scan step to your GitHub Actions workflow:

name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Run OtterSight scan
        run: npx @ottersight/cli scan . --format json > scan-results.json
      - name: Upload scan results
        uses: actions/upload-artifact@v4
        with:
          name: security-scan
          path: scan-results.json

For a harder gate that fails the build on critical vulnerabilities, add --fail-on critical (coming in a future release).
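Until --fail-on ships, a build gate can be written against the JSON export. The script below is an added example, not part of the OtterSight CLI, and the report schema it reads is an assumption made for illustration: a top-level `vulnerabilities` list whose items carry `package`, `version`, `cve`, `severity`, `epss` and a boolean `kev`. Check the field names against a real scan-results.json before relying on it. The embedded sample report is constructed to mirror the table earlier in this post.

```python
"""CI gate over an OtterSight-style JSON report.

Added example, not OtterSight's code. The schema below is an ASSUMPTION:
{"vulnerabilities": [{"package", "version", "cve", "severity", "epss", "kev"}, ...]}
"""
from __future__ import annotations

import argparse
import json
import sys

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report (same rows as the tutorial's table).
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"package": "lodash", "version": "4.17.20", "cve": "CVE-2021-23337",
         "severity": "HIGH", "epss": 0.0023, "kev": False},
        {"package": "minimist", "version": "1.2.5", "cve": "CVE-2021-44906",
         "severity": "CRITICAL", "epss": 0.0041, "kev": False},
        {"package": "axios", "version": "0.21.1", "cve": "CVE-2021-3749",
         "severity": "HIGH", "epss": 0.0018, "kev": False},
    ]
}


def gate(report: dict, fail_on: str = "critical", fail_on_kev: bool = True) -> tuple[int, list[str]]:
    """Return (exit_code, reasons).

    exit_code is 1 when any finding is at or above the fail_on severity, or
    (if fail_on_kev) appears in CISA KEV regardless of severity; else 0.
    """
    level = fail_on.upper()
    if level not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {fail_on!r}; use one of {sorted(SEVERITY_RANK)}")
    threshold = SEVERITY_RANK[level]
    reasons: list[str] = []
    for v in report.get("vulnerabilities", []):
        ident = f"{v.get('package')}@{v.get('version')} {v.get('cve')}"
        sev = str(v.get("severity", "")).upper()
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            reasons.append(f"{ident} is {sev} (>= {level})")
        if fail_on_kev and bool(v.get("kev")):
            reasons.append(f"{ident} is listed in CISA KEV")
    return (1 if reasons else 0), reasons


def load_report(path: str) -> dict:
    """Read the JSON file written by `scan . --format json > scan-results.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv: list[str] | None = None) -> int:
    parser = argparse.ArgumentParser(description="Fail the build on severe or KEV findings.")
    parser.add_argument("report", help="path to scan-results.json")
    parser.add_argument("--fail-on", default="critical", help="critical|high|medium|low")
    parser.add_argument("--ignore-kev", action="store_true", help="do not fail on KEV alone")
    args = parser.parse_args(argv)
    code, reasons = gate(load_report(args.report), args.fail_on, not args.ignore_kev)
    for r in reasons:
        print(f"BLOCKING: {r}", file=sys.stderr)
    print("gate: FAIL" if code else "gate: PASS")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

In the workflow above this would be one more step after the scan, for example `run: python gate.py scan-results.json --fail-on high`; a non-zero exit fails the job. Failing on KEV independently of severity is deliberate: a MEDIUM that is actively exploited is a better reason to block a merge than a CRITICAL nobody has weaponised.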

Docker Usage

If you prefer to run the CLI without installing Node.js:

docker run --rm \
  -v "$(pwd)":/project \
  -v /var/run/docker.sock:/var/run/docker.sock \
  ghcr.io/ottersight/cli:latest scan /project

Note: the Docker socket mount is required because the CLI itself launches Syft and Grype as containers internally. Keep in mind that any process with access to the Docker socket can control the host's Docker daemon, which is effectively root on that host, so use this mount only with images you trust and avoid it on shared CI runners.

What’s Next: OtterSight Cloud

The CLI gives you on-demand scanning — great for local development and CI pipelines. But there are things it can’t do well:

  • Scheduled scans: automatically scan your repos every night and alert you to new vulnerabilities
  • Dashboard: see your security posture across all repos in one view
  • Historical tracking: watch your vulnerability count change over time
  • Team notifications: route alerts to Slack, Discord, PagerDuty, email, and 300+ other channels
  • SBOM storage: keep an audit trail of SBOMs for CRA compliance

That’s what OtterSight Cloud is for. It runs the same @ottersight/cli scan engine, adds scheduling and a dashboard on top, and stores everything securely on EU servers (Hetzner Germany) for GDPR compliance.

Join the Waitlist

OtterSight Cloud is launching soon. Become a Founding Member — €5/mo locked forever, 15 repos, 100 spots only.

ottersight.com/founding

In the meantime, the CLI is live on npm:

npm install -g @ottersight/cli
ottersight scan .

Questions or issues? Open a GitHub issue — we respond fast.