Command Line Options

Complete reference for all PySentry command line options.

General Options

| Option | Description | Default |
|--------|-------------|---------|
| [PATH] | Path to project directory | Current directory |
| --format | Output format: human, json, sarif, markdown | human |
| -o, --output | Output file path | stdout |
| -v, --verbose | Increase verbosity: -v (warn), -vv (info), -vvv (debug), -vvvv (trace) | error level |
| -q, --quiet | Suppress all output | false |
| --color | Color output: auto, always, never. auto respects NO_COLOR, FORCE_COLOR, CI, and terminal detection | auto |
| --config | Custom configuration file path | Auto-discovered |
| --no-config | Disable configuration file loading | false |
| --include-withdrawn | Include withdrawn vulnerabilities | false |
| --help | Display help information | - |
| --version | Display version information | - |

Filtering Options

| Option | Description | Default |
|--------|-------------|---------|
| --severity | Deprecated (will be removed in v0.5). Minimum severity to display in report | low |
| --fail-on | Fail (exit non-zero) on vulnerabilities >= severity | medium |
| --sources | Vulnerability sources: pypa, pypi, osv (multiple) | pypa,pypi,osv |
| --exclude-extra | Exclude extra dependencies (dev, optional, etc) | false |
| --direct-only | Check only direct dependencies | false |
| --detailed | Show full vulnerability descriptions (summary + full text) | false |
| --compact | Compact output: summary line + one-liner per vulnerability, no descriptions or fix suggestions | false |
| --display | Output display style: text or table. Applies to compact mode only | table |
| --no-fail-on-unknown | Don't fail on vulnerabilities with unknown severity | false |

::: note
--compact and --detailed are mutually exclusive. Using both together will cause an error.
:::

::: note
--severity is a post-hoc display filter only. It never affects which vulnerabilities are evaluated against --fail-on. For example, with --severity high --fail-on medium, medium+ vulnerabilities are still evaluated for exit-code purposes, but only high+ are shown in the report. Use --fail-on to control exit behavior; --severity will be removed in v0.5.
:::
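
The split between display filtering and exit-code gating described in the note, as an added Python model (not PySentry's own code). The function names, the Finding type and the sample IDs are hypothetical, and showing unknown-severity findings regardless of --severity is an assumption.

```python
# Added illustration: models the documented --severity / --fail-on split.
# Not PySentry source code; every name below is hypothetical.
from dataclasses import dataclass

# Severity levels named on this page, lowest to highest.
ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass(frozen=True)
class Finding:
    vuln_id: str   # constructed placeholder IDs, not real advisories
    severity: str  # a key of ORDER, or "unknown"

def displayed(findings, severity="low"):
    """--severity: display filter. Assumption: unknown severity is always shown."""
    floor = ORDER[severity]
    return [f for f in findings
            if f.severity not in ORDER or ORDER[f.severity] >= floor]

def gating(findings, fail_on="medium", no_fail_on_unknown=False):
    """--fail-on: findings that make the run exit non-zero."""
    floor = ORDER[fail_on]
    hits = []
    for f in findings:
        if f.severity in ORDER:
            if ORDER[f.severity] >= floor:
                hits.append(f)
        elif not no_fail_on_unknown:  # unknown severity fails unless opted out
            hits.append(f)
    return hits

def hidden_blockers(findings, severity, fail_on, no_fail_on_unknown=False):
    """Findings that fail the build yet are filtered out of the report."""
    shown = set(displayed(findings, severity))
    return [f for f in gating(findings, fail_on, no_fail_on_unknown)
            if f not in shown]

# Constructed sample findings.
SAMPLE = [
    Finding("EXAMPLE-0001", "low"),
    Finding("EXAMPLE-0002", "medium"),
    Finding("EXAMPLE-0003", "high"),
    Finding("EXAMPLE-0004", "unknown"),
]

if __name__ == "__main__":
    for f in hidden_blockers(SAMPLE, severity="high", fail_on="medium"):
        print(f"fails the build but is not shown: {f.vuln_id} ({f.severity})")
```

A non-empty result from hidden_blockers is the case to watch for in CI: the job fails on a finding the report does not list.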

Ignore Options

| Option | Description | Default |
|--------|-------------|---------|
| --ignore | Vulnerability IDs to ignore (repeatable) | [] |
| --ignore-while-no-fix | Ignore vulnerabilities only while no fix is available | [] |

Cache Options

| Option | Description | Default |
|--------|-------------|---------|
| --no-cache | Disable all caching | false |
| --cache-dir | Custom cache directory | Platform-specific |
| --resolution-cache-ttl | Resolution cache TTL in hours | 24 |
| --no-resolution-cache | Disable resolution caching only | false |
| --clear-resolution-cache | Clear resolution cache on startup | false |

Resolver Options

| Option | Description | Default |
|--------|-------------|---------|
| --resolver | Dependency resolver: uv, pip-tools | uv |
| --requirements-files | Specific requirements files to audit (disables auto-discovery, repeatable) | [] |

Maintenance Options

| Option | Description | Default |
|--------|-------------|---------|
| --no-maintenance-check | Disable PEP 792 project status checks | false |
| --forbid-archived | Fail on archived packages | false |
| --forbid-deprecated | Fail on deprecated packages | false |
| --forbid-quarantined | Fail on quarantined packages (malware/compromised) | true |
| --forbid-unmaintained | Fail on any unmaintained packages | false |
| --maintenance-direct-only | Only check direct dependencies for maintenance status | false |

CI Options

| Option | Description | Default |
|--------|-------------|---------|
| --no-ci-detect | Disable automatic CI environment detection | false |

Subcommands

Config Subcommand

pysentry config <COMMAND>

| Command | Description |
|---------|-------------|
| init | Generate a configuration file |
| show | Display current configuration |
| validate | Validate configuration file |
| path | Show configuration file path |

Config Init Options

pysentry config init [OPTIONS]

| Option | Description |
|--------|-------------|
| -o, --output | Output file path (default: stdout) |
| --force | Overwrite existing configuration file |
| --minimal | Generate minimal configuration with only essential options |

Resolvers Subcommand

Check available dependency resolvers:

pysentry resolvers

Shows which resolvers (uv, pip-tools) are installed and available for requirements resolution.

Check-Version Subcommand

Check for newer PySentry versions:

pysentry check-version

Compares installed version with the latest available release.

Usage Examples

Basic Scanning

# Scan current directory
pysentry

# Scan specific project
pysentry /path/to/project

# Scan with JSON output
pysentry --format json --output results.json

Filtering

# Only fail on critical vulnerabilities
pysentry --fail-on critical

# Use specific vulnerability sources
pysentry --sources pypa --sources osv

Ignoring Vulnerabilities

# Ignore specific vulnerabilities
pysentry --ignore CVE-2023-12345 --ignore GHSA-xxxx-yyyy-zzzz

# Ignore vulnerabilities without fixes
pysentry --ignore-while-no-fix CVE-2025-8869

Cache Control

# Disable all caching
pysentry --no-cache

# Clear resolution cache before scanning
pysentry --clear-resolution-cache

# Use custom cache directory
pysentry --cache-dir /tmp/pysentry-cache

Requirements.txt

# Specify requirements files explicitly (disables auto-discovery)
pysentry --requirements-files requirements-dev.txt requirements-test.txt

# Force specific resolver
pysentry --resolver uv

Output Detail

# Default output: summary + one-liner per vulnerability + fix suggestions
pysentry

# Compact output with table layout (default)
pysentry --compact

# Compact output with traditional text layout
pysentry --compact --display text

# Detailed output: full vulnerability descriptions included
pysentry --detailed

Color Control

# Auto-detect colors from terminal (default)
pysentry --color auto

# Force colors even when piping to a file or CI
pysentry --color always

# Disable colors entirely (same effect as NO_COLOR=1)
pysentry --color never

Maintenance Checks

# Fail on quarantined packages only
pysentry --forbid-quarantined

# Fail on any unmaintained package
pysentry --forbid-unmaintained

# Check only direct dependencies
pysentry --forbid-unmaintained --maintenance-direct-only

CI/CD

# PySentry auto-detects GitHub Actions and emits native annotations
# No extra flags needed — just run pysentry

# Disable CI detection (run as if locally)
pysentry --no-ci-detect

# Don't fail on unknown severity vulnerabilities
pysentry --no-fail-on-unknown

Debugging

# Verbose output (warnings)
pysentry -v

# More verbose (info level)
pysentry -vv

# Debug output
pysentry -vvv

# Maximum verbosity (trace)
pysentry -vvvv