Command Line Arguments

The following table lists the command line arguments:

Short	Argument Name	Parameter	Description	Requirement
	--project	<name>	The name of the project being scanned.	Optional
-s	--scan	<path>	The path to scan - this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. ‘directory/*/.jar’); if using an Ant style path it is highly recommended that you use single quotes around the path so that the shell itself does not automatically perform replacements (see issue #1812.	Required
	--exclude	<pattern>	The path patterns to exclude from the scan - this option can be specified multiple times. This accepts Ant style path patterns (e.g. /exclude/).	Optional
	--symLink	<depth>	The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed.	Optional
-o	--out	<path>	The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name.	Optional
-f	--format	<format>	The output format to write to (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be specified by specifying the parameter multiple times. The default is HTML.	Required
	--junitFailOnCVSS	<score>	If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. The default is 0.	Optional
	--prettyPrint		When specified the JSON and XML report formats will be pretty printed.	Optional
	--failOnCVSS	<score>	If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified.	Optional
-l	--log	<file>	The file path to write verbose logging information.	Optional
-n	--noupdate		Disables the automatic updating of the NVD-CVE, hosted-suppressions and RetireJS data.	Optional
	--suppression	<files>	The file paths to the suppression XML files; used to suppress false positives. This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)	Optional
-h	--help		Print the help message.	Optional
	--advancedHelp		Print the advanced help message.	Optional
-v	--version		Print the version information.	Optional
	--enableExperimental		Enable the experimental analyzers. If not set the analyzers marked as experimental below will not be loaded or used.	Optional
	--enableRetired		Enable the retired analyzers. If not set the analyzers marked as retired below will not be loaded or used.	Optional

Advanced Options

Short	Argument Name	Parameter	Description	Default Value
	--nvdApiKey	<apiKey>	The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key
	--nvdApiEndpoint	<endpoint>	The NVD API endpoint URL; setting this is uncommon.	https://services.nvd.nist.gov/rest/json/cves/2.0
	--nvdMaxRetryCount	<count>	The maximum number of retry requests for a single call to the NVD API.	10
	--nvdApiDelay	<milliseconds>	The number of milliseconds to wait between calls to the NVD API.	3500 with an NVD API Key or 8000 without an API Key
	--nvdDatafeed	<url>	The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz`
	--nvdUser	<username>	Credentials used for basic authentication for the NVD API Data feed.
	--nvdPassword	<password>	Credentials used for basic authentication for the NVD API Data feed.
	--nvdValidForHours	<hours>	The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.	4
	--hints	<file>	The file path to the XML hints file - used to resolve false negatives
-P	--propertyfile	<file>	Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties
	--updateonly		If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated.
	--disableKnownExploited		Sets whether the Known Exploited Vulnerability update and analyzer are enabled.
	--kevURL	<url>	URL to the CISA Known Exploited Vulnerabilities JSON data feed.	https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
	--disableFileName		Disables the File Name Analyzer; in generally, this should not be disabled.
	--disablePyDist		Sets whether the experimental Python Distribution Analyzer will be used.
	--disablePyPkg		Sets whether the experimental Python Package Analyzer will be used.
	--disableMSBuild		Sets whether the MS Build Project Analyzer will be used.
	--disableNodeJS		Sets whether the Node.js Package Analyzer will be used.
	--disableYarnAudit		Sets whether the yarn Audit Analyzer will be used. This analyzer requires an internet connection and that yarn is installed. Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.
	--yarn	<path>	The path to `yarn`.
	--disablePnpmAudit		Sets whether the pnpm Audit Analyzer will be used. This analyzer requires an internet connection and that pnpm is installed. Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.
	--pnpm	<path>	The path to `pnpm`.
	--disableNodeAudit		Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection.
	--disableNodeAuditCache		When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours.
	--nodeAuditSkipDevDependencies		Configures the Node Audit Analyzer to skip devDependencies.
	--nodePackageSkipDevDependencies		Configures the Node Package Analyzer to skip devDependencies.
	--disableRetireJS		Sets whether the RetireJS Analyzer will be used.
	--retireJsForceUpdate		Sets whether the RetireJS Analyzer will update regardless of the `noupdate` argument.	false
	--retireJsUrl	<url>	The URL to the Retire JS repository.	https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
	--retirejsFilter	<pattern>	The RetireJS Analyzers content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times.
	--retirejsFilterNonVulnerable		Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report.
	--retirejsUser	<username>	Credentials used for basic authentication for the RetireJS data.
	--retirejsPassword	<password>	Credentials used for basic authentication for the RetireJS data.
	--disableRubygems		Sets whether the experimental Ruby Gemspec Analyzer will be used.
	--disableBundleAudit		Sets whether the experimental Ruby Bundler Audit Analyzer will be used.
	--disableCocoapodsAnalyzer		Sets whether the experimental Cocoapods Analyzer will be used.
	--disableSwiftPackageManagerAnalyzer		Sets whether the experimental Swift Package Manager Analyzer will be used.
	--disableSwiftPackageResolvedAnalyzer		Sets whether the experimental Swift Package Resolved Analyzer will be used.
	--disableAutoconf		Sets whether the experimental Autoconf Analyzer will be used.
	--disableOpenSSL		Sets whether the OpenSSL Analyzer will be used.
	--disableCmake		Sets whether the experimental Cmake Analyzer will be disabled.
	--disableArchive		Sets whether the Archive Analyzer will be disabled.
	--zipExtensions	<strings>	A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
	--disableJar		Sets whether the Jar Analyzer will be disabled.
	--disableComposer		Sets whether the experimental PHP Composer Lock File Analyzer will be disabled.
	--disableCpan		Sets whether the experimental Perl CPAN File Analyzer will be disabled.
	--disableDart		Sets whether the experimental Dart Analyzer will be disabled.
	--disableOssIndex		Sets whether the OSS Index Analyzer will be disabled. This analyzer requires an internet connection.
	--disableOssIndexCache		When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours.
	--ossIndexUsername	<username>	The optional username to connect to Sonatype's OSS Index.
	--ossIndexPassword	<password>	The optional password to connect to Sonatype's OSS Index.
	--ossIndexRemoteErrorWarnOnly	<true\|false>	Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.
	--ossIndexUrl	<url>	Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used.	https://ossindex.sonatype.org
	--disableCentral		Sets whether the Central Analyzer will be used. Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly). If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer.
	--disableCentralCache		When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.
	--centralUrl		Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used.	https://search.maven.org/solrsearch/select
	--enableNexus		Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.
	--enableArtifactory		Sets whether Artifactory analyzer will be used
	--artifactoryUrl	<url>	The Artifactory server URL.
	--artifactoryUseProxy	<true\|false>	Whether Artifactory should be accessed through a proxy or not.	false
	--artifactoryParallelAnalysis	<true\|false>	Whether the Artifactory analyzer should be run in parallel or not	true
	--artifactoryUsername	<username>	The user name (only used with API token) to connect to Artifactory instance
	--artifactoryApiToken	<token>	The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId, artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken.
	--artifactoryBearerToken	<token>	The bearer token to connect to Artifactory instance
	--nexus	<url>	The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.
	--nexusUser	<username>	The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.
	--nexusPass	<password>	The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.
	--nexusUsesProxy	<true\|false>	Whether or not the defined proxy should be used when connecting to Nexus.	true
	--disableNuspec		Sets whether the .NET Nuget Nuspec Analyzer will be used.
	--disableNugetconf		Sets whether the experimental .NET Nuget packages.config Analyzer will be used.
	--disableAssembly		Sets whether the .NET Assembly Analyzer should be used.
	--dotnet	<path>	The path to dotnet core for .NET Assembly analysis on non-windows systems.
	--disableGolangDep		Sets whether the experimental Go Dependency Analyzer should be used.
	--disableGolangMod		Sets whether the experimental Go Mod Analyzer should be used.
	--disableMixAudit		Sets whether the experimental Elixir mix audit Analyze should be used.
	--disablePoetry		Sets whether the experimental Poetry Analyzer should be used.
	--go	<path>	The path to `go` executable for the Go Mode Analyzer; only necassary if `go` is not on the path.
	--bundleAudit		The path to the bundle-audit executable.
	--bundleAuditWorkingDirectory	<path>	The path to working directory that the bundle-audit command should be executed from when doing Gem bundle analysis.
	--proxyserver	<server>	The proxy server to use when downloading resources; see the proxy configuration page for more information.
	--proxyport	<port>	The proxy port to use when downloading resources.
	--nonProxyHosts	<list>	The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. Use pipe, comma or colon as list separator. Example: `something.com\|.something.com\|www.somethingelse.`
-c	--connectiontimeout	<timeout>	The connection timeout (in milliseconds) to use when downloading resources.	10000
	--readtimeout	<timeout>	The read timeout (in milliseconds) to use when downloading resources.	60000
	--proxypass	<pass>	The proxy password to use when downloading resources.
	--proxyuser	<user>	The proxy username to use when downloading resources.
	--connectionString	<connStr>	The connection string to the database. See using a database server.
	--dbDriverName	<driver>	The database driver name.
	--dbDriverPath	<path>	The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path.
	--dbPassword	<password>	The password for connecting to the database.
	--dbUser	<user>	The username used to connect to the database.
-d	--data	<path>	The location of the data directory used to store persistent data. This option should generally not be set.	/usr/local/var/dependencycheck if installed through brew (→ formula). Otherwise, the data directory is created inside the install directory i.e. as a sibbling to the `<install-dir>/bin`, `<install-dir>/lib` directories.
	--purge		Delete the local copy of the NVD. This is used to force a refresh of the data.
	--disableHostedSuppressions		Whether the usage of the hosted suppressions file will be disabled.	false
	--hostedSuppressionsForceUpdate		Whether the hosted suppressions file will update regardless of the `noupdate` argument.	false
	--hostedSuppressionsValidForHours	<hours>	The number of hours to wait before checking for new updates of the hosted suppressions file	2
	--hostedSuppressionsUrl	<url>	The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments	https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml