# Commands

Complete reference for all sus CLI commands.
## sus init

Initialize sus in your project with an optional AGENTS.md docs index.

```bash
sus init
```

Flags:

| Flag | Description |
|---|---|
| `-y` | Skip prompts and use defaults |

Examples:

```bash
# Interactive initialization
sus init

# Non-interactive with defaults
sus init -y
```

Output:

```text
$ sus init
🔧 initializing sus...
Enable AGENTS.md docs index for AI coding agents? (Y/n) Y
✓ created sus.json
✓ created .sus-docs/
✓ updated AGENTS.md with sus docs index
📚 AGENTS.md docs index enabled. When you run sus add <package>,
package documentation will be saved to .sus-docs/ and indexed in AGENTS.md.
✓ sus initialized successfully!
```

Behavior:

- Prompts for configuration options (unless `-y` is used)
- Creates `sus.json` with project settings
- Creates the `.sus-docs/` directory (if the docs index is enabled)
- Creates or updates `AGENTS.md` with the sus docs index (if enabled)
## sus add

Install packages with security checks before installation.

```bash
sus add <packages...>
```

Arguments:

- `packages` - One or more package specs (e.g., `lodash`, `express@4.18.0`, `@types/node`)

Flags:

| Flag | Description |
|---|---|
| `--yolo` | Skip all safety checks and install anyway (dangerous) |
| `--strict` | Block installation if any warnings are found |

Examples:

```bash
# Install a single package (JavaScript)
sus add express

# Install a specific version (JavaScript)
sus add lodash@4.17.21

# Install multiple packages (JavaScript)
sus add express cors helmet

# Install scoped packages (JavaScript)
sus add @types/node @prisma/client

# Install Python packages
sus add requests
sus add django==4.2.0
sus add flask sqlalchemy pytest

# Force install despite warnings (not recommended)
sus add sketchy-package --yolo

# Block on any warning
sus add untrusted-pkg --strict
```

Behavior:

- Parses package specs and resolves versions
- Queries the sus API for a security assessment
- Displays the risk level with details (publisher, downloads, CVEs, threats)
- For Clean packages: installs automatically
- For Warning packages: prompts for confirmation (unless `--strict`)
- For Critical packages: blocks installation (unless `--yolo`)
- Installs via your detected package manager (npm/yarn/pnpm/bun for JavaScript, pip/poetry/pipenv/uv for Python)
- Saves documentation to `.sus-docs/` and updates the `AGENTS.md` index
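The spec parsing and install gate described above, written out as an added example (this is not sus's own code). It assumes the ecosystem has already been detected from the project, the way sus detects the package manager, and the scoped-and-pinned form `@types/node@20.0.0` is a constructed case not shown on this page:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PackageSpec:
    ecosystem: str          # "npm" or "pypi", from the detected package manager
    name: str
    version: Optional[str]  # None means "resolve to latest"

def parse_spec(spec: str, ecosystem: str) -> PackageSpec:
    """Parse one `sus add` argument. npm specs use "@" as the version
    separator, but a leading "@" is a scope (@types/node), so the scope is
    stripped before looking for the separator. pip specs pin with "==".
    The scoped-and-pinned form (@types/node@20.0.0) is a constructed case."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty package spec")
    if ecosystem == "pypi":
        name, sep, version = spec.partition("==")
        if not name or "@" in name or (sep and not version):
            raise ValueError(f"malformed pip spec: {spec!r}")
        return PackageSpec("pypi", name, version or None)
    if ecosystem != "npm":
        raise ValueError(f"unsupported ecosystem: {ecosystem!r}")
    scoped = spec.startswith("@")
    name, sep, version = (spec[1:] if scoped else spec).partition("@")
    if scoped:
        name = "@" + name
    # "lodash@" (empty version) and "a@b/c" (slash in version) are rejected
    if not name or name == "@" or (sep and not version) or "/" in version:
        raise ValueError(f"malformed npm spec: {spec!r}")
    return PackageSpec("npm", name, version or None)

def install_decision(risk: str, *, strict: bool = False, yolo: bool = False) -> str:
    """Apply the gate listed under Behavior: returns "install", "prompt"
    or "block". --yolo skips every check; --strict turns a prompt into a block."""
    if yolo:
        return "install"
    if risk == "clean":
        return "install"
    if risk == "warning":
        return "block" if strict else "prompt"
    if risk == "critical":
        return "block"
    raise ValueError(f"unknown risk level: {risk!r}")
```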
## sus remove

Uninstall packages from your project.

```bash
sus remove <packages...>
```

Arguments:

- `packages` - One or more package names to remove

Examples:

```bash
# Remove a single package
sus remove lodash

# Remove multiple packages
sus remove express cors helmet
```

Behavior:

- Detects your package manager
- Runs the appropriate uninstall command
- Removes documentation from `.sus-docs/` and updates the `AGENTS.md` index
## sus scan

Audit all dependencies in your project for security issues.

```bash
sus scan
```

Flags:

| Flag | Description |
|---|---|
| `--json` | Output results as JSON instead of human-readable format |

Examples:

```bash
# Scan current project
sus scan

# Output as JSON (for CI/CD)
sus scan --json
```

Output:

```text
$ sus scan
🔍 scanning 127 packages...
📦 lodash@4.17.20
⚠️ kinda sus
└─ CVE-2021-23337: prototype pollution (medium)
📦 event-stream@3.3.6
🚨 MEGA SUS
└─ malware: flatmap-stream injection
───────────────────────────────
summary: 125 clean, 1 warning, 1 critical
```

Behavior:

- Reads dependencies from `package.json` (JavaScript) or `requirements.txt`/`pyproject.toml`/`Pipfile` (Python)
- Attempts to get exact versions from lockfiles
- Performs a bulk lookup via the sus API
- Categorizes packages: clean, warnings, critical, unknown
- Displays results sorted by severity
- Exits with code 1 if critical issues are found (useful for CI)
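An added example, not sus's own code, of the first and last steps of the scan described above for a JavaScript project: pinning declared dependencies to the exact versions in `package-lock.json` (the lockfileVersion 3 layout, where installed packages are keyed by path) and deriving the summary line and exit code. The manifest, lockfile and assessment results are constructed inline:

```python
import json
from typing import Dict, Optional, Tuple

# Constructed manifest and lockfile (lockfileVersion 3 keys packages by path).
PACKAGE_JSON = json.dumps({
    "name": "your-project",
    "dependencies": {"lodash": "^4.17.0", "event-stream": "3.3.6"},
    "devDependencies": {"@types/node": "^20.0.0", "jest": "^29.0.0"},
})
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "your-project"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/event-stream": {"version": "3.3.6"},
        "node_modules/@types/node": {"version": "20.11.0"},
        "node_modules/lodash/node_modules/x": {"version": "9.9.9"},  # nested, not top-level
        # jest deliberately absent: a stale lockfile leaves it unpinned
    },
})

def resolve_versions(package_json: str, package_lock: Optional[str]) -> Dict[str, Optional[str]]:
    """Map each declared dependency to the exact version pinned in the
    lockfile, or None when the lockfile is missing or does not pin it."""
    manifest = json.loads(package_json)
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    locked: Dict[str, str] = {}
    if package_lock:
        prefix = "node_modules/"
        for path, entry in json.loads(package_lock).get("packages", {}).items():
            rest = path[len(prefix):]
            # only top-level installs; a nested node_modules belongs to another package
            if path.startswith(prefix) and prefix not in rest and "version" in entry:
                locked[rest] = entry["version"]
    return {name: locked.get(name) for name in declared}

LEVELS = ("clean", "warning", "critical", "unknown")

def summarize(assessments: Dict[str, str]) -> Tuple[str, int]:
    """Build the summary line and the exit code: 1 when anything is critical,
    which is what makes `sus scan` usable as a CI gate."""
    counts = {level: 0 for level in LEVELS}
    for level in assessments.values():
        counts[level] += 1  # KeyError on a level the reference does not define
    line = f"summary: {counts['clean']} clean, {counts['warning']} warning, {counts['critical']} critical"
    return line, 1 if counts["critical"] else 0
```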
## sus check

Look up the security assessment for a package without installing it.

```bash
sus check <package>
```

Arguments:

- `package` - Package spec to check (e.g., `lodash`, `express@4.18.0`)

Examples:

```bash
# Check latest version
sus check axios

# Check specific version
sus check lodash@4.17.20
```

Output:

```text
$ sus check axios
🔍 checking axios@1.6.0...
✅ not sus
├─ publisher: axios (verified)
├─ downloads: 45M/week
├─ cves: 0
├─ agentic threats: none
├─ install scripts: none
└─ trust score: 92/100
📋 capabilities:
├─ 🌐 network: *
└─ 🔑 env vars: HTTP_PROXY, HTTPS_PROXY
```

Behavior:

- Parses the package spec (name and optional version)
- Fetches the full assessment from the sus API
- If not yet scanned, requests a scan and shows the estimated time
- Displays the complete risk assessment, including:
  - Risk level and trust score
  - Publisher information
  - CVEs with descriptions
  - Agentic threats (if any)
  - Install scripts
  - Capabilities (network, filesystem, process, environment, native)
## sus update

Check for and update dependencies to their latest safe versions.

```bash
sus update
```

Flags:

| Flag | Description |
|---|---|
| `--dry-run` | Show what would be updated without making changes |

Examples:

```bash
# Update all dependencies
sus update

# Preview updates without applying
sus update --dry-run
```

Output:

```text
$ sus update --dry-run
📦 Available updates:
├─ express: 4.18.0 → 4.21.0 ✅
├─ lodash: 4.17.20 → 4.17.21 ✅
└─ axios: 1.5.0 → 1.6.0 ✅
Run without --dry-run to apply updates.
```

Behavior:

- Reads current dependencies from `package.json` (JavaScript) or `requirements.txt`/`pyproject.toml`/`Pipfile` (Python)
- Checks the latest version of each package via the sus API
- Compares current vs. latest versions
- With `--dry-run`: shows available updates and stops
- Without it: updates each package using your package manager
- Each update goes through the same security checks as `sus add`
## sus why

Show why a package exists in your dependency tree.

```bash
sus why <package>
```

Arguments:

- `package` - Package name to trace

Examples:

```bash
# Find why lodash is installed
sus why lodash

# Trace a transitive dependency
sus why minimist
```

Output:

```text
$ sus why minimist
minimist@1.2.8
├─ mkdirp@0.5.6
│  └─ your-project
└─ optimist@0.6.1
   └─ handlebars@4.7.7
      └─ your-project
```

Behavior:

- Detects your package manager
- Delegates to the underlying package manager's `why` command
- Pretty-prints the dependency chain with highlighting
## Global Options

These options work with all commands:

| Option | Description |
|---|---|
| `--api-url` | Use a custom API endpoint (default: https://api.sus-pm.com) |
| `--help` | Show help for the command |
| `--version` | Show sus version |

Environment Variables:

| Variable | Description |
|---|---|
| `SUS_API_URL` | Default API endpoint (overridden by `--api-url`) |
| `RUST_LOG` | Log level for debugging (e.g., `sus=debug`) |
## Risk Levels

sus categorizes packages into three risk levels:

### Clean

No issues detected. The package installs automatically.

```text
✅ not sus
├─ publisher: expressjs (verified)
├─ downloads: 32M/week
└─ cves: 0
```

### Warning

Minor issues found. sus prompts for confirmation before installing.

```text
⚠️ kinda sus
├─ CVE-2021-23337: prototype pollution (medium)
└─ trust score: 45/100
```

Use `--strict` to block warnings, or confirm to proceed.

### Critical

Major security threats. Installation is blocked by default.

```text
🚨 MEGA SUS
├─ malware: flatmap-stream injection
├─ targets: cryptocurrency wallets
└─ status: COMPROMISED
```

Use `--yolo` to force install (not recommended).
## Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Critical issues found (scan) or installation blocked |
| 2 | Command error or invalid arguments |