dpndncY

Stand up dpndncY in ten minutes.

Pull the container, log in, run your first scan, view your first signed verdict.

1 — Pull and run

A single-container quickstart: a persistent volume holds the SQLite database, and port 8080 is exposed for the web UI and API.

docker run

docker run -d \
  --name dpndncy \
  -p 8080:8080 \
  -v dpndncy-data:/data \
  -e DPNDNCY_SIGNING_KEY_AUTOGEN=1 \
  ghcr.io/dpndncy/server:latest

What that flag does

DPNDNCY_SIGNING_KEY_AUTOGEN=1 generates a signing keypair on first boot. For production, bring your own keypair via DPNDNCY_SIGNING_KEY_PATH instead.

2 — Bootstrap the admin user

The first run prints a one-time bootstrap token to the container logs. Visit http://localhost:8080, paste it, and create your admin account.

grab the bootstrap token

docker logs dpndncy | grep BOOTSTRAP_TOKEN

3 — Create a Personal API Token

From Profile → API tokens → New token. Used for the CLI, VS Code extension, and CI integrations.

4 — Run your first scan

From your project directory:

dpndncy CLI

export DPNDNCY_URL=http://localhost:8080
export DPNDNCY_TOKEN=<your-personal-api-token>

dpndncy scan ./package.json --output sarif > findings.sarif

Or via the UI: Scans → New scan → Upload manifest.

5 — View the signed verdict

Every scan emits a DSSE-signed in-toto Statement. Download it from the scan detail page, then verify offline:

offline verification

dpndncy-verify scan-1234.intoto.jsonl \
  --public-key /data/keys/agent-pub.pem
# → Signature: OK
# → Type: https://dpndncy.io/scan/v1
# → Subject: ./package.json sha256: a1b2c3…

That last command is the wedge

The verifier binary is self-contained. No portal. No network calls. Hand it to your auditor — they only need the public key.

Next steps