pydepgate is invoked as:
pydepgate [global flags] <subcommand> [subcommand flags] [arguments]
Global flags work on either side of the subcommand. Both of the following are equivalent:
pydepgate --format json scan package.whl
pydepgate scan package.whl --format json
Subcommand Status Description scan Available Scan a wheel, sdist, installed package, or single file explain Available Look up signal and rule documentation preflight Under development Walk an installed Python environment exec Under development Run a script with runtime interdiction version Available Print pydepgate version completions Available Generate shell tab-completion scripts helpAvailable Show help for pydepgate or a specific subcommand
Global flags apply to every subcommand. They can be placed before or after the subcommand name.
Flag Values Default Env variable Description --formathuman, json, sarifhumanPYDEPGATE_FORMATOutput format --colorauto, always, neverautoPYDEPGATE_COLORANSI color control. auto emits color when stdout is a TTY. always forces color through pipes. never disables color. --no-color PYDEPGATE_NO_COLOR, NO_COLORAlias for --color=never. Kept for compatibility. --no-map falsePYDEPGATE_NO_MAPSuppress the finding-distribution map in human output
Flag Values Default Env variable Description --min-severityinfo, low, medium, high, criticalinfoPYDEPGATE_MIN_SEVERITYSuppress findings below this severity in output --ci falsePYDEPGATE_CICI mode: if --format is not set, forces json; if --color is auto, forces never. Does not change --min-severity. --strict-exit falsePYDEPGATE_STRICT_EXITCompute exit code from all findings regardless of --min-severity. Use when you want filtered display but unfiltered exit behavior.
Flag Values Default Env variable Description --rules-filepath auto-discover PYDEPGATE_RULES_FILEPath to a .gate rules file. Auto-discovery checks ./pydepgate.gate then ~/.config/pydepgate/pydepgate.gate.
Flag Values Default Env variable Description --peek falsePYDEPGATE_PEEKEnable the payload-peek enricher. Required for --decode-payload-depth to produce output. --peek-depthinteger 3PYDEPGATE_PEEK_DEPTHMaximum decode depth in the enricher pass. Floor 1, ceiling 10. --peek-budgetinteger (bytes) 524288 (512 KB)PYDEPGATE_PEEK_BUDGETCumulative byte budget across all unwrap layers. Floor 1024. --peek-min-lengthinteger 1024PYDEPGATE_PEEK_MIN_LENGTHMinimum literal length, in bytes, before the enricher attempts to decode it. Floor 16. --peek-chain falsePYDEPGATE_PEEK_CHAINPrint verbose per-layer hex dumps in the enricher output
Flag Values Default Env variable Description --decode-payload-depthinteger unset (decode disabled) PYDEPGATE_DECODE_PAYLOAD_DEPTHMaximum recursion depth for the decode pipeline. Must be in [1, 8] when enabled. Requires --peek. --decode-locationpath ./decoded/PYDEPGATE_DECODE_LOCATIONOutput directory for decode reports, sidecars, and archives. Created if missing. --decode-formattext, jsontextPYDEPGATE_DECODE_FORMATFormat of the decode-pipeline report. text for a human-readable tree; json for structured downstream tooling. --decode-iocsoff, hashes, fulloffPYDEPGATE_DECODE_IOCSIOC sidecar mode. See Decode Payloads . --decode-archive-passwordstring infectedPYDEPGATE_DECODE_ARCHIVE_PASSWORDPassword for the full mode encrypted archive --decode-archive-stored false(none) Use STORED compression instead of DEFLATE for the full mode archive. Slightly larger archive but bypasses zlib entirely. Useful when byte-verifiable archive contents matter.
Flag Values Default Env variable Description --sarif-srcrootpath PYDEPGATE_SARIF_SRCROOTSource root for SARIF PROJECTROOT URI base. Only meaningful with --format sarif. Emits a warning if set with other formats.
When a flag is set via both an environment variable and the command line, the command line wins. When a flag is set via both an environment variable and the default, the environment variable wins.
explicit CLI flag > environment variable > built-in default
Shell completion is available for bash, zsh, and fish. See completions for setup instructions.
Table of contents