Querying Dependencies
List, group, and trace a project's dependencies with xgrep deps — flat inventory, per-manifest tree, and go-mod-why-style usage.
xgrep deps answers questions about a project's dependencies. It is built on the same offline SBOM as xgrep sbom plus the package-aware code graph, and has three subcommands:

deps list — a flat, scope-tagged inventory.
deps tree — each manifest's root, direct, and transitive sets.
deps why — which dependencies your code actually imports, and where.

All queries are offline (file parsing plus graph queries, no network).

deps list
List every dependency as a flat inventory, each tagged direct or transitive:
xgrep deps list .
xgrep deps list --scope direct .       # only direct dependencies
xgrep deps list --scope transitive .   # only transitive

direct      go   github.com/spf13/cobra@v1.10.2
direct      npm  react@18.3.1
transitive  npm  scheduler@0.23.2
3 dependencies

A package declared direct by any manifest is reported as direct (direct-wins dedup). Add --json for machine-readable output, --ecosystem to restrict to one ecosystem, and --ref to read the manifests from a git ref.
deps tree
Show each discovered manifest grouped as Root → Direct → Transitive. In a monorepo, each module's manifest gets its own tree (no cross-manifest dedup):
xgrep deps tree .

my-service@1.2.0 [go.mod]
  direct (2):
    github.com/spf13/cobra@v1.10.2
    go.mondoo.com/mql@v13.0.0
  transitive (1):
    github.com/inconshreveable/mousetrap@v1.1.0

This is two-level, not a fully nested tree: parsed manifests expose no package→package edges to nest by. For the complete transitive set, use deps list --scope transitive.
deps why
Trace the relationship between your first-party code and a dependency. It works in both directions.
Forward — which dependency packages does the code under a path import directly, and from which files:
xgrep deps why ./cmd

./cmd directly imports 1 package(s):
  github.com/spf13/cobra@v1.10.2 [go]
    via cmd/xgrep/main.go

Reverse (--package) — which first-party files directly import a given package
(by name or purl). This answers "is this dependency actually used by our code, and
where?":
xgrep deps why --package github.com/spf13/cobra

github.com/spf13/cobra@v1.10.2 [go] is directly imported by 13 file(s):
  cmd/xgrep/ci.go
  cmd/xgrep/deps.go
  cmd/xgrep/main.go
  …

If a package is in the SBOM but no first-party file imports it directly, deps why --package says so — a hint that it is pulled in transitively.

Direct usage only.
deps why reports direct code→package imports. Multi-hop import chains and dependency-tree transitivity ("A pulls in B") are not yet tracked. Use deps list --scope transitive for the full transitive inventory.
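The reverse query above is a direct-import check over first-party sources. As an added illustration (not xgrep's own code), the Go program below does the same one-hop check over constructed sample files with go/parser in ImportsOnly mode: a file counts as an importer if any import path is the queried module or a package beneath it, and a package with no importer is reported as likely transitive. File names and contents are constructed for the example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample sources standing in for a checkout's first-party files.
var sampleFiles = map[string]string{
	"cmd/xgrep/main.go":     "package main\n\nimport (\n\t\"fmt\"\n\t\"github.com/spf13/cobra\"\n)\n\nfunc main() { fmt.Println(cobra.Command{}) }\n",
	"cmd/xgrep/deps.go":     "package main\n\nimport \"github.com/spf13/cobra/doc\"\n\nvar _ = doc.GenMarkdown\n",
	"internal/util/util.go": "package util\n\nimport \"strings\"\n\nfunc Up(s string) string { return strings.ToUpper(s) }\n",
}

// importsPackage is true for the module path itself or any package beneath it
// (github.com/spf13/cobra/doc counts as a direct import of github.com/spf13/cobra).
func importsPackage(importPath, pkg string) bool {
	return importPath == pkg || strings.HasPrefix(importPath, pkg+"/")
}

// directImporters returns the sorted names of files whose import declarations
// reference pkg. Only the one hop file -> package is inspected; chains are not followed.
func directImporters(files map[string]string, pkg string) ([]string, error) {
	var hits []string
	fset := token.NewFileSet()
	for name, src := range files {
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, imp := range f.Imports {
			path, err := strconv.Unquote(imp.Path.Value)
			if err != nil {
				return nil, err
			}
			if importsPackage(path, pkg) {
				hits = append(hits, name)
				break // one hit per file is enough
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	for _, pkg := range []string{"github.com/spf13/cobra", "github.com/inconshreveable/mousetrap"} {
		files, err := directImporters(sampleFiles, pkg)
		if err != nil {
			panic(err)
		}
		if len(files) == 0 {
			fmt.Printf("%s is not directly imported by any first-party file (likely transitive)\n", pkg)
			continue
		}
		fmt.Printf("%s is directly imported by %d file(s):\n", pkg, len(files))
		for _, f := range files {
			fmt.Println("  " + f)
		}
	}
}
```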