Scanning dependencies with conan audit

A new command, conan audit, was added in Conan 2.14. It provides a built-in way to scan your dependencies for known CVEs.

For a step-by-step guide on authentication, usage examples, output formats, and setting up private providers, see Checking package vulnerabilities. In short:

1. Register at audit.conan.io.

2. Activate your account via the confirmation email you receive.

3. Save your token, which is displayed on the page after activation.

4. Configure Conan to use your token:

conan audit provider auth conancenter --token=<token>

5. Run a scan:

# Check a specific reference
conan audit list zlib/1.2.13

# Scan the entire dependency graph
conan audit scan .  # Path to the conanfile.py/txt

This command also supports using your own JFrog Platform as a private provider for vulnerability scanning. See the Adding private providers section for more details.

See also

• JFrog Academy Conan 2 Essentials: Scanning C++ packages for Vulnerabilities using Conan Audit

• For detailed reference documentation on all conan audit subcommands and their options, consult the conan audit command reference.

• Read more in the dedicated blog post.