Scanning dependencies with conan audit¶
A new command, conan audit, was added in Conan 2.14. It provides a built-in way to scan your dependencies for known CVEs.
For a step-by-step guide on authentication, usage examples, output formats, and setting up private providers, see Checking package vulnerabilities. In short:
1. Register at audit.conan.io.
2. Activate your account via the confirmation email you receive.
3. Save your token, which is displayed on the page after activation.
4. Configure Conan to use your token:

   conan audit provider auth conancenter --token=<token>

5. Run a scan:

   # Check a specific reference
   conan audit list zlib/1.2.13

   # Scan the entire dependency graph
   conan audit scan .   # Path to the conanfile.py/txt
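The steps above wrapped for a CI job, as an added example that is not part of the Conan documentation: the token is read from an environment variable (CONAN_AUDIT_TOKEN is a name chosen here, not a Conan setting) instead of being typed on the command line, a missing token fails the job instead of silently skipping the scan, and the report is kept as a build artifact. The --format=json option is assumed to be accepted by conan audit scan.

```shell
#!/bin/sh
# Added example (not Conan's own code): run conan audit as a CI gate.
# Assumes CONAN_AUDIT_TOKEN (a name chosen for this script) holds the
# audit.conan.io token and that `conan audit scan` accepts --format=json.
set -eu

# Fail loudly when no token is configured, so a misconfigured pipeline
# does not quietly run without a vulnerability scan.
require_token() {
    [ -n "${CONAN_AUDIT_TOKEN:-}" ] || {
        echo "CONAN_AUDIT_TOKEN is not set; refusing to skip the audit" >&2
        return 1
    }
}

# Authenticate the conancenter provider with the token from the environment,
# which keeps the secret out of the interactive shell history.
audit_auth() {
    require_token
    conan audit provider auth conancenter --token="$CONAN_AUDIT_TOKEN"
}

# Scan the full dependency graph of the conanfile in $1 (default: current
# directory) and store the machine-readable report for later inspection.
audit_scan() {
    dir="${1:-.}"
    conan audit scan "$dir" --format=json > audit-report.json
    echo "audit report written to audit-report.json"
}

# Usage inside the job: audit_auth && audit_scan path/to/project
```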
This command also supports using your own JFrog Platform as a private provider for vulnerability scanning. See the Adding private providers section for more details.
See also
JFrog Academy Conan 2 Essentials: Scanning C++ packages for Vulnerabilities using Conan Audit
For detailed reference documentation on all conan audit subcommands and their options, consult the conan audit command reference. Read more in the dedicated blog post.