technologies

Purplemet CI edited this page Apr 28, 2026 · 2 revisions

Technology Detection

Purplemet detects technologies (frameworks, libraries, servers, languages) running on your sites and tracks their security status.

List Technologies

purplemet-cli tech list <siteId|url> [flags]

Flag              Default   Description
--limit           100       Maximum technologies to return (0 for all)
--include-sites   false     Include site count in output
--json            false     JSON output

Example (illustrative — categories, versions and counts come from the Purplemet API):

$ purplemet-cli tech list https://your-app.com
NAME                  CATEGORY              VERSION     EOL    CVEs
------                --------              -------     ---    ----
Nginx                 <category>            1.25.3      -      0
React                 <category>            18.2.0      -      0
...

Understanding the Output

End of Life (EOL)

Technologies past their end-of-life date no longer receive security patches. This is a significant risk — any new vulnerability discovered will remain unpatched.

The EOL column shows the year the version reached end of life. Use --fail-on-eol in your analysis to block on EOL components.

CVE Count

The number of known CVEs (Common Vulnerabilities and Exposures) associated with the detected version. A high CVE count doesn't necessarily mean the site is exploitable — it depends on configuration and usage context — but it indicates increased risk.

OpenSSF Scorecard

Some technologies include an OpenSSF Scorecard score (0–10) reflecting the security practices of the upstream project (code review, CI, dependency management, etc.). A low score suggests the project may be less reliable from a security maintenance standpoint.

Use --fail-on-ossf-score 5.0 to block on technologies with a low scorecard score.

JSON Output

purplemet-cli tech list https://your-app.com --json

Each technology object contains:

Field                  Type     Description
id                     string   Unique technology ID
name                   string   Product name
version                string   Detected version
category               string   Technology category as defined by the Purplemet platform
cveCnt                 int      Known CVE count for this version
endOfLife              int      EOL timestamp (unix ms, 0 if not EOL)
latestVersion          string   Latest available version
branchLatestVersion    string   Latest version in the same major branch
repository             string   Source repository URL
backportPossibility    bool     Whether backporting is available
ossfScorecard.score    float    OpenSSF Scorecard score (0–10)
ossfScorecard.checks   array    Individual scorecard checks
siteCnt                int      Sites with this technology (with --include-sites)
firstDetectedAt        int      First detection (unix ms)
lastDetectedAt         int      Last detection (unix ms)
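
A triage pass over the fields listed above, as an added example (not Purplemet's own code). It assumes `--json` prints a top-level array and that `ossfScorecard` is a nested object that may be absent; the sample data is constructed, and `triage` and `min_ossf` are names chosen here.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `tech list --json` output (not real
# scan data). Assumes a top-level array, as the page's jq filter implies.
SAMPLE = json.loads("""[
  {"name": "Nginx", "version": "1.25.3", "cveCnt": 0, "endOfLife": 0,
   "branchLatestVersion": "1.25.3", "ossfScorecard": {"score": 6.8}},
  {"name": "ExampleLib", "version": "2.1.0", "cveCnt": 4,
   "endOfLife": 1672531200000, "branchLatestVersion": "2.9.4",
   "ossfScorecard": {"score": 3.2}},
  {"name": "NoScoreLib", "version": "0.9.0", "cveCnt": 1, "endOfLife": 0,
   "branchLatestVersion": "0.9.7"}
]""")


def triage(techs, min_ossf=5.0):
    """Return (name, version, findings) tuples, most urgent first."""
    rows = []
    for t in techs:
        findings = []
        eol_ms = t.get("endOfLife") or 0      # 0 means the version is not EOL
        if eol_ms > 0:
            year = datetime.fromtimestamp(eol_ms / 1000, tz=timezone.utc).year
            findings.append(f"EOL since {year}")
        cves = t.get("cveCnt") or 0
        if cves > 0:
            findings.append(f"known CVEs: {cves}")
        # Only some technologies carry a scorecard; a missing score is
        # skipped rather than read as 0, which would fail every unscored item.
        score = (t.get("ossfScorecard") or {}).get("score")
        if score is not None and score < min_ossf:
            findings.append(f"OpenSSF score {score} < {min_ossf}")
        # For flagged items, show the same-branch version to move to.
        branch_latest = t.get("branchLatestVersion")
        if findings and branch_latest and branch_latest != t.get("version"):
            findings.append(f"branch latest is {branch_latest}")
        if findings:
            # Sort key: EOL items first, then highest CVE count.
            rows.append((eol_ms == 0, -cves, t["name"], t.get("version"), findings))
    return [(name, ver, f) for _, _, name, ver, f in sorted(rows)]


if __name__ == "__main__":
    for name, version, findings in triage(SAMPLE):
        print(f"{name} {version}: " + "; ".join(findings))
```

To run it on real output, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the `--json` result into the script.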

Related Gates

Gate                        Description
--fail-on-eol               Fail if end-of-life components are detected
--exclude-tech "php,java"   Fail if specified technologies are detected
--fail-on-ossf-score 5.0    Fail if any technology has an OpenSSF Scorecard score below threshold

Use Cases

Monitor for outdated components

# List all technologies with CVEs
purplemet-cli tech list https://your-app.com --json | jq '.[] | select(.cveCnt > 0)'

Enforce technology policy

Block pipelines if forbidden technologies are detected:

purplemet-cli analyze https://your-app.com --json \
  --fail-on-eol \
  --exclude-tech "php,java" \
  --fail-on-ossf-score 5.0

Track technology inventory

# All technologies across all sites
purplemet-cli tech list --include-sites --json --limit 0
