Thirdpass Docs

Check Command

Check a project's dependencies against submitted Thirdpass reviews.

The check command is the consumer side of Thirdpass.

Run it from a project directory:

thirdpass check

Dependency Discovery

The CLI asks installed extensions whether they can identify dependency files in the current directory or one of its parents.

For example, an ecosystem extension might inspect a lockfile, extract package names and versions, and return the dependencies it understands.

Review Lookup

After dependencies are identified, the CLI asks the server for matching reviews and reads committed project reviews from .thirdpass/reviews/.

Committed project reviews are only used when they still match the current package artifact and reviewed file hashes. If a project review is present but no longer matches the current package contents, check reports it as stale.

Results

The command can report:

  • Dependencies with review coverage.
  • Dependencies with no known review coverage.
  • Findings from submitted reviews that match the project's dependencies.
  • Matching or stale committed project reviews.

The goal is to make supply chain review data actionable from the terminal.
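As an added worked example of the review lookup and the result categories described above (this is illustrative code, not Thirdpass's own; the review record layout, field names and SHA-256 hashing are assumptions), a small checker that applies the staleness rule: a committed review counts only while the package artifact hash and every reviewed file hash still match the current package contents.

```python
import hashlib
from dataclasses import dataclass, field
@dataclass
class Review:
    """A committed review record (layout is this example's assumption, not Thirdpass's)."""
    package: str
    version: str
    artifact_sha256: str  # hash of the reviewed package artifact
    file_sha256: dict     # path -> sha256 of each reviewed file
    findings: list = field(default_factory=list)
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def classify(dep, artifact, files, reviews):
    """One dependency -> covered, stale or unreviewed. A committed review counts only
    if package/version match and artifact + reviewed file hashes still match."""
    candidates = [r for r in reviews if (r.package, r.version) == dep]
    if not candidates:
        return {"status": "unreviewed", "findings": []}
    for r in candidates:
        artifact_ok = r.artifact_sha256 == sha256_hex(artifact)
        files_ok = all(p in files and sha256_hex(files[p]) == h
                       for p, h in r.file_sha256.items())
        if artifact_ok and files_ok:
            return {"status": "covered", "findings": list(r.findings)}
    return {"status": "stale", "findings": []}  # review exists but no longer matches

def check(deps, reviews):
    """deps: {(name, version): (artifact_bytes, {path: bytes})} -> grouped report."""
    report = {"covered": [], "stale": [], "unreviewed": [], "findings": {}}
    for dep, (artifact, files) in deps.items():
        result = classify(dep, artifact, files, reviews)
        report[result["status"]].append(dep)
        if result["findings"]:
            report["findings"][dep] = result["findings"]
    return report

# Constructed sample data (not real packages or reviews).
PKG_A, PKG_B = b"artifact-a-bytes", b"artifact-b-bytes"
FILES_A = {"index.js": b"module.exports = () => 1;\n"}
FILES_B = {"lib.js": b"module.exports = () => 2;\n"}
REVIEWS = [
    Review("pkg-a", "1.0.0", sha256_hex(PKG_A), {"index.js": sha256_hex(FILES_A["index.js"])},
           ["reviewer note (constructed): no issues"]),
    Review("pkg-b", "2.0.0", sha256_hex(PKG_B), {"lib.js": sha256_hex(b"old contents")}),
]
DEPS = {("pkg-a", "1.0.0"): (PKG_A, FILES_A),
        ("pkg-b", "2.0.0"): (PKG_B, FILES_B),   # reviewed file changed since review
        ("pkg-c", "0.1.0"): (b"artifact-c", {})}  # no review at all
```

Running check(DEPS, REVIEWS) groups pkg-a as covered (with its findings), pkg-b as stale because a reviewed file's hash no longer matches, and pkg-c as having no known review coverage.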