Answers to common questions and solutions to known issues. If you can't find what you're looking for here, reach out to us directly.
Frequently asked questions
What package ecosystems does Ossprey support?
Ossprey currently supports npm, yarn, and PyPI. The CLI auto-detects these package managers. If you need support for additional ecosystems, please contact us at support@ossprey.com.
How often are repositories scanned?
Repositories connected via the GitHub App are scanned on pull requests against the monitored branch, or on a schedule you configure. You can also trigger manual scans from the dashboard at any time.
Can I scan private repositories?
Yes. The Ossprey GitHub App requests only the permissions needed to read package manifests. It accesses your repository content to generate SBOMs, but never stores your source code. Private repositories are fully supported.
What happens when a malicious package is detected?
The scan result is flagged on the dashboard, and if you're using the CLI with --github-comments in a GitHub Actions workflow, inline review comments are posted on the PR. The CLI also exits with code 1 to fail your pipeline. You should investigate the flagged package, check for a safe version or alternative, update your project, and re-scan.
Is my code secure?
Ossprey accesses your repository content to analyse package manifests and generate SBOMs, but never stores your source code. We only use the dependency information those manifests contain.
How does Ossprey detect threats?
Ossprey analyses packages in real time by examining their code and behaviour. This includes behavioural analysis to understand what a package actually does at runtime, combined with our threat intelligence database of known malware signatures.
How do I contact support?
Email us at support@ossprey.com, or use the in-app support option in the dashboard.
Troubleshooting
My scan is stuck or not completing
Large projects with many dependencies take longer to scan. If a scan seems stuck for more than 30 minutes, try refreshing the page or running a new scan. If the problem persists, contact support.
The GitHub integration isn't triggering scans
Go to GitHub Settings → Applications → Installed GitHub Apps
Find Ossprey and click Configure
Verify repository access permissions
Check webhook delivery in your GitHub repo settings under Webhooks
Try uninstalling and reinstalling the app
Ensure your organisation allows third-party apps
I'm getting unexpected scan results
Ensure you're looking at the correct branch/version
Check the scan date — results may be from an older scan
Verify your package manifest files are correct and up to date
To report a false positive or false negative, contact support with the package name, version, and ecosystem
CLI authentication errors
Check that your API key is correctly set via --api-key or the API_KEY environment variable
Verify the key hasn't been revoked in the dashboard
Ensure you're not accidentally using a dry-run flag (which bypasses auth but doesn't submit to the API)
Try generating a new key in the Security and API Keys section of the dashboard
In-app support: Use the support option in the dashboard
When contacting support, please include your account email, a description of the issue, steps to reproduce the problem, and any error messages or screenshots.