Open Source CLI

Stacktower CLI

Generate dependency towers locally, integrate into CI/CD, or build custom tooling. 100% open source under Apache-2.0.


Installation

Homebrew

Recommended

macOS / Linux — includes all features out of the box (GitHub auth, private repo access)

brew tap stacktower-io/homebrew-tap
brew install --cask stacktower

Alternative: build from source
Building from source does not embed GitHub App credentials. stacktower github commands will not work unless you set STACKTOWER_GITHUB_APP_CLIENT_ID and STACKTOWER_GITHUB_APP_SLUG environment variables. Use Homebrew for the full experience.

Go install

go install github.com/stacktower-io/stacktower/cmd/stacktower@latest

Clone & build

git clone https://github.com/stacktower-io/stacktower.git && cd stacktower && make build

Quick Start

The basic workflow is: parse a package or manifest to JSON, then render to SVG.

From a package registry

stacktower parse python fastapi -o fastapi.json
stacktower render fastapi.json -o fastapi.svg

From a local manifest file

stacktower parse poetry.lock -o deps.json
stacktower render deps.json -o tower.svg

Works with package-lock.json, Cargo.lock, go.mod, Gemfile.lock, and more.

With vulnerability scanning

stacktower parse python django --security-scan -o django.json
stacktower render django.json --show-vulns -o django.svg

Scans via OSV.dev and highlights vulnerable packages in the visualization.

Quick preview (resolve)

stacktower resolve poetry.lock

Prints the dependency tree to stdout without generating files. Great for quick checks.

Analysis & CI integration

stacktower why flask.json markupsafe
stacktower stats flask.json
stacktower diff flask-old.json flask.json --fail-on-vuln
stacktower sbom flask.json -o flask.cdx.json

Trace dependency paths, generate health reports, compare graph versions (exit code 3 on new vulns), and export SBOM for compliance.

Core Commands

The main commands for parsing dependencies and generating visualizations.

Analysis Commands

Inspect, compare, and export dependency graphs after parsing.

Advanced Commands

Additional utilities for fine-grained control and workflow integration.

JSON Format

The render layer accepts a simple JSON format, making it easy to visualize any directed graph—not just package dependencies.

Minimal Example

{
  "nodes": [
    { "id": "app" },
    { "id": "lib-a" },
    { "id": "lib-b" }
  ],
  "edges": [
    { "from": "app", "to": "lib-a" },
    { "from": "lib-a", "to": "lib-b" }
  ]
}

Optional Fields

nodes[].row               Pre-assigned layer
nodes[].vuln_severity     critical, high, medium, low
nodes[].meta.repo_url     GitHub URL for links
nodes[].meta.repo_stars   Star count for popups
nodes[].meta.summary      Package description
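
Added example, not part of the Stacktower project: a pre-render check for hand-built graph JSON in the format above, which also counts nodes per vuln_severity. The rules it enforces (unique string ids, edges that reference declared nodes) are assumptions of this example, not documented Stacktower behaviour; the severity values are the four listed under Optional Fields.

```python
import json
from collections import Counter

SEVERITIES = {"critical", "high", "medium", "low"}  # values listed on this page

# Constructed sample: the page's minimal graph with one optional field added.
SAMPLE = """{
  "nodes": [{"id": "app"}, {"id": "lib-a", "vuln_severity": "high"}, {"id": "lib-b"}],
  "edges": [{"from": "app", "to": "lib-a"}, {"from": "lib-a", "to": "lib-b"}]
}"""


def check_graph(doc):
    """Return (problems, severity_counts) for a parsed graph document."""
    problems, counts, seen = [], Counter(), set()
    nodes = doc.get("nodes") if isinstance(doc, dict) else None
    edges = doc.get("edges", []) if isinstance(doc, dict) else None
    if not isinstance(nodes, list) or not isinstance(edges, list):
        return ['"nodes" and "edges" must be arrays'], counts
    for i, node in enumerate(nodes):
        node_id = node.get("id") if isinstance(node, dict) else None
        if not isinstance(node_id, str) or not node_id:
            problems.append(f"nodes[{i}]: missing string id")
            continue
        if node_id in seen:
            problems.append(f"nodes[{i}]: duplicate id {node_id!r}")
        seen.add(node_id)
        sev = node.get("vuln_severity")
        if sev is None:
            continue  # optional field, absent means no known vulnerability
        if isinstance(sev, str) and sev in SEVERITIES:
            counts[sev] += 1
        else:
            problems.append(f"nodes[{i}]: unknown vuln_severity {sev!r}")
    for i, edge in enumerate(edges):
        for key in ("from", "to"):
            end = edge.get(key) if isinstance(edge, dict) else None
            # Assumption of this example: a dangling edge is an input error.
            if not isinstance(end, str) or end not in seen:
                problems.append(f"edges[{i}].{key}: {end!r} is not a declared node")
    return problems, counts


if __name__ == "__main__":
    found, by_severity = check_graph(json.loads(SAMPLE))
    print("problems:", found or "none")
    print("severity counts:", dict(by_severity))
```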

Global Flags

These flags are available on every command.

-v, --verbose   Enable verbose logging
-q, --quiet     Suppress non-essential output
--version       Show version and build info

Environment Variables

GITHUB_TOKEN     GitHub API token for metadata enrichment
XDG_CACHE_HOME   Override default cache directory (~/.cache)
NO_COLOR         Disable colour output

Exit Codes

0     Success
1     Runtime/system failure (network, registry/API, render/pipeline errors)
2     Invalid usage or input (unsupported language, invalid package/manifest)
3     New vulnerabilities detected (diff --fail-on-vuln)
130   Interrupted (Ctrl+C / termination signal)

Troubleshooting

Symptom: rate limited: too many requests
Cause: GitHub/PyPI API rate limit exceeded
Fix: Set GITHUB_TOKEN; use --no-cache sparingly

Symptom: librsvg / rsvg-convert errors
Cause: Missing system dependency for PDF/PNG
Fix: brew install librsvg (macOS) or apt install librsvg2-bin (Linux)

Symptom: Very slow for large graphs
Cause: Graph exceeds default limits
Fix: Lower --max-nodes or use --ordering barycentric

Symptom: context deadline exceeded
Cause: Ordering search timeout
Fix: Increase --ordering-timeout or switch to --ordering barycentric
