Commands
scalp policy check
Evaluate policy and trust scores against resolved dependencies without installing anything. Ideal for quick pre-merge checks.
Evaluates your policy against the current dependency tree without installing a single package. Useful for quick feedback in CI or during development — resolve, parse, evaluate, enforce, done.
Usage
```
scalp policy check [flags]
```
Flags
| Flag | Default | Description |
|---|---|---|
| --pm | auto-detected | Package manager override |
| --policy | .scalp/policy.json | Policy path |
| --ci | false | Force enforcement to block |
How it works
- Loads policy (or defaults if missing)
- Resolves dependencies (lockfile-only, no install)
- Parses the lockfile → flat list of `PackageNode`
- Evaluates policy rules: allow/deny, transitive `max_depth`
- Evaluates trust scores (if `min_score > 0` or `require_hash`)
- Applies enforcement: `block`, `warn`, or `log`
No install, no hash sync, no audit — just evaluation.
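To make the evaluate/enforce steps concrete, here is a small reference model of the pipeline above as an added example. It is not scalp's own code: the policy keys (`allow`, `deny`, `max_depth`, `min_score`, `require_hash`, `on_violation`), the `PackageNode` fields, the 0..1 trust-score scale and the lockfile sample are all constructed assumptions chosen to mirror the concepts on this page, and the real `.scalp/policy.json` schema may differ.

```python
"""Reference model of a lockfile-only policy check.

Added example, not scalp's code. Policy schema, PackageNode fields and the
trust-score scale are assumptions that mirror the concepts on this page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PackageNode:
    name: str
    version: str
    depth: int                      # 0 = direct dependency, 1+ = transitive
    integrity: Optional[str] = None  # lockfile hash, None if the lockfile lacks one
    score: float = 1.0              # trust score in 0..1 (assumed scale)


# Constructed flat list, i.e. what the "parse the lockfile" step would yield.
SAMPLE_NODES = [
    PackageNode("left-pad", "1.3.0", 0, "sha512-AAAA", 0.9),
    PackageNode("malicious-pkg", "1.0.0", 1, "sha512-BBBB", 0.2),
    PackageNode("deep-dep", "0.0.1", 4, None, 0.7),
]

# Constructed policy (assumed schema, not scalp's real file format).
SAMPLE_POLICY = {
    "allow": [],             # empty allowlist = anything not denied is allowed
    "deny": ["malicious-pkg"],
    "max_depth": 3,          # deepest transitive level tolerated
    "min_score": 0.5,
    "require_hash": True,
    "on_violation": "warn",  # block | warn | log
}


def evaluate(nodes: List[PackageNode], policy: dict) -> List[Tuple[str, str]]:
    """Apply allow/deny, max_depth and (if enabled) trust-score rules.

    Returns (name@version, reason) pairs; nothing is installed or fetched.
    """
    violations = []
    allow = set(policy.get("allow", []))
    deny = set(policy.get("deny", []))
    max_depth = policy.get("max_depth")
    min_score = policy.get("min_score", 0)
    require_hash = policy.get("require_hash", False)

    for n in nodes:
        ident = f"{n.name}@{n.version}"
        if n.name in deny:
            violations.append((ident, "denylist"))
        if allow and n.name not in allow:
            violations.append((ident, "not in allowlist"))
        if max_depth is not None and n.depth > max_depth:
            violations.append((ident, f"depth {n.depth} > max_depth {max_depth}"))
        # Trust scoring only runs when the policy asks for it, as on this page.
        if min_score > 0 or require_hash:
            if n.score < min_score:
                violations.append((ident, f"score {n.score} < min_score {min_score}"))
            if require_hash and not n.integrity:
                violations.append((ident, "missing hash"))
    return violations


def enforce(violations: List[Tuple[str, str]], policy: dict, ci: bool = False) -> int:
    """Map violations to an exit code. --ci forces on_violation to block."""
    mode = "block" if ci else policy.get("on_violation", "warn")
    if not violations:
        print("policy check ok")
        return 0
    print(f"! policy violations detected ({mode})")
    for ident, reason in violations:
        print(f"  - {ident} ({reason})")
    # Only block mode fails the run; warn and log report but exit 0.
    return 1 if mode == "block" else 0


def policy_check(nodes: List[PackageNode], policy: dict, ci: bool = False) -> int:
    """The full resolve -> parse -> evaluate -> enforce flow on a parsed tree."""
    return enforce(evaluate(nodes, policy), policy, ci)


if __name__ == "__main__":
    raise SystemExit(policy_check(SAMPLE_NODES, SAMPLE_POLICY, ci=True))
```

Run as-is it behaves like `scalp policy check --ci` on the constructed tree: the denylisted package, the low trust score, the dependency nested deeper than `max_depth`, and the hash-less entry are each reported, and the process exits 1 because `--ci` overrides the policy's `warn` mode. Without `ci=True` the same violations are printed but the exit code is 0.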
Basic usage
```
scalp policy check
```
When policy passes:
```
policy check ok
```
When violations are found (warn mode):
```
! policy violations detected
policy violations detected:
  - malicious-pkg@1.0.0 (denylist: denylist)
```
With CI enforcement
```
scalp policy check --ci
```
Forces `on_violation` to `block`. Exit code 1 on any violation.
Check a specific policy
```
scalp policy check --policy custom-policy.json
```
Why use policy check instead of ci?
| Situation | Use |
|---|---|
| Quick feedback on policy rules | policy check |
| Full verification (install + audit) | ci |
| Before merging a PR | policy check --ci |
| Before deploying | ci |
policy check is faster because it skips the install and hash sync. Use it when you want policy feedback in seconds, not minutes.