Skip to main content
Glama

scan_directory

Scan a directory to detect licenses, packages (including transitive dependencies), vulnerabilities, and policy violations using purl2notices. Start your compliance analysis here.

Instructions

FIRST STEP: Scan a directory for compliance issues using purl2notices.

This is typically the FIRST tool you should use when analyzing a project. Use this to discover what's in your project before validation or documentation generation.

PURPOSE:

  • Scan project source code for licenses (using purl2notices)

  • Detect ALL packages including transitive dependencies (scans node_modules/, site-packages/, vendor/)

  • Extract copyright statements from source code

  • Check for vulnerabilities (using vulnq)

  • Validate against policy (using ospac)

WHAT purl2notices DETECTS:

  • Project source licenses (from your own code)

  • Dependency packages (ALL packages in node_modules/, not just package.json)

  • Package licenses (from dependency source code)

  • Copyright holders (extracted from actual source files)

IMPORTANT: This tool scans the ENTIRE dependency tree:

  • For npm projects: All 50+ packages in node_modules/ (not just the 1-2 in package.json)

  • For Python projects: All packages in site-packages/ or virtualenv

  • Includes transitive dependencies automatically

WHEN TO USE:

  • Starting compliance analysis for a new project (FIRST STEP)

  • Need to discover all licenses in source code

  • Want to identify all package dependencies (including transitive)

  • Beginning vulnerability assessment

  • Need comprehensive project analysis with copyright attribution

WHEN NOT TO USE:

  • Already have PURLs and just need legal notices → use generate_legal_notices directly

  • Analyzing compiled binaries → use scan_binary instead

  • Just validating known licenses → use validate_license_list

  • Checking single package → use check_package

WORKFLOW POSITION: FIRST STEP in most compliance workflows. Use this to discover what's in your project before validation/generation.

TYPICAL NEXT STEPS:

  1. For mobile apps: scan_directory(check_vulnerabilities=True) → validate_license_list(distribution="mobile") → generate_legal_notices(purls=scan_result["packages"])

  2. For vulnerability assessment: scan_directory(check_vulnerabilities=True) → analyze_commercial_risk(path=".") → check specific packages with check_package for details

  3. For documentation: scan_directory() → generate_legal_notices(purls=scan_result["packages"]) → generate_sbom(path=".")

IMPORTANT NOTES:

  • identify_packages parameter is deprecated (purl2notices always detects packages)

  • check_vulnerabilities=True: Checks all detected packages for CVEs

  • check_licenses parameter is deprecated (purl2notices always scans licenses)

  • Scans recursively by default (max depth 3 into node_modules/)

Args: path: Directory or file path to scan recursive: Enable recursive scanning (default: True, max depth 3) check_vulnerabilities: Check for vulnerabilities in detected packages check_licenses: (Deprecated - always True) Scan for licenses identify_packages: (Deprecated - always True) Detect packages policy_file: Optional policy file for license compliance validation

Returns: Dictionary containing: - licenses: List of detected licenses from project and dependencies - packages: List of ALL detected packages with PURLs (includes transitive deps) - vulnerabilities: List of vulnerabilities (if check_vulnerabilities=True) - policy_violations: Policy violations (if policy_file provided) - metadata: Summary information including copyright holders and counts

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
pathYes
recursiveNo
policy_fileNo
check_licensesNo
identify_packagesNo
check_vulnerabilitiesNo

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden. It comprehensively discloses behavior: scans entire dependency trees (including transitive), recursive scanning with max depth 3, deprecation of parameters, and what is detected (licenses, packages, vulnerabilities, policy). No contradictions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is long but well-structured with clear sections. It is slightly verbose due to repetition (e.g., 'FIRST STEP' appears multiple times), but the structure (uppercase headers, bullet points, examples) makes it easy to scan. Every sentence adds value.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (6 parameters, no schema descriptions, 13 sibling tools), the description is remarkably complete. It covers purpose, scope, usage guidelines, parameter details, return values, deprecation notes, and workflow examples. No gaps remain for an AI to misuse the tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 0%, but the description explains each parameter in detail: path (required), recursive (default true, max depth 3), check_vulnerabilities (default false, checks CVEs), check_licenses (deprecated, always true), identify_packages (deprecated, always false), policy_file (optional). It also describes the return dictionary structure, adding significant value beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: scanning a directory for compliance issues using purl2notices. It distinguishes itself from siblings by explicitly marking itself as the FIRST STEP and providing alternative tools for specific scenarios (e.g., generate_legal_notices, scan_binary).

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description includes explicit 'WHEN TO USE' and 'WHEN NOT TO USE' sections, clearly listing conditions and alternative tools. It also provides workflow examples showing typical next steps, making it easy for the AI to decide when to invoke this tool.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/SemClone/mcp-semclone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server