@herodevs/cli 2.0.0-beta.13 → 2.0.0-beta.15

package/README.md

@@ -43,11 +43,11 @@ npm install -g @herodevs/cli@beta
 HeroDevs CLI is available as a binary installation, without requiring `npm`. To do that, you may either download and run the script manually, or use the following cURL or Wget command:
 
 ```sh
-curl -o- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.13/scripts/install.sh | bash
+curl -o- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.15/scripts/install.sh | bash
 ```
 
 ```sh
-wget -qO- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.13/scripts/install.sh | bash
+wget -qO- https://raw.githubusercontent.com/herodevs/cli/v2.0.0-beta.15/scripts/install.sh | bash
 ```
 
 ## Scanning Behavior
@@ -72,7 +72,7 @@ $ npm install -g @herodevs/cli@beta
 $ hd COMMAND
 running command...
 $ hd (--version)
-@herodevs/cli/2.0.0-beta.12 darwin-arm64 node-v24.10.0
+@herodevs/cli/2.0.0-beta.15 darwin-arm64 node-v24.10.0
 $ hd --help [COMMAND]
 USAGE
   $ hd COMMAND
@@ -81,11 +81,58 @@ USAGE
 <!-- usagestop -->
 ## Commands
 <!-- commands -->
+* [`hd auth login`](#hd-auth-login)
+* [`hd auth logout`](#hd-auth-logout)
+* [`hd auth provision-ci-token`](#hd-auth-provision-ci-token)
 * [`hd help [COMMAND]`](#hd-help-command)
 * [`hd report committers`](#hd-report-committers)
 * [`hd scan eol`](#hd-scan-eol)
+* [`hd tracker init`](#hd-tracker-init)
+* [`hd tracker run`](#hd-tracker-run)
 * [`hd update [CHANNEL]`](#hd-update-channel)
-  * **NOTE:** Only applies to [binary installation method](#binary-installation). NPM users should use [`npm install`](#global-npm-installation) to update to the latest version.
+* **NOTE:** Only applies to [binary installation method](#binary-installation). NPM users should use [`npm install`](#global-npm-installation) to update to the latest version.
+
+## `hd auth login`
+
+OAuth CLI login
+
+```
+USAGE
+  $ hd auth login
+
+DESCRIPTION
+  OAuth CLI login
+```
+
+_See code: [src/commands/auth/login.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/auth/login.ts)_
+
+## `hd auth logout`
+
+Logs out of HeroDevs OAuth and clears stored tokens
+
+```
+USAGE
+  $ hd auth logout
+
+DESCRIPTION
+  Logs out of HeroDevs OAuth and clears stored tokens
+```
+
+_See code: [src/commands/auth/logout.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/auth/logout.ts)_
+
+## `hd auth provision-ci-token`
+
+Provision a CI/CD long-lived refresh token for headless auth
+
+```
+USAGE
+  $ hd auth provision-ci-token
+
+DESCRIPTION
+  Provision a CI/CD long-lived refresh token for headless auth
+```
+
+_See code: [src/commands/auth/provision-ci-token.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/auth/provision-ci-token.ts)_
 
 ## `hd help [COMMAND]`
 
@@ -105,7 +152,7 @@ DESCRIPTION
   Display help for hd.
 ```
 
-_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.34/src/commands/help.ts)_
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/6.2.37/src/commands/help.ts)_
 
 ## `hd report committers`
 
@@ -113,15 +160,20 @@ Generate report of committers to a git repository
 
 ```
 USAGE
-  $ hd report committers [--json] [-m <value>] [-c] [-s]
+  $ hd report committers [--json] [-x <value>...] [-d <value>] [--monthly] [-m <value> | -s <value> | -e <value> |  | ]
+    [-c] [-s]
 
 FLAGS
-  -c, --csv             Output in CSV format
-  -m, --months=<value>  [default: 12] The number of months of git history to review
-  -s, --save            Save the committers report as herodevs.committers.<output>
-
-GLOBAL FLAGS
-  --json  Format output as json.
+  -c, --csv                 Output in CSV format
+  -d, --directory=<value>   Directory to search
+  -e, --afterDate=<value>   [default: 2025-02-26] Start date (format: yyyy-MM-dd)
+  -m, --months=<value>      [default: 12] The number of months of git history to review. Cannot be used along beforeDate
+                            and afterDate
+  -s, --beforeDate=<value>  [default: 2026-02-26] End date (format: yyyy-MM-dd)
+  -s, --save                Save the committers report as herodevs.committers.<output>
+  -x, --exclude=<value>...  Path Exclusions (eg -x="./src/bin" -x="./dist")
+      --json                Output to JSON format
+      --monthly             Break down by calendar month.
 
 DESCRIPTION
   Generate report of committers to a git repository
@@ -136,7 +188,7 @@ EXAMPLES
   $ hd report committers --csv
 ```
 
-_See code: [src/commands/report/committers.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.12/src/commands/report/committers.ts)_
+_See code: [src/commands/report/committers.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/report/committers.ts)_
 
 ## `hd scan eol`
 
@@ -145,7 +197,7 @@ Scan a given SBOM for EOL data
 ```
 USAGE
   $ hd scan eol [--json] [-f <value> | -d <value>] [-s] [-o <value>] [--saveSbom] [--sbomOutput <value>]
-    [--saveTrimmedSbom] [--hideReportUrl] [--version]
+    [--saveTrimmedSbom] [--hideReportUrl] [--automated] [--version]
 
 FLAGS
   -d, --dir=<value>         [default: <current directory>] The directory to scan in order to create a cyclonedx SBOM
@@ -153,6 +205,7 @@ FLAGS
   -o, --output=<value>      Save the generated report to a custom path (defaults to herodevs.report.json when not
                             provided)
   -s, --save                Save the generated report as herodevs.report.json in the scanned directory
+      --automated           Mark scan as automated (for CI/CD pipelines)
       --hideReportUrl       Hide the generated web report URL for this scan
       --saveSbom            Save the generated SBOM as herodevs.sbom.json in the scanned directory
       --saveTrimmedSbom     Save the trimmed SBOM as herodevs.sbom-trimmed.json in the scanned directory
@@ -182,16 +235,71 @@ EXAMPLES
 
     $ hd scan eol --save --saveSbom
 
-  Save the report and SBOM to custom paths
-
-    $ hd scan eol --dir . --save --saveSbom --output ./reports/my-report.json --sbomOutput ./reports/my-sbom.json
-
   Output the report in JSON format (for APIs, CI, etc.)
 
     $ hd scan eol --json
 ```
 
-_See code: [src/commands/scan/eol.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.12/src/commands/scan/eol.ts)_
+_See code: [src/commands/scan/eol.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/scan/eol.ts)_
+
+## `hd tracker init`
+
+Initialize the tracker configuration
+
+```
+USAGE
+  $ hd tracker init [--force -o] [-d <value>] [-f <value>] [-i <value>...]
+
+FLAGS
+  -d, --outputDir=<value>          [default: hd-tracker] Output directory for the tracker configuration file
+  -f, --configFile=<value>         [default: config.json] Filename for the tracker configuration file
+  -i, --ignorePatterns=<value>...  [default: node_modules] Ignore patterns to use for the tracker configuration file
+  -o, --overwrite                  Overwrites the tracker configuration file if it exists
+      --force                      Force tracker configuration file creation. Use with --overwrite flag
+
+DESCRIPTION
+  Initialize the tracker configuration
+
+EXAMPLES
+  $ hd tracker init
+
+  $ hd tracker init -d trackerDir
+
+  $ hd tracker init -d trackerDir -f configFileName
+
+  $ hd tracker init -i node_modules
+
+  $ hd tracker init -i node_modules -i custom_modules
+
+  $ hd tracker init -o
+```
+
+_See code: [src/commands/tracker/init.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/tracker/init.ts)_
+
+## `hd tracker run`
+
+Run the tracker
+
+```
+USAGE
+  $ hd tracker run [-d <value>] [-f <value>]
+
+FLAGS
+  -d, --configDir=<value>   [default: hd-tracker] Directory where the tracker configuration file resides
+  -f, --configFile=<value>  [default: config.json] Filename for the tracker configuration file
+
+DESCRIPTION
+  Run the tracker
+
+EXAMPLES
+  $ hd tracker run
+
+  $ hd tracker run -d tracker-configuration
+
+  $ hd tracker run -d tracker -f settings.json
+```
+
+_See code: [src/commands/tracker/run.ts](https://github.com/herodevs/cli/blob/v2.0.0-beta.15/src/commands/tracker/run.ts)_
 
 ## `hd update [CHANNEL]`
 
@@ -231,13 +339,77 @@ EXAMPLES
     $ hd update --available
 ```
 
-_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.7.13/src/commands/update.ts)_
+_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/4.7.18/src/commands/update.ts)_
 <!-- commandsstop -->
 
 ## CI/CD Usage
 
 You can use `@herodevs/cli` in your CI/CD pipelines to automate EOL scanning.
 
+### CI/CD authentication
+
+For headless use in CI/CD (e.g. GitHub Actions, GitLab CI), the CLI supports long-lived organization-scoped refresh tokens. You do not need to run an interactive login in the pipeline.
+
+**One-time setup (interactive):**
+
+```bash
+hd auth login
+hd auth provision-ci-token
+```
+
+Copy the token output, add as CI secret: `HD_CI_CREDENTIAL`
+
+**CI pipeline (headless):** Run `hd scan eol` directly with `HD_CI_CREDENTIAL` set. The CLI exchanges the token for an access token automatically:
+
+```bash
+export HD_CI_CREDENTIAL="<token>"
+hd scan eol --dir .
+```
+
+| Secret / Env Var | Purpose |
+|------------------|---------|
+| `HD_CI_CREDENTIAL` | Refresh token from provision; exchanged for access token |
+
+#### Local testing
+
+Reproduce the CI flow locally:
+
+```bash
+export HD_CI_CREDENTIAL="<token-from-provision>"
+hd scan eol --dir /path/to/project
+```
+
+#### GitHub Actions (authenticated scan)
+
+Add secret `HD_CI_CREDENTIAL` in your repository or organization, then:
+
+```yaml
+- uses: actions/checkout@v5
+- uses: actions/setup-node@v6
+  with:
+    node-version: '24'
+- name: Run EOL Scan
+  env:
+    HD_CI_CREDENTIAL: ${{ secrets.HD_CI_CREDENTIAL }}
+  run: npx @herodevs/cli@beta scan eol -s
+```
+
+#### GitLab CI (authenticated scan)
+
+Add CI/CD variable `HD_CI_CREDENTIAL` (masked) in your project:
+
+```yaml
+eol-scan:
+  image: node:24
+  variables:
+    HD_CI_CREDENTIAL: $HD_CI_CREDENTIAL
+  script:
+    - npx @herodevs/cli@beta scan eol -s
+  artifacts:
+    paths:
+      - herodevs.report.json
+```
+
 ### Using the Docker Image (Recommended)
 
 We provide a Docker image that's pre-configured to run EOL scans. Based on [`cdxgen`](https://github.com/CycloneDX/cdxgen),

package/dist/api/apollo.client.d.ts

@@ -0,0 +1,3 @@
+import { ApolloClient } from '@apollo/client/core';
+export type TokenProvider = (forceRefresh?: boolean) => Promise<string>;
+export declare const createApollo: (uri: string, tokenProvider?: TokenProvider) => ApolloClient;

package/dist/api/apollo.client.js

@@ -0,0 +1,53 @@
+import { ApolloClient, HttpLink, InMemoryCache } from '@apollo/client/core';
+import { requireAccessTokenForScan } from "../service/auth.svc.js";
+function isTokenEndpoint(input) {
+    let urlString;
+    if (typeof input === 'string') {
+        urlString = input;
+    }
+    else if (input instanceof Request) {
+        urlString = input.url;
+    }
+    else {
+        urlString = input.toString();
+    }
+    try {
+        const url = new URL(urlString);
+        return url.pathname.endsWith('/token');
+    }
+    catch {
+        const pathOnly = urlString.split('?')[0].split('#')[0];
+        return pathOnly.endsWith('/token');
+    }
+}
+const createAuthorizedFetch = (tokenProvider) => async (input, init) => {
+    const headers = new Headers(init?.headers);
+    const token = await tokenProvider();
+    if (token) {
+        headers.set('Authorization', `Bearer ${token}`);
+    }
+    const response = await fetch(input, { ...init, headers });
+    if (response.status === 401 &&
+        !isTokenEndpoint(input) &&
+        (init?.method === 'GET' || init?.method === undefined || init?.method === 'POST')) {
+        const refreshed = await tokenProvider(true);
+        const retryHeaders = new Headers(init?.headers);
+        retryHeaders.set('Authorization', `Bearer ${refreshed}`);
+        return fetch(input, { ...init, headers: retryHeaders });
+    }
+    return response;
+};
+export const createApollo = (uri, tokenProvider = requireAccessTokenForScan) => new ApolloClient({
+    cache: new InMemoryCache(),
+    defaultOptions: {
+        query: { fetchPolicy: 'no-cache', errorPolicy: 'all' },
+        mutate: { errorPolicy: 'all' },
+    },
+    link: new HttpLink({
+        uri,
+        fetch: createAuthorizedFetch(tokenProvider),
+        headers: {
+            'User-Agent': `hdcli/${process.env.npm_package_version ?? 'unknown'}`,
+        },
+    }),
+});

package/dist/api/ci-token.client.d.ts

@@ -0,0 +1,26 @@
+export type IamAccessOrgTokensInput = {
+    orgId: number;
+    previousToken?: never;
+} | {
+    orgId?: never;
+    previousToken: string;
+};
+export interface ProvisionCITokenResponse {
+    refresh_token: string;
+}
+export interface ProvisionCITokenOptions {
+    orgId?: number;
+    previousToken?: string | null;
+}
+export declare function getOrgAccessTokensUnauthenticated(input: IamAccessOrgTokensInput): Promise<{
+    accessToken: string;
+    refreshToken: string;
+}>;
+export interface ExchangeCITokenOptions {
+    refreshToken: string;
+}
+export declare function exchangeCITokenForAccess(options: ExchangeCITokenOptions): Promise<{
+    accessToken: string;
+    refreshToken: string;
+}>;
+export declare function provisionCIToken(options?: ProvisionCITokenOptions): Promise<ProvisionCITokenResponse>;

package/dist/api/ci-token.client.js

@@ -0,0 +1,95 @@
+import { config } from "../config/constants.js";
+import { requireAccessToken } from "../service/auth.svc.js";
+import { debugLogger } from "../service/log.svc.js";
+import { createApollo } from "./apollo.client.js";
+import { ApiError, isApiErrorCode } from "./errors.js";
+import { getOrgAccessTokensMutation } from "./gql-operations.js";
+import { getGraphQLErrors } from "./graphql-errors.js";
+const graphqlUrl = `${config.graphqlHost}${config.graphqlPath}`;
+const noAuthTokenProvider = async () => '';
+function extractErrorCode(errors) {
+    const code = errors[0]?.extensions?.code;
+    if (!code || !isApiErrorCode(code))
+        return;
+    return code;
+}
+async function getOrgAccessTokens(input) {
+    const client = createApollo(graphqlUrl, requireAccessToken);
+    const res = await client.mutate({
+        mutation: getOrgAccessTokensMutation,
+        variables: {
+            input,
+        },
+    });
+    const errors = getGraphQLErrors(res);
+    if (res?.error || errors?.length) {
+        debugLogger('Error returned from getOrgAccessTokens mutation: %o', res.error ?? errors);
+        if (errors?.length) {
+            const code = extractErrorCode(errors);
+            if (code) {
+                throw new ApiError(errors[0].message ?? 'CI token provisioning failed', code);
+            }
+            throw new Error(errors[0].message ?? 'CI token provisioning failed');
+        }
+        const msg = res?.error instanceof Error ? res.error.message : res?.error ? String(res.error) : '';
+        throw new Error(msg || 'CI token provisioning failed');
+    }
+    const tokens = res.data?.iamV2?.access?.getOrgAccessTokens;
+    if (!tokens?.refreshToken || tokens.refreshToken.trim() === '') {
+        throw new Error('CI token provisioning response missing refreshToken');
+    }
+    return {
+        accessToken: tokens.accessToken ?? '',
+        refreshToken: tokens.refreshToken,
+    };
+}
+export async function getOrgAccessTokensUnauthenticated(input) {
+    return callGetOrgAccessTokensInternal(input, noAuthTokenProvider);
+}
+async function callGetOrgAccessTokensInternal(input, tokenProvider) {
+    const client = createApollo(graphqlUrl, tokenProvider);
+    const res = await client.mutate({
+        mutation: getOrgAccessTokensMutation,
+        variables: { input },
+    });
+    const errors = getGraphQLErrors(res);
+    if (res?.error || errors?.length) {
+        debugLogger('Error returned from getOrgAccessTokens mutation: %o', res.error ?? errors);
+        if (errors?.length) {
+            const code = extractErrorCode(errors);
+            if (code) {
+                throw new ApiError(errors[0].message ?? 'CI token refresh failed', code);
+            }
+            throw new Error(errors[0].message ?? 'CI token refresh failed');
+        }
+        const msg = res?.error instanceof Error ? res.error.message : res?.error ? String(res.error) : '';
+        throw new Error(msg || 'CI token refresh failed');
+    }
+    const tokens = res.data?.iamV2?.access?.getOrgAccessTokens;
+    if (!tokens?.accessToken) {
+        throw new Error('getOrgAccessTokens response missing accessToken');
+    }
+    return {
+        accessToken: tokens.accessToken,
+        refreshToken: tokens.refreshToken ?? '',
+    };
+}
+export async function exchangeCITokenForAccess(options) {
+    const { refreshToken } = options;
+    return callGetOrgAccessTokensInternal({ previousToken: refreshToken }, noAuthTokenProvider);
+}
+export async function provisionCIToken(options = {}) {
+    const { orgId, previousToken } = options;
+    let input;
+    if (previousToken != null && previousToken !== '') {
+        input = { previousToken };
+    }
+    else if (orgId != null) {
+        input = { orgId };
+    }
+    else {
+        throw new Error('Either orgId or previousToken is required to provision a CI token');
+    }
+    const result = await getOrgAccessTokens(input);
+    return { refresh_token: result.refreshToken };
+}

package/dist/api/errors.d.ts

@@ -0,0 +1,8 @@
+declare const API_ERROR_CODES: readonly ["SESSION_EXPIRED", "INVALID_TOKEN", "UNAUTHENTICATED", "FORBIDDEN"];
+export type ApiErrorCode = (typeof API_ERROR_CODES)[number];
+export declare class ApiError extends Error {
+    readonly code: ApiErrorCode;
+    constructor(message: string, code: ApiErrorCode);
+}
+export declare function isApiErrorCode(code: string): code is ApiErrorCode;
+export {};

package/dist/api/errors.js

@@ -0,0 +1,13 @@
+const API_ERROR_CODES = ['SESSION_EXPIRED', 'INVALID_TOKEN', 'UNAUTHENTICATED', 'FORBIDDEN'];
+const VALID_API_ERROR_CODES = new Set(API_ERROR_CODES);
+export class ApiError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.name = 'ApiError';
+        this.code = code;
+    }
+}
+export function isApiErrorCode(code) {
+    return VALID_API_ERROR_CODES.has(code);
+}

package/dist/api/gql-operations.d.ts

@@ -1,2 +1,5 @@
 export declare const createReportMutation: import("graphql/language/ast.js").DocumentNode;
 export declare const getEolReportQuery: import("graphql/language/ast.js").DocumentNode;
+export declare const userSetupStatusQuery: import("graphql/language/ast.js").DocumentNode;
+export declare const completeUserSetupMutation: import("graphql/language/ast.js").DocumentNode;
+export declare const getOrgAccessTokensMutation: import("graphql/language/ast.js").DocumentNode;

package/dist/api/gql-operations.js

@@ -1,4 +1,4 @@
-import { gql } from '@apollo/client/core/core.cjs';
+import { gql } from '@apollo/client/core';
 export const createReportMutation = gql `
 mutation createReport($input: CreateEolReportInput) {
   eol {
@@ -20,6 +20,7 @@ query GetEolReport($input: GetEolReportInput) {
       components {
         purl
         metadata
+        dependencySummary
         nesRemediation {
           remediations {
             urls {
@@ -34,3 +35,37 @@ query GetEolReport($input: GetEolReportInput) {
   }
 }
 `;
+export const userSetupStatusQuery = gql `
+query Eol {
+  eol {
+    userSetupStatus {
+      isComplete
+      orgId
+    }
+  }
+}
+`;
+export const completeUserSetupMutation = gql `
+mutation Eol {
+  eol {
+    completeUserSetup {
+      isComplete
+      orgId
+    }
+  }
+}
+`;
+export const getOrgAccessTokensMutation = gql `
+mutation GetOrgAccessTokens(
+  $input: IamAccessOrgTokensInput!
+) {
+  iamV2 {
+    access {
+      getOrgAccessTokens(input: $input) {
+        accessToken
+        refreshToken
+      }
+    }
+  }
+}
+`;

package/dist/api/graphql-errors.d.ts

@@ -0,0 +1,6 @@
+import type { GraphQLFormattedError } from 'graphql';
+export type GraphQLErrorResult = {
+    error?: unknown;
+    errors?: ReadonlyArray<GraphQLFormattedError>;
+};
+export declare function getGraphQLErrors(result: GraphQLErrorResult): ReadonlyArray<GraphQLFormattedError> | undefined;

package/dist/api/graphql-errors.js

@@ -0,0 +1,22 @@
+export function getGraphQLErrors(result) {
+    if (result.errors?.length) {
+        return result.errors;
+    }
+    const error = result.error;
+    if (!error || typeof error !== 'object') {
+        return;
+    }
+    if ('errors' in error) {
+        const errors = error.errors;
+        if (errors?.length) {
+            return errors;
+        }
+    }
+    if ('graphQLErrors' in error) {
+        const errors = error.graphQLErrors;
+        if (errors?.length) {
+            return errors;
+        }
+    }
+    return;
+}

package/dist/api/nes.client.d.ts

@@ -1,6 +1,5 @@
-import { ApolloClient } from '@apollo/client/core/index.js';
 import type { CreateEolReportInput, EolReport } from '@herodevs/eol-shared';
-export declare const createApollo: (uri: string) => ApolloClient<import("@apollo/client/core/index.js").NormalizedCacheObject>;
+import { createApollo } from './apollo.client.ts';
 export declare const SbomScanner: (client: ReturnType<typeof createApollo>) => (input: CreateEolReportInput) => Promise<EolReport>;
 export declare class NesClient {
     startScan: ReturnType<typeof SbomScanner>;

package/dist/api/nes.client.js

@@ -1,29 +1,32 @@
-import { ApolloClient, HttpLink, InMemoryCache } from '@apollo/client/core/index.js';
 import { config } from "../config/constants.js";
 import { debugLogger } from "../service/log.svc.js";
 import { stripTypename } from "../utils/strip-typename.js";
+import { createApollo } from "./apollo.client.js";
+import { ApiError, isApiErrorCode } from "./errors.js";
 import { createReportMutation, getEolReportQuery } from "./gql-operations.js";
-export const createApollo = (uri) => new ApolloClient({
-    cache: new InMemoryCache(),
-    defaultOptions: {
-        query: { fetchPolicy: 'no-cache', errorPolicy: 'all' },
-        mutate: { errorPolicy: 'all' },
-    },
-    link: new HttpLink({
-        uri,
-        headers: {
-            'User-Agent': `hdcli/${process.env.npm_package_version ?? 'unknown'}`,
-        },
-    }),
-});
+import { getGraphQLErrors } from "./graphql-errors.js";
+function extractErrorCode(errors) {
+    const code = errors[0]?.extensions?.code;
+    if (!code || !isApiErrorCode(code))
+        return;
+    return code;
+}
 export const SbomScanner = (client) => {
     return async (input) => {
-        const res = await client.mutate({
+        let res;
+        res = await client.mutate({
             mutation: createReportMutation,
             variables: { input },
         });
-        if (res?.errors?.length) {
-            debugLogger('GraphQL errors in createReport: %o', res.errors);
+        const errors = getGraphQLErrors(res);
+        if (res?.error || errors?.length) {
+            debugLogger('Error returned from createReport mutation: %o', res.error || errors);
+            if (errors?.length) {
+                const code = extractErrorCode(errors);
+                if (code) {
+                    throw new ApiError(errors[0].message, code);
+                }
+            }
             throw new Error('Failed to create EOL report');
         }
         const result = res.data?.eol?.createReport;
@@ -47,10 +50,18 @@ export const SbomScanner = (client) => {
         let reportMetadata = null;
         for (let i = 0; i < pages.length; i += config.concurrentPageRequests) {
             const batch = pages.slice(i, i + config.concurrentPageRequests);
-            const batchResponses = await Promise.all(batch);
+            let batchResponses;
+            batchResponses = await Promise.all(batch);
             for (const response of batchResponses) {
-                if (response?.errors?.length) {
-                    debugLogger('GraphQL errors in getReport query: %o', response.errors);
+                const queryErrors = getGraphQLErrors(response);
+                if (response?.error || queryErrors?.length || !response.data?.eol) {
+                    debugLogger('Error in getReport query response: %o', response?.error ?? queryErrors ?? response);
+                    if (queryErrors?.length) {
+                        const code = extractErrorCode(queryErrors);
+                        if (code) {
+                            throw new ApiError(queryErrors[0].message, code);
+                        }
+                    }
                     throw new Error('Failed to fetch EOL report');
                 }
                 const report = response.data.eol.report;