https://github.com/einride/csp-evaluator-cli
A command line tool to validate Content-Security-Policy rules
https://github.com/einride/csp-evaluator-cli
cli content-security-policy einride
Last synced: 12 months ago
JSON representation
A command line tool to validate Content-Security-Policy rules
- Host: GitHub
- URL: https://github.com/einride/csp-evaluator-cli
- Owner: einride
- License: mit
- Created: 2024-09-02T08:50:40.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2025-06-27T05:10:24.000Z (about 1 year ago)
- Last Synced: 2025-06-27T06:21:23.278Z (about 1 year ago)
- Topics: cli, content-security-policy, einride
- Language: JavaScript
- Homepage:
- Size: 1.14 MB
- Stars: 4
- Watchers: 4
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# csp-evaluator-cli
A command line tool that wraps [csp-evaluator].
## Installation
```
$ npm install -g @einride/csp-evaluator-cli
```
## Usage
CLI interface strives to mimic [CSP Evaluator online tool]. It takes Content Security Policy as a string,
and outputs findings based on that into stdout.
### Output format
There are three supported output formats:
1. **human** (default)
Mimics [CSP Evaluator online tool] output.
```
> csp validate "script-src https://google.com"
! Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
script-src:
? https://google.com: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
```
2. **json**
JSON is passed as is from [csp-evaluator] output.
```
> csp validate --output-format=json "script-src https://google.com"
[{"type":300,"description":"Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?","severity":10,"directive":"object-src"},{"type":305,"description":"No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.","severity":50,"directive":"script-src","value":"https://google.com"}]
```
3. **json-pretty**
Same as **json**, but with indentations.
```
> csp validate --output-format=json-pretty "script-src https://google.com"
[
{
"type": 300,
"description": "Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?",
"severity": 10,
"directive": "object-src"
},
{
"type": 305,
"description": "No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.",
"severity": 50,
"directive": "script-src",
"value": "https://google.com"
}
]
```
### Exit codes
Exit code is always 0, except for a case when a policy contains syntax errors.
```
> csp validate "script https://google.com"
! Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
! script-src directive is missing.
x Directive "script" is not a known CSP directive.
> $?
> 1
```
### Input
1. As an argument
```
> csp validate "script-src https://google.com"
```
2. From stdin
```
> echo "script-src https://google.com" | csp validate -
```
3. From a file
```
> echo "script-src https://google.com" > policy.txt
> csp validate policy.txt
```
## Contribute
See [Contributing Guide](./CONTRIBUTING.md).
## Security Policy
See [Security Policy](./SECURITY.md).
## License
[MIT](./LICENSE)
[csp evaluator online tool]: https://csp-evaluator.withgoogle.com/
[csp-evaluator]: https://github.com/google/csp-evaluator