https://github.com/nodesecure/scanner
⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
audit nodejs nodesecure sast scanner security
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/nodesecure/scanner
- Owner: NodeSecure
- License: mit
- Created: 2021-06-04T09:31:03.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2025-04-01T09:54:26.000Z (10 months ago)
- Last Synced: 2025-04-05T23:12:21.874Z (10 months ago)
- Topics: audit, nodejs, nodesecure, sast, scanner, security
- Language: TypeScript
- Homepage:
- Size: 1.5 MB
- Stars: 32
- Watchers: 2
- Forks: 14
- Open Issues: 11
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
README



⚡️ Run a static analysis of your module's dependencies.
## Requirements
- [Node.js](https://nodejs.org/en/) version 22 or higher
## Features
Scanner builds on [JS-X-Ray](https://github.com/NodeSecure/js-x-ray) (SAST) and [Vulnera](https://github.com/NodeSecure/vulnera) (CVE detection), and adds further detections of its own, such as:
- Detects:
  - [Manifest confusion](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)
  - [Dependency confusion](https://www.landh.tech/blog/20250610-netflix-vulnerability-dependency-confusion/)
  - Typosquatting of popular package names
  - Install scripts (e.g. `install`, `preinstall`, `postinstall`, `preuninstall`, `postuninstall`)
- Highlights packages by name, version(s), or maintainer
- Supports NPM and Yarn lockfiles
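To make three of the detections above concrete, here is a self-contained added example (not the scanner's own implementation, and not code from the NodeSecure project): it flags npm lifecycle install scripts in a manifest, reports fields on which a registry manifest and the tarball's `package.json` disagree (the core of manifest confusion), and finds names within one edit (including a transposition) of a popular package. The function names, the distance threshold, the short `POPULAR_NAMES` list and the two sample manifests are all assumptions constructed for this example; the scanner's real lists and heuristics differ.

```javascript
// Added example, not code from @nodesecure/scanner: self-contained versions of
// three checks listed in the Features section, run over constructed manifests.
// Function names, thresholds and sample data are this example's own assumptions.

// npm lifecycle hooks that run automatically on install or uninstall.
const INSTALL_HOOKS = ["install", "preinstall", "postinstall", "preuninstall", "postuninstall"];

// Install scripts: return the lifecycle hooks a manifest declares.
function findInstallScripts(manifest) {
  const scripts = manifest.scripts ?? {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Key-order-independent serialisation so two manifests compare by content.
function stable(value) {
  if (Array.isArray(value)) return "[" + value.map(stable).join(",") + "]";
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  return "{" + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ":" + stable(value[k])).join(",") + "}";
}

// Manifest confusion: the registry's per-version manifest and the package.json
// inside the published tarball can disagree. Report the fields that differ.
function findManifestMismatches(registryManifest, tarballManifest) {
  const fields = ["name", "version", "dependencies", "scripts"];
  return fields.filter(
    (f) => stable(registryManifest[f] ?? null) !== stable(tarballManifest[f] ?? null)
  );
}

// Optimal string alignment distance: edits plus adjacent transpositions,
// so "lodahs" is one step from "lodash".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Typosquatting: popular names within maxDistance of a name that is not itself popular.
function findTyposquatCandidates(name, popularNames, maxDistance = 1) {
  if (popularNames.includes(name)) return [];
  return popularNames.filter((p) => osaDistance(name, p) <= maxDistance);
}

// Combine the three checks into one list of findings for a package version.
function analyzePackage({ registryManifest, tarballManifest, popularNames }) {
  const findings = [];
  for (const hook of findInstallScripts(tarballManifest)) findings.push(`install-script:${hook}`);
  for (const f of findManifestMismatches(registryManifest, tarballManifest)) findings.push(`manifest-mismatch:${f}`);
  for (const t of findTyposquatCandidates(tarballManifest.name, popularNames)) findings.push(`typosquat:${t}`);
  return findings;
}

// Constructed sample data (assumption: a short stand-in for a real popular-names list).
const POPULAR_NAMES = ["lodash", "express", "react", "axios", "chalk"];
const SAMPLE = {
  registryManifest: { name: "lodahs", version: "1.0.0", dependencies: {}, scripts: { test: "node test.js" } },
  tarballManifest: { name: "lodahs", version: "1.0.0", dependencies: {}, scripts: { test: "node test.js", postinstall: "node setup.js" } },
  popularNames: POPULAR_NAMES
};

console.log(analyzePackage(SAMPLE));
```

The registry manifest and the tarball manifest are compared field by field rather than as whole documents, because a registry entry legitimately carries extra metadata (`dist`, `_id` and similar) that never appears inside the tarball; only the fields that influence what gets installed and executed are compared.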
## Getting Started
This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
```bash
$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner
```
## Usage example
```js
import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// Run the analysis for every package concurrently.
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Persist each payload as <package>.json in the current directory.
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);
  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
await Promise.allSettled(promises);
```
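The usage example writes one JSON payload per package to disk; what a practitioner usually wants next is a policy gate over that payload in CI. The following is an added example, not code from the scanner project. The payload shape it walks (`dependencies` keyed by name, each with `versions` keyed by version, each carrying `flags` and `vulnerabilities`) and the flag names `hasScript` and `hasNativeCode` are assumptions about the scanner output; confirm them against `types.ts` for the version you run. `SAMPLE_PAYLOAD`, the policy and the placeholder vulnerability id are constructed for the example.

```javascript
// Added example, not code from @nodesecure/scanner: a CI gate over the JSON
// payload the usage example writes to disk. The payload shape assumed here
// (dependencies -> versions -> { flags, vulnerabilities }) and the flag names
// are assumptions about the scanner output; confirm them against types.ts.
// SAMPLE_PAYLOAD is constructed for this example.

const SAMPLE_PAYLOAD = {
  rootDependencyName: "my-app",
  dependencies: {
    "left-pad": {
      versions: { "1.3.0": { flags: [], vulnerabilities: [] } }
    },
    "tiny-setup": {
      versions: { "0.2.1": { flags: ["hasScript", "hasWarnings"], vulnerabilities: [] } }
    },
    "old-lib": {
      versions: {
        "2.0.0": {
          flags: ["isDeprecated"],
          vulnerabilities: [{ id: "VULN-ID-PLACEHOLDER", severity: "high" }]
        }
      }
    }
  }
};

// Policy: flags and severities that fail the build, plus an allow list of
// "name@version" specs that have been reviewed and accepted.
const DEFAULT_POLICY = {
  blockFlags: ["hasScript", "hasNativeCode"],
  blockSeverities: ["critical", "high"],
  allowList: new Set()
};

// Walk every dependency version and collect the policy violations.
function evaluatePayload(payload, policy = DEFAULT_POLICY) {
  const findings = [];
  for (const [name, dep] of Object.entries(payload.dependencies ?? {})) {
    for (const [version, info] of Object.entries(dep.versions ?? {})) {
      const spec = `${name}@${version}`;
      if (policy.allowList.has(spec)) continue;
      for (const flag of info.flags ?? []) {
        if (policy.blockFlags.includes(flag)) findings.push({ spec, reason: `flag:${flag}` });
      }
      for (const vuln of info.vulnerabilities ?? []) {
        const severity = String(vuln.severity ?? "").toLowerCase();
        if (policy.blockSeverities.includes(severity)) {
          findings.push({ spec, reason: `vulnerability:${severity}` });
        }
      }
    }
  }
  return findings;
}

// Gate result: pass only when no finding survives the allow list.
function gatePayload(payload, policy = DEFAULT_POLICY) {
  const findings = evaluatePayload(payload, policy);
  return { pass: findings.length === 0, findings };
}

// Read a payload file (e.g. mocha.json from the usage example), print the
// findings and set the process exit code for CI.
async function gateFile(path) {
  const fs = await import("node:fs/promises");
  const payload = JSON.parse(await fs.readFile(path, "utf8"));
  const result = gatePayload(payload);
  for (const f of result.findings) console.error(`${f.spec}: ${f.reason}`);
  process.exitCode = result.pass ? 0 : 1;
  return result;
}

// Usage: node gate.js --file mocha.json
const fileArg = process.argv.indexOf("--file");
if (fileArg !== -1 && process.argv[fileArg + 1]) gateFile(process.argv[fileArg + 1]);
```

The allow list is keyed on `name@version` rather than on the bare name, so an accepted exception stops applying as soon as the dependency is bumped and has to be reviewed again.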
## API
See [types.ts](https://github.com/NodeSecure/scanner/blob/master/workspaces/scanner/src/types.ts) for a complete TypeScript definition.
```ts
function workingDir(
  location: string,
  options?: Scanner.WorkingDirOptions,
  logger?: Scanner.Logger
): Promise;

function from(
  packageName: string,
  options?: Scanner.FromOptions,
  logger?: Scanner.Logger
): Promise;

function verify(
  packageName?: string
): Promise;
```
`WorkingDirOptions` and `FromOptions` are described with the following TypeScript interfaces:
```ts
type WorkingDirOptions = Options & {
  /**
   * NPM runtime configuration (such as local .npmrc file)
   * It is optionally used to fetch registry authentication tokens
   */
  npmRcConfig?: Config;
};

type FromOptions = Omit;

interface Options {
  /**
   * Specifies the maximum depth to traverse for each root dependency.
   * A value of 2 would mean only traversing deps and their immediate deps.
   *
   * @default Infinity
   */
  maxDepth?: number;
  /**
   * Includes development dependencies in the walk.
   * Note that enabling this option can significantly increase I/O and processing time.
   *
   * @default false
   */
  includeDevDeps?: boolean;
  readonly registry?: string | URL;
  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     *
     * @default false
     */
    fetchManifest?: boolean;
    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };
  highlight?: {
    contacts: Contact[];
  };
  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;
  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true for cwd() API
   */
  readonly scanRootNode?: boolean;
}
```
Additional APIs are available at:
- [from](./workspaces/scanner/docs/from.md)
- [extractors](./workspaces/scanner/docs/extractors.md)
## Workspaces
Click on one of the links to access the documentation of the workspace:
| name | package and link |
| --- | --- |
| tarball | [@nodesecure/tarball](./workspaces/tarball) |
| tree-walker | [@nodesecure/tree-walker](./workspaces/tree-walker) |
| flags | [@nodesecure/flags](./workspaces/flags) |
| mama | [@nodesecure/mama](./workspaces/mama) |
| contact | [@nodesecure/contact](./workspaces/contact) |
| conformance | [@nodesecure/conformance](./workspaces/conformance) |
| npm-types | [@nodesecure/npm-types](./workspaces/npm-types) |
| i18n | [@nodesecure/i18n](./workspaces/i18n) |
| rc | [@nodesecure/rc](./workspaces/rc) |
| utils | [@nodesecure/utils](./workspaces/utils) |
| fs-walk | [@nodesecure/fs-walk](./workspaces/fs-walk) |
| github | [@nodesecure/github](./workspaces/github) |
| gitlab | [@nodesecure/gitlab](./workspaces/gitlab) |
## Contributors ✨
Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):

- Gentilhomme: 💻 📖 👀 🛡️ 🐛
- Tony Gorez: 💻 📖 👀 🐛
- Haze: 💻
- Maksim Balabash: 💻 🐛
- Antoine Coulon: 💻 🐛 👀 🚧 🛡️
- Nicolas Hallaert: 💻
- Yefis: 💻
- Franck Hallaert: 💻
- Ange TEKEU: 💻
- Vincent Dhennin: 💻 📖 👀 🐛
- Kouadio Fabrice Nguessan: 🚧
- PierreDemailly: 💻 👀 🐛 ⚠️
- Kishore: 💻 📖
- Clement Gombauld: 💻
- Ajāy: 💻 📖
- Nicolas Hallaert: 📖
- Maxime: ⚠️
- Ange TEKEU: 💻
- Alexandre Malaj: 💻 📖 🌍
- FredGuiou: 🚧
- Christian Lisangola: ⚠️
- Quentin Lepateley: 📖
- Antoine Neff: 🌍
- Kévin VOYER: 🌍
- Mathieu: 💻 🌍
- im_codebreaker: 💻 📖 🎨
- Ayushmaan Shrotriya: 📖
- Inès & Mélu: 📖
- zwOk9: ⚠️
- Pierre Martin: 📖
- Hamed Mohamed: 💻
## License
MIT