https://github.com/nodesecure/scanner
⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
audit nodejs nodesecure sast scanner security
- Host: GitHub
- URL: https://github.com/nodesecure/scanner
- Owner: NodeSecure
- License: mit
- Created: 2021-06-04T09:31:03.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2025-04-01T09:54:26.000Z (about 1 year ago)
- Last Synced: 2025-04-05T23:12:21.874Z (about 1 year ago)
- Topics: audit, nodejs, nodesecure, sast, scanner, security
- Language: TypeScript
- Homepage:
- Size: 1.5 MB
- Stars: 32
- Watchers: 2
- Forks: 14
- Open Issues: 11
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
README
⚡️ Run a static analysis of your module's dependencies.
## 💡 Features
Scanner builds on [JS-X-Ray](https://github.com/NodeSecure/js-x-ray) (SAST) and [Vulnera](https://github.com/NodeSecure/vulnera) (CVE detection), and adds further detections of its own, such as:
- Detects:
  - [Manifest confusion](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)
  - [Dependency confusion](https://www.landh.tech/blog/20250610-netflix-vulnerability-dependency-confusion/)
  - Typosquatting of popular package names
  - Install scripts (e.g. `install`, `preinstall`, `postinstall`, `preuninstall`, `postuninstall`)
- Highlights packages by name, version(s), or maintainer
- Highlights infrastructure components such as IP addresses, hostnames, email addresses and URLs
- Supports NPM and Yarn lockfiles
## 💃 Getting Started
```bash
$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner
```
For full API documentation, options, and usage examples, see the [@nodesecure/scanner package README](./workspaces/scanner/README.md).
## Workspaces
- [@nodesecure/scanner](./workspaces/scanner)
- [@nodesecure/tarball](./workspaces/tarball)
- [@nodesecure/tree-walker](./workspaces/tree-walker)
- [@nodesecure/flags](./workspaces/flags)
- [@nodesecure/mama](./workspaces/mama)
- [@nodesecure/contact](./workspaces/contact)
- [@nodesecure/conformance](./workspaces/conformance)
- [@nodesecure/npm-types](./workspaces/npm-types)
- [@nodesecure/i18n](./workspaces/i18n)
- [@nodesecure/rc](./workspaces/rc)
- [@nodesecure/utils](./workspaces/utils)
- [@nodesecure/fs-walk](./workspaces/fs-walk)
- [@nodesecure/github](./workspaces/github)
- [@nodesecure/gitlab](./workspaces/gitlab)
## 🐥 Contributors guide
If you are a developer **looking to contribute** to the project, you must first read the [CONTRIBUTING](./CONTRIBUTING.md) guide.
Once you have finished your development, check that the tests (and the linter) still pass by running the following script:
```bash
$ npm run check
```
> [!CAUTION]
> In case you introduce a new feature or fix a bug, make sure to include tests for it as well.
## Contributors ✨
Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
- Gentilhomme: 💻 📖 👀 🛡️ 🐛
- Tony Gorez: 💻 📖 👀 🐛
- Haze: 💻
- Maksim Balabash: 💻 🐛
- Antoine Coulon: 💻 🐛 👀 🚧 🛡️
- Nicolas Hallaert: 💻
- Yefis: 💻
- Franck Hallaert: 💻
- Ange TEKEU: 💻
- Vincent Dhennin: 💻 📖 👀 🐛
- Kouadio Fabrice Nguessan: 🚧
- PierreDemailly: 💻 👀 🐛 ⚠️
- Kishore: 💻 📖
- Clement Gombauld: 💻
- Ajāy: 💻 📖
- Nicolas Hallaert: 📖
- Maxime: ⚠️
- Ange TEKEU: 💻
- Alexandre Malaj: 💻 📖 🌍
- FredGuiou: 🚧
- Christian Lisangola: ⚠️
- Quentin Lepateley: 📖
- Antoine Neff: 🌍
- Kévin VOYER: 🌍
- Mathieu: 💻 🌍
- im_codebreaker: 💻 📖 🎨
- Ayushmaan Shrotriya: 📖
- Inès & Mélu: 📖
- zwOk9: ⚠️
- Pierre Martin: 📖
- Hamed Mohamed: 💻
## License
MIT