https://github.com/nodesecure/scanner

⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
audit nodejs nodesecure sast scanner security

# Nodesecure Scanner

![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/scanner/master/workspaces/scanner/package.json&query=$.version&label=Version)
[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/graphs/commit-activity)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner)
[![mit](https://img.shields.io/github/license/NodeSecure/scanner.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/scanner/node.js.yml?style=for-the-badge)

⚡️ Run a static analysis of your module's dependencies.

## Requirements

- [Node.js](https://nodejs.org/en/) version 20 or higher

## Getting Started

This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).

```bash
$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner
```

## Usage example

```js
import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// Scan every package from the registry and collect the payloads
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Persist one JSON payload per analyzed package
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
await Promise.allSettled(promises);
```
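The snippet above aborts the whole batch if a single `scanner.from()` call rejects, and it derives the file name directly from the package name, which contains a `/` for scoped packages. The following is an added example, not code from the NodeSecure project: it keeps the one-JSON-per-package pattern but isolates failures per package and flattens scoped names. The `scan` parameter is assumed to be the scanner call, e.g. `(name) => scanner.from(name, options)`, so the function itself runs offline.

```javascript
// Added example (not from the NodeSecure README). Batch-scan packages the way
// the usage example does, but report per-package failures instead of failing
// the whole batch, and never let a package name decide the output path layout.
import fs from "node:fs/promises";
import path from "node:path";

// Scoped names ("@nodesecure/scanner") contain "/", which would turn the output
// file into a sub-directory entry; map them to a flat, predictable file name.
export function payloadFileName(packageName) {
  return `${packageName.replace(/^@/, "").replace(/\//g, "__")}.json`;
}

// `scan` is the scanner call, for example (name) => scanner.from(name, options).
// Returns which payload files were written and which packages failed, and why.
export async function scanAndSave(packageNames, scan, outDir) {
  await fs.mkdir(outDir, { recursive: true });

  const settled = await Promise.allSettled(
    packageNames.map(async (name) => {
      const payload = await scan(name);
      const file = path.join(outDir, payloadFileName(name));
      await fs.writeFile(file, JSON.stringify(payload, null, 2));
      return file;
    })
  );

  const report = { written: [], failed: [] };
  settled.forEach((result, i) => {
    if (result.status === "fulfilled") {
      report.written.push(result.value);
    } else {
      report.failed.push({ name: packageNames[i], reason: String(result.reason) });
    }
  });
  return report;
}
```

In a CI job, a non-empty `report.failed` is the signal to fail the build rather than silently shipping a partial set of payloads.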

## API

See `types/api.d.ts` for a complete TypeScript definition.

```ts
function cwd(
  location: string,
  options?: Scanner.Options
): Promise<Scanner.Payload>;
function from(
  packageName: string,
  options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;
function verify(
  packageName?: string | null
): Promise<Scanner.VerifyPayload>;
```

`Options` is described with the following TypeScript interface:

```ts
interface Options {
  /**
   * Maximum tree depth
   *
   * @default Infinity
   */
  readonly maxDepth?: number;

  readonly registry?: string | URL;

  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is useful only when `usePackageLock` is enabled.
     *
     * @default false
     */
    fetchManifest?: boolean;

    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };

  highlight?: {
    contacts: Contact[];
  };

  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;

  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;

  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true for cwd() API
   */
  readonly scanRootNode?: boolean;
}
```

## Workspaces

Click on one of the links to access the documentation of the workspace:

| name | package and link |
| --- | --- |
| tarball | [@nodesecure/tarball](./workspaces/tarball) |
| tree-walker | [@nodesecure/tree-walker](./workspaces/tree-walker) |
| mama | [@nodesecure/mama](./workspaces/mama) |
| contact | [@nodesecure/contact](./workspaces/contact) |
| conformance | [@nodesecure/conformance](./workspaces/conformance) |
| npm-types | [@nodesecure/npm-types](./workspaces/npm-types) |
| i18n | [@nodesecure/i18n](./workspaces/i18n) |
| rc | [@nodesecure/rc](./workspaces/rc) |

## Contributors ✨

[![All Contributors](https://img.shields.io/badge/all_contributors-13-orange.svg?style=flat-square)](#contributors-)

Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):

- Gentilhomme: 💻 📖 👀 🛡️ 🐛
- Tony Gorez: 💻 📖 👀 🐛
- Haze: 💻
- Maksim Balabash: 💻
- Antoine Coulon: 💻 🛡️
- Nicolas Hallaert: 💻
- Yefis: 💻
- Franck Hallaert: 💻
- Ange TEKEU: 💻
- Vincent Dhennin: 💻
- Kouadio Fabrice Nguessan: 🚧
- PierreDemailly: 💻 👀 🐛 ⚠️
- Kishore: 💻

## License

MIT