Skip to content

Latest commit

 

History

History
186 lines (150 loc) · 10.4 KB

README.md

File metadata and controls

186 lines (150 loc) · 10.4 KB

# Nodesecure Scanner

version Maintenance OpenSSF Scorecard mit build

⚡️ Run a static analysis of your module's dependencies.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner

Usage example

import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
await Promise.allSettled(promises);

API

See types/api.d.ts for a complete TypeScript definition.

function cwd(
  location: string,
  options?: Scanner.Options
): Promise<Scanner.Payload>;
function from(
  packageName: string,
  options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;
function verify(
  packageName?: string | null
): Promise<tarball.ScannedPackageResult>;

Options is described with the following TypeScript interface:

interface Options {
  /**
   * Maximum tree depth
   *
   * @default Infinity
   */
  readonly maxDepth?: number;

  readonly registry?: string | URL;

  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is useful only when `usePackageLock` is enabled.
     *
     * @default false
     */
    fetchManifest?: boolean;

    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };

  highlight?: {
    contacts: Contact[];
  };

  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;

  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;

  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true  for cwd()  API
   */
  readonly scanRootNode?: boolean;
}

Workspaces

Click on one of the links to access the documentation of the workspace:

name package and link
tarball @nodesecure/tarball
tree-walker @nodesecure/tree-walker
mama @nodesecure/mama
contact @nodesecure/contact
conformance @nodesecure/conformance
npm-types @nodesecure/npm-types
i18n @nodesecure/i18n
rc @nodesecure/rc

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

Gentilhomme
Gentilhomme

💻 📖 👀 🛡️ 🐛
Tony Gorez
Tony Gorez

💻 📖 👀 🐛
Haze
Haze

💻
Maksim Balabash
Maksim Balabash

💻
Antoine Coulon
Antoine Coulon

💻 🛡️
Nicolas Hallaert
Nicolas Hallaert

💻
Yefis
Yefis

💻
Franck Hallaert
Franck Hallaert

💻
Ange TEKEU
Ange TEKEU

💻
Vincent Dhennin
Vincent Dhennin

💻
Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan

🚧
PierreDemailly
PierreDemailly

💻 👀 🐛 ⚠️
Kishore
Kishore

💻

License

MIT