Sandworm

Security & License Compliance For Your App's Dependencies

README

Sandworm Audit


Beautiful Security & License Compliance Reports For Your App's Dependencies 🪱

Summary


- Free & open source command-line tool
- Works with any modern JavaScript package manager
- Scans your project & dependencies for vulnerabilities, license, and misc issues
- Configurable fail conditions for CI / GIT hook workflows
- Outputs:
  - JSON issue & license usage reports
  - Easy to grok SVG dependency tree & treemap visualizations
    - Powered by D3
    - Overlays security vulnerabilities
    - Overlays package license info
  - CSV of all dependencies & license info

Generate a report

[Animation: Running Sandworm Audit]

Navigate charts

[Image: Sandworm treemap and tree dependency charts]

CSV output

[Image: Sandworm dependency CSV]

JSON output


```json
{
  "createdAt": "...",
  "packageManager": "...",
  "name": "...",
  "version": "...",
  "rootVulnerabilities": [...],
  "dependencyVulnerabilities": [...],
  "licenseUsage": {...},
  "licenseIssues": [...],
  "metaIssues": [...],
  "errors": [...]
}
```

Marking issues as resolved

Get Involved


- Have a support question? Post it here.
- Have a feature request? Post it here.
- Did you find a security issue? See SECURITY.md.
- Did you find a bug? Post an issue.
- Want to write some code? See CONTRIBUTING.md.

Get Started


Note

Sandworm Audit requires Node 14.19+.


Note

When using npm, Sandworm Audit supports lockfile versions 2 and 3 (npm 7+).


Install sandworm-audit globally via your favorite package manager:

```bash
npm install -g @sandworm/audit
# or yarn global add @sandworm/audit
# or pnpm add -g @sandworm/audit
```

Then, run sandworm-audit (or run directly without installing via npx @sandworm/audit@latest) in the root directory of your application. Make sure there's a manifest and a lockfile.

Available options:

```
Options:
  -v, --version               Show version number                      [boolean]
      --help                  Show help                                [boolean]
  -o, --output-path           The path of the output directory, relative to the
                              application path    [string] [default: "sandworm"]
  -d, --include-dev           Include dev dependencies[boolean] [default: false]
      --sv, --show-versions   Show package versions in chart names
                                                      [boolean] [default: false]
  -p, --path                  The path to the application to audit      [string]
      --md, --max-depth       Max depth to represent in charts          [number]
      --ms, --min-severity    Min issue severity to represent in charts [string]
      --lp, --license-policy  Custom license policy JSON string         [string]
  -f, --from                  Load data from "registry" or "disk"
                                                  [string] [default: "registry"]
      --fo, --fail-on         Fail policy JSON string   [string] [default: "[]"]
  -s, --summary               Print a summary of the audit results to the
                              console                  [boolean] [default: true]
```

Documentation



Samples on Sandworm.dev