Beautiful Security & License Compliance Reports For Your App's Dependencies 🪱
- Free & open source command-line tool
- Works with any modern JavaScript package manager
- Scans your project & dependencies for vulnerabilities, license, and misc issues
- Supports marking issues as resolved
- Supports custom license policies
- Configurable fail conditions for CI / GIT hook workflows
- Outputs:
  - JSON issue & license usage reports
  - Easy to grok SVG dependency tree & treemap visualizations
    - Powered by D3
    - Overlays security vulnerabilities
    - Overlays package license info
  - CSV of all dependencies & license info
```json
{
  "createdAt": "...",
  "packageManager": "...",
  "name": "...",
  "version": "...",
  "rootVulnerabilities": [...],
  "dependencyVulnerabilities": [...],
  "licenseUsage": {...},
  "licenseIssues": [...],
  "metaIssues": [...],
  "errors": [...]
}
```
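The report above is what a CI job consumes when it enforces the "fail conditions" listed in the feature overview. The following is an added example, not code from the Sandworm Audit project: a small gate that reads a report with the top-level keys shown above and decides whether the pipeline should fail. It assumes each vulnerability object carries a `severity` string on the low/moderate/high/critical scale, and the sample report it runs on is constructed, not real audit output.

```javascript
// Added example, not part of Sandworm Audit: a CI gate over the JSON issue
// report whose top-level keys are listed in the README.
// ASSUMPTION: each vulnerability object has a `severity` string on the common
// low/moderate/high/critical scale; the README does not document that field.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether a report should fail the pipeline. Returns a decision object
// instead of calling process.exit so the logic can be unit-tested.
function gateReport(report, policy = {}) {
  const minRank = SEVERITY_RANK[policy.minSeverity] || SEVERITY_RANK.high;
  const reasons = [];
  const vulns = [
    ...(report.rootVulnerabilities || []),
    ...(report.dependencyVulnerabilities || []),
  ];
  for (const v of vulns) {
    const rank = SEVERITY_RANK[String(v.severity).toLowerCase()];
    // An unknown severity fails closed: silently passing unrecognised levels
    // would let a renamed or missing field slip through the gate.
    if (rank === undefined || rank >= minRank) {
      reasons.push(`${v.name || 'unknown package'}: ${v.severity} severity`);
    }
  }
  if (policy.failOnLicenseIssues && (report.licenseIssues || []).length > 0) {
    reasons.push(`${report.licenseIssues.length} license issue(s)`);
  }
  // Audit errors mean part of the tree was not checked; a clean-looking
  // report that also lists errors is not a clean report.
  if (policy.failOnErrors && (report.errors || []).length > 0) {
    reasons.push(`${report.errors.length} audit error(s), results incomplete`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample report (not real audit output) using the README's keys.
const SAMPLE_REPORT = {
  createdAt: '2024-01-01T00:00:00Z', packageManager: 'npm',
  name: 'example-app', version: '1.0.0',
  rootVulnerabilities: [{ name: 'pkg-a', severity: 'critical' }],
  dependencyVulnerabilities: [{ name: 'pkg-b', severity: 'low' }],
  licenseUsage: {}, licenseIssues: [{ name: 'pkg-c' }], metaIssues: [], errors: [],
};

// Run on the sample; in CI, parse the report written by sandworm-audit instead.
const decision = gateReport(SAMPLE_REPORT, { minSeverity: 'high', failOnLicenseIssues: true });
console.log(decision.ok ? 'audit gate passed'
                        : `audit gate failed:\n- ${decision.reasons.join('\n- ')}`);
```

In a real pipeline, set `process.exitCode = decision.ok ? 0 : 1` after the decision so the job fails, and treat a non-empty `errors` array as a reason to fail rather than a warning.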
- Have a support question? Post it here.
- Have a feature request? Post it here.
- Did you find a security issue? See SECURITY.md.
- Did you find a bug? Post an issue.
- Want to write some code? See CONTRIBUTING.md.
Note: Sandworm Audit requires Node 14.19+.
Note: When using npm, Sandworm Audit supports lockfile versions 2 and 3 (npm 7+).
Install sandworm-audit globally via your favorite package manager:

```
npm install -g @sandworm/audit
# or yarn global add @sandworm/audit
# or pnpm add -g @sandworm/audit
```

Then run sandworm-audit (or run it directly without installing via npx @sandworm/audit@latest) in the root directory of your application. Make sure there's a manifest and a lockfile.
Available options:

```
Options:
  -v, --version                Show version number                      [boolean]
      --help                   Show help                                [boolean]
  -o, --output-path            The path of the output directory, relative to the
                               application path    [string] [default: "sandworm"]
  -d, --include-dev            Include dev dependencies
                                                    [boolean] [default: false]
      --sv, --show-versions    Show package versions in chart names
                                                    [boolean] [default: false]
  -p, --path                   The path to the application to audit      [string]
      --md, --max-depth        Max depth to represent in charts          [number]
      --ms, --min-severity     Min issue severity to represent in charts [string]
      --lp, --license-policy   Custom license policy JSON string         [string]
  -f, --from                   Load data from "registry" or "disk"
                                                 [string] [default: "registry"]
      --fo, --fail-on          Fail policy JSON string   [string] [default: "[]"]
  -s, --summary                Print a summary of the audit results to the
                               console               [boolean] [default: true]
```