Skip to content

NodeSecure/cli

Repository files navigation

npm version license ossf scorecard slsa level3 github ci workflow codecov

A Node.js tool that performs a static and deep analysis of a package's dependency tree: AST-based scanning for malicious or unsafe patterns, npm registry metadata, license conformance, vulnerability aggregation (GitHub Advisory, Sonatype, Snyk) and OpenSSF Scorecard, all rendered through an interactive dependency graph.

πŸ’ƒ Getting Started

$ npm install @nodesecure/cli -g
$ nsecure auto express

This repository is a monorepo. The @nodesecure/cli package, along with its full feature list, command documentation, configuration and FAQ, lives in the workspaces/cli workspace β€” head there for everything about installing and using the CLI.

πŸ“¦ Workspaces

name package and link
cli @nodesecure/cli
documentation-ui @nodesecure/documentation-ui
vis-network @nodesecure/vis-network
size-satisfies @nodesecure/size-satisfies
server @nodesecure/server
cache @nodesecure/cache

These packages are available in the Node Package Repository and can be easily installed with npm or yarn, for example:

$ npm i @nodesecure/documentation-ui
# or
$ yarn add @nodesecure/documentation-ui

πŸ™ Contributing

If you are a developer looking to contribute to the project, please first read our CONTRIBUTING guide (Code of Conduct, first-contributor guide, Developer's Certificate of Origin, Discord).

Local Setup

$ git clone https://github.com/NodeSecure/cli.git
$ cd cli

$ npm install
# bundle/compile front-end assets for every workspace
$ npm run build

Important

Restart npm run build when modifying files under a workspace's public/front-end assets folder.

Once you have finished your development, check that the tests (and linter) are still good by running the following script:

$ npm test

Caution

If you add a feature, try adding tests for it along.

Publishing package and SLSA

The @nodesecure/cli package is published on NPM with provenance, ensuring that this project is compliant with SLSA Level 3 standards. The build and publication process is managed through the GitHub npm-provenance.yml workflow, which is automatically triggered upon the creation of a new release.

To create a local version of the package using npm and Git, follow these commands:

$ npm version [patch | minor | major]
$ git commit -am "chore: x.x.x"
$ git push origin master --tags

These commands will increment the package version, commit the changes, and push them along with the tags to the repository.

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

Haze
Haze

πŸ’» 🎨
fraxken
fraxken

πŸ’» πŸ› πŸ“ ⚠️ πŸ“– 🎨
Xavier Stouder
Xavier Stouder

πŸ’» 🎨 πŸ“–
Tony Gorez
Tony Gorez

πŸ’» πŸ“– πŸ‘€
abdellah-housni
abdellah-housni

πŸ›
Vincent Dhennin
Vincent Dhennin

πŸ’» πŸ›
halcin
halcin

πŸ’»
Ange TEKEU
Ange TEKEU

πŸ’»
PierreDemailly
PierreDemailly

πŸ’»
Inès & Mélusine LUJAN-ALVAREZ
Inès & Mélusine LUJAN-ALVAREZ

πŸ’»
Yefis
Yefis

πŸ’»
Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan

🚧
Kishore
Kishore

πŸ’»
FredGuiou
FredGuiou

πŸ’»
ZakariaEttani
ZakariaEttani

πŸ’»
Foucart Julien
Foucart Julien

πŸ“–
Dafyh
Dafyh

⚠️
Clement Gombauld
Clement Gombauld

πŸ’»
Mark MALAJ
Mark MALAJ

πŸ›
Younes Iddahamou Idrissi
Younes Iddahamou Idrissi

πŸ’»
zeearth
zeearth

πŸ’»

This project follows the all-contributors specification. Contributions of any kind welcome!

License

MIT

About

JavaScript security CLI that allow you to deeply analyze the dependency tree of a given package or local Node.js project.

Resources

License

Contributing

Security policy

Stars

385 stars

Watchers

6 watching

Forks

Contributors