Skip to content

NodeSecure/cli

Repository files navigation

npm version license ossf scorecard slsa level3 github ci workflow codecov

NodeSecure is a Node.js CLI (nsecure) that performs a static and deep analysis of a package's dependency tree: AST-based scanning for malicious or unsafe patterns, npm registry metadata, license conformance, vulnerability aggregation (GitHub Advisory, Sonatype, Snyk) and OpenSSF Scorecard, all rendered through an interactive dependency graph with a PDF report generator.

πŸ’ƒ Getting Started

$ npm install @nodesecure/cli -g
$ nsecure auto express

This repository is a monorepo. The @nodesecure/cli package, along with its full feature list, command documentation, configuration and FAQ, lives in the workspaces/cli workspace β€” head there for everything about installing and using the CLI.

πŸ“¦ Workspaces

name package and link
cli @nodesecure/cli
documentation-ui @nodesecure/documentation-ui
vis-network @nodesecure/vis-network
size-satisfies @nodesecure/size-satisfies
server @nodesecure/server
cache @nodesecure/cache

These packages are available in the Node Package Repository and can be easily installed with npm or yarn, for example:

$ npm i @nodesecure/documentation-ui
# or
$ yarn add @nodesecure/documentation-ui

πŸ™ Contributing

If you are a developer looking to contribute to the project, please first read our CONTRIBUTING guide (Code of Conduct, first-contributor guide, Developer's Certificate of Origin, Discord).

Local Setup

$ git clone https://github.com/NodeSecure/cli.git
$ cd cli

$ npm install
# bundle/compile front-end assets for every workspace
$ npm run build

Important

Restart npm run build when modifying files under a workspace's public/front-end assets folder.

Once you have finished your development, check that the tests (and linter) are still good by running the following script:

$ npm test

Caution

If you add a feature, try adding tests for it along.

Publishing package and SLSA

The @nodesecure/cli package is published on NPM with provenance, ensuring that this project is compliant with SLSA Level 3 standards. The build and publication process is managed through the GitHub npm-provenance.yml workflow, which is automatically triggered upon the creation of a new release.

To create a local version of the package using npm and Git, follow these commands:

$ npm version [patch | minor | major]
$ git commit -am "chore: x.x.x"
$ git push origin master --tags

These commands will increment the package version, commit the changes, and push them along with the tags to the repository.

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

Haze
Haze

πŸ’» 🎨
fraxken
fraxken

πŸ’» πŸ› πŸ“ ⚠️ πŸ“– 🎨
Xavier Stouder
Xavier Stouder

πŸ’» 🎨 πŸ“–
Tony Gorez
Tony Gorez

πŸ’» πŸ“– πŸ‘€
abdellah-housni
abdellah-housni

πŸ›
Vincent Dhennin
Vincent Dhennin

πŸ’» πŸ›
halcin
halcin

πŸ’»
Ange TEKEU
Ange TEKEU

πŸ’»
PierreDemailly
PierreDemailly

πŸ’»
Inès & Mélusine LUJAN-ALVAREZ
Inès & Mélusine LUJAN-ALVAREZ

πŸ’»
Yefis
Yefis

πŸ’»
Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan

🚧
Kishore
Kishore

πŸ’»
FredGuiou
FredGuiou

πŸ’»
ZakariaEttani
ZakariaEttani

πŸ’»
Foucart Julien
Foucart Julien

πŸ“–
Dafyh
Dafyh

⚠️
Clement Gombauld
Clement Gombauld

πŸ’»
Mark MALAJ
Mark MALAJ

πŸ›
Younes Iddahamou Idrissi
Younes Iddahamou Idrissi

πŸ’»
zeearth
zeearth

πŸ’»

This project follows the all-contributors specification. Contributions of any kind welcome!

License

MIT

About

JavaScript security CLI that allow you to deeply analyze the dependency tree of a given package or local Node.js project.

Resources

License

Contributing

Security policy

Stars

385 stars

Watchers

6 watching

Forks

Contributors