MCPcopy Index your code
hub / github.com/NodeSecure/scanner

github.com/NodeSecure/scanner @scanner-v6.4.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release scanner-v6.4.0 ↗ · + Follow
254 symbols 726 edges 139 files 2 documented · 1%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

# Nodesecure Scanner

version Maintenance OpenSSF
Scorecard mit build

⚡️ Run a static analysis of your module's dependencies.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scanner

Usage example

import * as scanner from "@nodesecure/scanner";
import fs from "node:fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
await Promise.allSettled(promises);

API

See types/api.d.ts for a complete TypeScript definition.

function cwd(
  location: string,
  options?: Scanner.Options
): Promise<Scanner.Payload>;
function from(
  packageName: string,
  options?: Omit<Scanner.Options, "includeDevDeps">
): Promise<Scanner.Payload>;
function verify(
  packageName?: string | null
): Promise<tarball.ScannedPackageResult>;

Options is described with the following TypeScript interface:

interface Options {
  /**
   * Maximum tree depth
   *
   * @default Infinity
   */
  readonly maxDepth?: number;

  readonly registry?: string | URL;

  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     * This option is useful only when `usePackageLock` is enabled.
     *
     * @default false
     */
    fetchManifest?: boolean;

    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };

  highlight?: {
    contacts: Contact[];
  };

  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;

  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vuln.Strategy.Kind;

  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true  for cwd()  API
   */
  readonly scanRootNode?: boolean;
}

Additional APIs are available at:

Workspaces

Click on one of the links to access the documentation of the workspace:

name package and link
tarball @nodesecure/tarball
tree-walker @nodesecure/tree-walker
mama @nodesecure/mama
contact @nodesecure/contact
conformance @nodesecure/conformance
npm-types @nodesecure/npm-types
i18n @nodesecure/i18n
rc @nodesecure/rc

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

Gentilhomme Gentilhomme 💻 📖 👀 🛡️ 🐛 Tony Gorez Tony Gorez 💻 📖 👀 🐛 Haze Haze 💻 Maksim Balabash Maksim Balabash 💻 Antoine Coulon Antoine Coulon 💻 🛡️ Nicolas Hallaert Nicolas Hallaert 💻 Yefis Yefis 💻
Franck Hallaert Franck Hallaert 💻 Ange TEKEU Ange TEKEU 💻 Vincent Dhennin Vincent Dhennin 💻 Kouadio Fabrice Nguessan Kouadio Fabrice Nguessan 🚧 PierreDemailly PierreDemailly 💻 👀 🐛 ⚠️ Kishore Kishore 💻

License

MIT

Extension points exported contracts — how you extend this code

ProbeExtractor (Interface)
(no doc) [3 implementers]
workspaces/scanner/src/extractors/payload.ts
LocalDependencyTreeLoaderProvider (Interface)
(no doc) [2 implementers]
workspaces/tree-walker/src/npm/LocalDependencyTreeLoader.ts
ContactExtractorPackageMetadata (Interface)
(no doc)
workspaces/contact/src/ContactExtractor.class.ts
DependencyRef (Interface)
(no doc)
workspaces/tarball/src/tarball.ts
RC (Interface)
(no doc)
workspaces/rc/src/rc.ts
Contact (Interface)
(no doc)
workspaces/npm-types/src/index.d.ts
ExtractAsyncOptions (Interface)
(no doc)
workspaces/conformance/src/extract.ts
packageJSONIntegrityHashOptions (Interface)
(no doc)
workspaces/mama/src/utils/integrity-hash.ts

Core symbols most depended-on inside this repo

generateDefaultRC
called by 29
workspaces/rc/src/rc.ts
isGitDependency
called by 17
workspaces/tree-walker/src/utils/isGitDependency.ts
start
called by 15
workspaces/scanner/src/class/logger.class.ts
addFlag
called by 13
workspaces/tree-walker/src/Dependency.class.ts
read
called by 12
workspaces/rc/src/functions/read.ts
memoize
called by 10
workspaces/rc/src/functions/memoize.ts
memoized
called by 10
workspaces/rc/src/functions/memoize.ts
compareContact
called by 9
workspaces/contact/src/utils/compareContact.ts

Shape

Function 103
Interface 68
Method 59
Class 24

Languages

TypeScript100%

Modules by API surface

workspaces/scanner/src/comparePayloads.ts18 symbols
workspaces/tree-walker/src/npm/walker.ts17 symbols
workspaces/mama/src/ManifestManager.class.ts15 symbols
workspaces/scanner/src/extractors/payload.ts12 symbols
workspaces/tree-walker/src/Dependency.class.ts11 symbols
workspaces/npm-types/src/index.d.ts10 symbols
workspaces/tarball/src/utils/analyzeDependencies.ts8 symbols
workspaces/conformance/src/class/LicenseResult.class.ts8 symbols
workspaces/scanner/src/types.ts7 symbols
workspaces/scanner/src/class/logger.class.ts7 symbols
workspaces/i18n/src/index.ts7 symbols
workspaces/contact/src/ContactExtractor.class.ts7 symbols

For agents

$ claude mcp add scanner \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact