Sandworm Audit is a free and open source command-line tool designed to scan your project and dependencies for security vulnerabilities, license compliance issues, and other metadata problems.
It is powered by D3 and renders security vulnerabilities and package license information as nice-looking charts. Additionally, it supports configurable conditions for failing CI and Git hook workflows, making it a useful tool for enforcing the security and license compliance of your application on commits or pushes.
To get started, install Sandworm Audit globally via your favorite package manager and run it in the root directory of your application.
After that, you can run it in any directory that contains a package.json file.
The output will be something like this (if you are lucky and no issues are identified):
After this step you will find a sandworm directory in your project root. This directory contains not only CSV and JSON reports, but also a nice-looking dependency tree and a treemap chart in SVG format.
Read the documentation for more information on how to use and configure Sandworm Audit.
Note: Currently, the audit might fail with an "out of memory" error on large projects, depending on your hardware setup. There is an open issue report about this.
This post is part of #100DaysToOffload (total posts: 70)