Skip to content
/ depScanner Public

depScanner: A fast and lightweight CLI tool built with Rust to scan npm, Yarn, pnpm, and Bun lock files for vulnerabilities. Simple, secure, and efficient. ๐Ÿš€

License

MIT license
12 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rasapp/depScanner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

6 Commits
src
src
ย 
ย 
.dockerignore
.dockerignore
ย 
ย 
.gitignore
.gitignore
ย 
ย 
Cargo.lock
Cargo.lock
ย 
ย 
Cargo.toml
Cargo.toml
ย 
ย 
Dockerfile
Dockerfile
ย 
ย 
LICENSE
LICENSE
ย 
ย 
README.md
README.md
ย 
ย 

Repository files navigation

depScanner

depScanner is a lightweight and efficient dependency scanner tool that analyzes lock files (e.g., package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lockb) and package.json for vulnerabilities. Built with Rust, it helps developers ensure their dependencies are secure and up-to-date.

Features

  • Scans lock files for exact dependency versions.
  • Supports multiple formats:
    • package-lock.json
    • yarn.lock
    • pnpm-lock.yaml
    • bun.lockb
    • Fallback to package.json.
  • Identifies known vulnerabilities using public advisory APIs.
  • Provides a clean, CLI-friendly vulnerability report.
  • Fast and memory-efficient, powered by Rust.

Getting Started

To use depScanner, choose one of the following methods:

Using Rust Locally

If you want to run depScanner natively on your machine, follow these steps:

  1. Ensure you have Rust installed.

  2. Clone the repository:

    git clone https://github.com/your-username/depScanner.git
cd depScanner

  3. Build the project:

    cargo build --release

  4. Run the binary:

    ./target/release/depScanner <path-to-lockfile-or-package.json>

Using Docker (Recommended)

For a hassle-free setup, use the Docker image to run depScanner:

  1. Build the Docker image:

    docker build -t dep-scanner .

  2. Run the Docker container:

    docker run --rm -v $(pwd):/app dep-scanner ./depScanner /app/<lock-file-or-package.json>

    Replace <lock-file-or-package.json> with the path to your dependency file.

Usage

Basic Command

Scan a lock file or package.json:

./depScanner <path-to-lockfile-or-package.json>

Examples

  1. Scan a package-lock.json file:

    ./depScanner ./package-lock.json

  2. Scan a yarn.lock file:

    ./depScanner ./yarn.lock

  3. Scan a pnpm-lock.yaml file:

    ./depScanner ./pnpm-lock.yaml

  4. Fallback to package.json if lock files are unavailable:

    ./depScanner ./package.json

  5. Using Docker to scan a file:

    docker run --rm -v $(pwd):/app dep-scanner ./depScanner /app/package-lock.json

Output

The CLI displays a vulnerability report like this:

Dependency Vulnerability Report
Package                        Version         Issues
--------------------------------------------------------------------------------
lodash                         4.17.20        Prototype Pollution
express                        4.17.1         XSS Vulnerability
chalk                          2.4.2          No issues found
  • Red: Vulnerable dependencies.
  • Green: No vulnerabilities found.

Supported Formats

  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • pnpm-lock.yaml (pnpm)
  • bun.lockb (Bun)
  • package.json (Fallback for declared dependencies)

License

This project is licensed under the MIT License.

Acknowledgments

  • Built with โค๏ธ using Rust.
  • Inspired by the need for secure dependency management.

About

depScanner: A fast and lightweight CLI tool built with Rust to scan npm, Yarn, pnpm, and Bun lock files for vulnerabilities. Simple, secure, and efficient. ๐Ÿš€

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

12 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages