Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
Sandworm Audit


Beautiful Security & License Compliance Reports For Your App's Dependencies 🪱


  • Free & open source command-line tool
  • Works with any modern JavaScript package manager
  • Scans your project & dependencies for vulnerabilities, license, and misc issues
  • Supports marking issues as resolved
  • Supports custom license policies
  • Configurable fail conditions for CI / GIT hook workflows
  • Can connect to private/custom registries
  • Outputs:
    • JSON issue & license usage reports
    • Easy to grok SVG dependency tree & treemap visualizations
      • Powered by D3
      • Overlays security vulnerabilities
      • Overlays package license info
    • CSV of all dependencies & license info

Generate a report

Running Sandworm Audit

Navigate charts

Sandworm treemap and tree dependency charts

CSV output

Sandworm dependency CSV

JSON output

  "createdAt": "...",
  "packageManager": "...",
  "name": "...",
  "version": "...",
  "rootVulnerabilities": [...],
  "dependencyVulnerabilities": [...],
  "licenseUsage": {...},
  "licenseIssues": [...],
  "metaIssues": [...],
  "errors": [...],

Marking issues as resolved

Get Involved

Get Started

Note Sandworm Audit requires Node 14.19+.

Note When using npm, Sandworm Audit supports lockfile versions 2 and 3 (npm 7+).

Install sandworm-audit globally via your favorite package manager:

npm install -g @sandworm/audit
# or yarn global add @sandworm/audit
# or pnpm add -g @sandworm/audit

Then, run sandworm-audit in the root directory of your application. Make sure there's a manifest and a lockfile.

You can also directly run without installing via:

npx @sandworm/audit@latest
# or yarn dlx -p @sandworm/audit sandworm
# or pnpm --package=@sandworm/audit dlx sandworm

Available options:

  -v, --version               Show version number                      [boolean]
      --help                  Show help                                [boolean]
  -o, --output-path           The path of the output directory, relative to the
                              application path    [string] [default: "sandworm"]
  -d, --include-dev           Include dev dependencies[boolean] [default: false]
      --sv, --show-versions   Show package versions in chart names
                                                      [boolean] [default: false]
  -p, --path                  The path to the application to audit      [string]
      --md, --max-depth       Max depth to represent in charts          [number]
      --ms, --min-severity    Min issue severity to represent in charts [string]
      --lp, --license-policy  Custom license policy JSON string         [string]
  -f, --from                  Load data from "registry" or "disk"
                                                  [string] [default: "registry"]
      --fo, --fail-on         Fail policy JSON string   [string] [default: "[]"]
  -s, --summary               Print a summary of the audit results to the
                              console                  [boolean] [default: true]
      --root-vulnerabilites   Include vulnerabilities for the root project
                                                      [boolean] [default: false]
      --skip-license-issues   Skip scanning for license issues
                                                      [boolean] [default: false]
      --skip-meta-issues      Skip scanning for meta issues
                                                      [boolean] [default: false]
      --skip-tree             Don't output the dependency tree chart
                                                      [boolean] [default: false]
      --skip-treemap          Don't output the dependency treemap chart
                                                      [boolean] [default: false]
      --skip-csv              Don't output the dependency csv file
                                                      [boolean] [default: false]
      --skip-report           Don't output the report json file
                                                      [boolean] [default: false]
      --skip-all              Don't output any file   [boolean] [default: false]
      --show-tips             Show usage tips          [boolean] [default: true]


Read the full docs here.

Samples on