This project provides a Node.js application that scans a `package.json` file for known vulnerabilities in its dependencies. It uses the GitHub GraphQL API to fetch vulnerability data for npm packages.
Features
- Scans npm dependencies for known vulnerabilities
- Reports identified vulnerabilities with details like severity and summary
- Integrates with web applications through a REST API endpoint
Prerequisites
- Node.js and npm installed on your system (check with `node -v` and `npm -v`)
- A GitHub personal access token with access to the security scope (see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
Installation
- Clone this repository
- Install dependencies:

```bash
npm install
```

- Create a `.env` file in the project root directory. Keep this file out of version control (add it to `.gitignore`), since it will hold your access token.
- Add the following environment variable to the `.env` file, replacing `<YOUR_ACCESS_TOKEN>` with your actual GitHub access token:

```
GITHUB_ACCESS_TOKEN=<YOUR_ACCESS_TOKEN>
```
Usage
- Start the application:

```bash
npm start
```

- The scanner listens on port 3000 by default, so the API endpoint is available at http://localhost:3000/api/v1/scan
API
The scanner expects a POST request to the `/api/v1/scan` endpoint with a JSON body of the following shape. Currently only the npm ecosystem is supported, and `fileContent` carries the base64-encoded contents of your `package.json`:

```json
{
  "ecosystem": "npm",
  "fileContent": "<base64 encoded content of your package.json file>"
}
```

Example request with curl:

```bash
curl -X POST http://localhost:3000/api/v1/scan \
  -H "Content-Type: application/json" \
  -d '{"ecosystem": "npm", "fileContent": "<base64 encoded content of your package.json>"}'
```
The response is a JSON object with the following structure; `vulnerablePackages` contains one entry per affected dependency:

```json
{
  "vulnerablePackages": [
    {
      "name": "package-name",
      "version": "1.2.3",
      "severity": "CRITICAL",
      "summary": "Vulnerability summary",
      "firstPatchedVersion": "1.2.4",
      "vulnerableVersionRange": "< 1.2.4"
    }
  ]
}
```
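As an added example (not part of this project's code), the following Node.js helper builds the request body described above, decodes it the way the server would, and turns the response into a CI-style pass/fail decision. The severity ranking follows GitHub advisory levels; the threshold policy and the sample request and response data are assumptions constructed for the example.

```javascript
// Added example, not part of this project: build the /api/v1/scan request body and
// gate on its response. Severity names follow GitHub advisory levels; the CI policy is assumed.
const SEVERITY_ORDER = ['LOW', 'MODERATE', 'HIGH', 'CRITICAL'];

// Build the request body the scanner expects: ecosystem plus the package.json
// text base64-encoded. Rejects anything that is not a JSON object up front.
function buildScanRequest(packageJsonText) {
  const parsed = JSON.parse(packageJsonText);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('package.json must be a JSON object');
  }
  return {
    ecosystem: 'npm',
    fileContent: Buffer.from(packageJsonText, 'utf8').toString('base64'),
  };
}

// Server-side view: recover the package.json text from a request body.
function decodeFileContent(body) {
  if (body.ecosystem !== 'npm') throw new Error(`unsupported ecosystem: ${body.ecosystem}`);
  return Buffer.from(body.fileContent, 'base64').toString('utf8');
}

// Reduce a scan response to a pass/fail decision: every package at or above
// `threshold` fails the build and is listed with its first patched version.
function evaluateScan(response, threshold = 'HIGH') {
  const min = SEVERITY_ORDER.indexOf(threshold);
  const failing = (response.vulnerablePackages || []).filter((p) => {
    const rank = SEVERITY_ORDER.indexOf(p.severity);
    return rank < 0 || rank >= min; // unknown severity fails closed
  });
  return {
    pass: failing.length === 0,
    failing: failing.map((p) => ({
      name: p.name,
      installed: p.version,
      upgradeTo: p.firstPatchedVersion ?? null, // null when no fix is published
    })),
  };
}

// Constructed sample data shaped like the README's request and response.
const SAMPLE_PACKAGE_JSON = '{"name":"demo","dependencies":{"example-lib":"1.2.3"}}';
const SAMPLE_RESPONSE = { vulnerablePackages: [
  { name: 'example-lib', version: '1.2.3', severity: 'CRITICAL', summary: 'constructed',
    firstPatchedVersion: '1.2.4', vulnerableVersionRange: '< 1.2.4' },
  { name: 'other-lib', version: '0.9.0', severity: 'LOW', summary: 'constructed',
    firstPatchedVersion: '0.9.1', vulnerableVersionRange: '< 0.9.1' },
] };
```

Running `evaluateScan(SAMPLE_RESPONSE)` with the default threshold reports the CRITICAL package as failing and ignores the LOW one; lowering the threshold to `'LOW'` lists both.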