Sandworm Audit is a free, open-source CLI tool that scans application dependencies for security vulnerabilities, license compliance, and metadata issues, providing detailed visual and data reports.
Security & License Compliance For Your App's Dependencies 🪱
This tool is designed for developers and security teams who need to ensure their application's dependencies are secure and compliant with licensing policies. It is used during development and CI workflows to identify and manage vulnerabilities, license risks, and metadata problems across multiple package managers and workspaces.
Sandworm Audit requires Node.js version 14.19 or higher. Run it from the root directory of your project, where the manifest (package.json) and lockfile are present, so the installed dependency tree it audits matches what your lockfile resolves. Custom license policies and fail conditions can be configured so that the audit gates CI/CD pipelines and Git hooks automatically. The tool supports private npm registries, making it suitable for enterprise environments.
Ensure Node.js version 14.19 or higher is installed
Install globally via npm: npm install -g @sandworm/audit
Alternatively, install globally via yarn: yarn global add @sandworm/audit
Or install globally via pnpm: pnpm add -g @sandworm/audit
Or skip installation and run directly with npx: npx @sandworm/audit@latest
Or with yarn dlx: yarn dlx -p @sandworm/audit sandworm
Or with pnpm dlx: pnpm --package=@sandworm/audit dlx sandworm
Run the tool in your project root directory, where the manifest and lockfile exist
sandworm-audit
Runs the audit scan in the current directory and generates reports
npx @sandworm/audit@latest
Runs Sandworm Audit without prior installation
npm install -g @sandworm/audit
Installs Sandworm Audit globally using npm
sandworm-audit -o <output-path>
Specifies the output directory for generated reports
sandworm-audit -d
Includes dev dependencies in the audit scan
sandworm-audit --sv
Shows package versions in chart names within visual reports
sandworm-audit -p <path>
Specifies a custom path to the application to audit
sandworm-audit --md <max-depth>
Sets the maximum depth to represent in charts
sandworm-audit --ms <min-severity>
Filters issues by minimum severity to display in charts
sandworm-audit --lp <license-policy>
Applies a custom license policy, passed inline as a JSON string (not a file path), for compliance checks
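As an added example (not code from the Sandworm project), the following POSIX shell gate wires the install-and-run steps and the license-policy option above into a CI job or pre-commit hook: it checks the documented Node.js 14.19 minimum, checks that the target directory holds a manifest plus a lockfile for npm, yarn or pnpm, and only then runs sandworm-audit with the -p, -o, -d and --lp options listed on this page. The shape of the policy JSON (severity keys mapping to license IDs or "cat:<category>" entries), the SANDWORM_CI_RUN environment variable, and the reliance on the tool's default fail conditions yielding a non-zero exit status are assumptions made for this example; confirm them against the current Sandworm documentation before trusting the gate.

```shell
#!/bin/sh
# Added example, not part of the Sandworm Audit project. Pre-flight checks
# from the page (Node >= 14.19, manifest + lockfile present), then an audit
# run with the documented -p/-o/-d/--lp options. Policy shape and exit-code
# behaviour are assumptions; verify against the current Sandworm docs.
set -eu

# Return 0 if a Node.js version string such as "v14.19.0" satisfies the
# documented minimum of 14.19, else 1. Pure string/arith parsing, no node call.
node_version_ok() {
  v=${1#v}
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 14 ]; then return 0; fi
  if [ "$major" -eq 14 ] && [ "$minor" -ge 19 ]; then return 0; fi
  return 1
}

# Return 0 if the directory holds package.json plus a lockfile for one of the
# package managers the page covers (npm, yarn, pnpm), else 1.
project_root_ok() {
  dir=${1:-.}
  if [ ! -f "$dir/package.json" ]; then return 1; fi
  for lock in package-lock.json yarn.lock pnpm-lock.yaml; do
    if [ -f "$dir/$lock" ]; then return 0; fi
  done
  return 1
}

# Assumed policy shape: severity -> list of license IDs or "cat:<category>"
# entries. Rated "high" here: strongly protective (copyleft) and unknown
# licenses; "moderate": weakly protective ones. Adjust to your legal policy.
LICENSE_POLICY='{"high":["cat:Network Protective","cat:Strongly Protective","cat:Uncategorized"],"moderate":["cat:Weakly Protective"]}'

# Run the audit for $1 (default: current dir), writing reports to $2
# (default: a .sandworm directory, chosen here for the example). Returns 2 on
# a failed pre-flight check; otherwise propagates sandworm-audit's exit status,
# assumed non-zero when its fail conditions trigger.
run_audit() {
  dir=${1:-.}
  out=${2:-.sandworm}
  if ! command -v node >/dev/null 2>&1; then
    echo "node not found; Node.js 14.19 or higher is required" >&2
    return 2
  fi
  if ! node_version_ok "$(node --version)"; then
    echo "Node.js 14.19 or higher is required, found $(node --version)" >&2
    return 2
  fi
  if ! project_root_ok "$dir"; then
    echo "no package.json plus lockfile found in $dir; run from the project root" >&2
    return 2
  fi
  # -d includes dev dependencies, since CI installs them too and a compromised
  # build-time package is still a supply-chain risk.
  npx @sandworm/audit@latest -p "$dir" -o "$out" -d --lp "$LICENSE_POLICY"
}

# Only invoke the network-dependent audit when explicitly requested, so the
# file can also be sourced for its checks (e.g. from a Git hook).
if [ "${SANDWORM_CI_RUN:-0}" = "1" ]; then
  run_audit "${1:-.}" "${2:-.sandworm}"
fi
```

Usage in a pipeline: `SANDWORM_CI_RUN=1 sh audit-gate.sh . .sandworm`; a non-zero exit fails the job, and the generated reports in the output directory can be uploaded as build artifacts for triage.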