A Docker-based security scanner that analyzes npm package dependencies for vulnerabilities and enriches them with CVE information from GitHub Advisory Database.
- Scans `package-lock.json` files for security vulnerabilities
- Enriches vulnerability data with CVE information from the GitHub Advisory API
- Provides detailed dependency graphs and fix suggestions
- Outputs structured JSON results
- Lightweight Alpine-based Docker image with minimal dependencies
- Separate production and development environments, so the shipped image carries only the packages it needs
- Docker installed on your system
- A `package-lock.json` file in your project directory
- (Optional) A GitHub Personal Access Token for enhanced API access and higher rate limits
- Build the Docker image:

  ```bash
  docker build -t npm-sca-scanner .
  ```

- Run the scanner:

  ```bash
  # Navigate to your project directory with package-lock.json
  cd /path/to/your/project
  # Run the scanner; scan_results.json is written into the mounted directory
  docker run --rm -v $(pwd):/app/scan npm-sca-scanner
  ```

- View results:

  ```bash
  cat scan_results.json
  ```
To avoid API rate limits and get enhanced vulnerability information, pass a GitHub token. Unauthenticated requests to the GitHub REST API are limited to 60 per hour, which a lock file with a few hundred packages exhausts quickly; authenticated requests are allowed 5,000 per hour.

- Set up the GitHub token in your shell:

  ```bash
  export GH_TOKEN=your_github_token_here
  ```

  The `export` line itself is recorded in shell history if your shell keeps one; reading the value with `read -s GH_TOKEN` or from a secrets manager avoids that.

- Run with the token. `-e GH_TOKEN` with no value copies the variable from your environment into the container, so the token is supplied at run time only and never appears in the `docker run` command or in the image:

  ```bash
  docker run --rm -v $(pwd):/app/scan -e GH_TOKEN npm-sca-scanner
  ```
The scanner generates scan_results.json containing:
- CVE identifiers
- Package names and versions
- Vulnerability descriptions
- Dependency graphs
- Fix suggestions
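The enrichment step has to decide whether an installed version falls inside an advisory's `vulnerable_version_range` (strings such as `>= 4.0.0, < 4.17.21` in the GitHub Advisory Database REST API) and turn each match into one of the result records listed above, including a fix suggestion. The following is an added example and not the scanner's own code: it uses a small pure-Python comparison instead of the project's `semantic_version` dependency so it runs with nothing installed, the advisories and the package name `demo-lib` are constructed placeholders (not real CVEs), and the request-building helper only assembles the URL, query and headers for `GET /advisories` without sending anything.

```python
"""Version-range matching and result records for GitHub Advisory data (added example)."""
import re

GITHUB_ADVISORIES_URL = "https://api.github.com/advisories"

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")
_CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")


def parse_version(text):
    """'4.17.20' or '1.0.0-beta.1' -> sortable tuple. Build metadata is ignored.

    A pre-release sorts before its release, which is the rule that matters for
    '< x.y.z' bounds; ordering between two pre-releases is not modelled here.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


_OPS = {
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "=": lambda v, b: v == b,
}


def in_vulnerable_range(version, vulnerable_range):
    """True if `version` satisfies every comma-separated clause of a GHSA range."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def advisory_request(package, version, token=None):
    """URL, query and headers for GET /advisories; nothing is sent here.

    The token goes in a header, never in the URL, so it stays out of access logs.
    """
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    params = {"ecosystem": "npm", "affects": f"{package}@{version}"}
    return GITHUB_ADVISORIES_URL, params, headers


def enrich(package, version, advisories):
    """Keep advisories whose npm range matches `version`; build one result record each."""
    findings = []
    for adv in advisories:
        for vuln in adv.get("vulnerabilities", []):
            pkg = vuln.get("package", {})
            if pkg.get("ecosystem") != "npm" or pkg.get("name") != package:
                continue
            if not in_vulnerable_range(version, vuln["vulnerable_version_range"]):
                continue
            patched = vuln.get("first_patched_version")  # may be null in the API
            findings.append({
                "cve_id": adv.get("cve_id"),
                "ghsa_id": adv.get("ghsa_id"),
                "package": package,
                "version": version,
                "severity": adv.get("severity"),
                "description": adv.get("summary"),
                "vulnerable_range": vuln["vulnerable_version_range"],
                "fix": f"upgrade {package} to {patched}" if patched else "no patched version published",
            })
    return findings


# Constructed advisories in the shape of the REST response; ids and text are placeholders.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-placeholder-1", "cve_id": "CVE-placeholder-1", "severity": "high",
     "summary": "constructed example: prototype pollution in demo-lib",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "demo-lib"},
                          "vulnerable_version_range": ">= 4.0.0, < 4.17.21",
                          "first_patched_version": "4.17.21"}]},
    {"ghsa_id": "GHSA-placeholder-2", "cve_id": None, "severity": "moderate",
     "summary": "constructed example: ReDoS in demo-lib 3.x",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "demo-lib"},
                          "vulnerable_version_range": "< 4.0.0",
                          "first_patched_version": "4.0.0"}]},
]

if __name__ == "__main__":
    for finding in enrich("demo-lib", "4.17.20", SAMPLE_ADVISORIES):
        print(finding)
```

Two details matter in practice: an advisory without a `cve_id` still needs to be reported (the record keeps the GHSA id), and a version exactly equal to `first_patched_version` must fall outside the range, which the strict `<` clause guarantees.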
- Go to GitHub Settings → Developer settings → Personal access tokens
- Generate a new token with the `public_repo` scope
- Export the token:

  ```bash
  export GH_TOKEN=your_token
  ```
```bash
# Basic scan
docker run --rm -v $(pwd):/app/scan npm-sca-scanner

# With GitHub token
docker run --rm -v $(pwd):/app/scan -e GH_TOKEN npm-sca-scanner

# Interactive mode (for debugging)
docker run --rm -it -v $(pwd):/app/scan -e GH_TOKEN npm-sca-scanner
```

The project uses separate requirements files for different environments:

- `requirements-prod.txt` - Minimal production dependencies (3 packages)
  - Used by Docker for lean, secure container images
  - Contains only `requests`, `python-dotenv` and `semantic_version`
- `requirements-dev.txt` - Development dependencies (13 packages)
  - Includes the production dependencies plus testing tools
  - Contains pytest and all of its transitive dependencies
Set up the development environment:

```bash
# Install all development dependencies
pip install -r requirements-dev.txt
```

The project includes tests covering three key dependency scenarios:

- Direct Dependencies - Packages listed directly in `package.json`
- Transitive Dependencies - Sub-dependencies with proper dependency chains
- Multiple Introduction Paths - Packages introduced via multiple dependency routes
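The three scenarios correspond to walks over the dependency graph that a lock file encodes. The following is an added example, not the scanner's own code: it reads a constructed lockfileVersion 3 `package-lock.json` (the `packages` map written by npm 7 and later, which is an assumption here; the scanner's parser may treat other lockfile versions differently), builds a name-keyed graph and lists every path from the project root to each package, so a package is direct (a one-hop path), transitive (a longer path) or multiply introduced (more than one path). It assumes one version per package name, i.e. no nested `node_modules` duplicates.

```python
"""Dependency graph and introduction paths from a package-lock.json (added example)."""
import json
from collections import defaultdict

ROOT = "<root>"  # stands for the project itself (the "" entry in the lock file)

# Constructed lockfileVersion 3 lock file for the example; not taken from a real project.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.0", "lodash": "^4.17.0"}},
    "node_modules/express": {"version": "4.18.2",
                             "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
    "node_modules/body-parser": {"version": "1.20.1", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}
""")


def package_name(path):
    """'node_modules/@scope/name' -> '@scope/name'; nested trees keep the last segment."""
    return path.rsplit("node_modules/", 1)[-1]


def build_graph(lock):
    """Return ({name: version}, {name: [dependency names]}) from the 'packages' map.

    Assumption: one version per package name (no nested node_modules duplicates).
    """
    if "packages" not in lock:
        raise ValueError("expected a lockfileVersion 2 or 3 file with a 'packages' map")
    versions, edges = {}, defaultdict(list)
    for path, entry in lock["packages"].items():
        name = ROOT if path == "" else package_name(path)
        if path != "":
            versions[name] = entry.get("version")
        # Version specs (^4.18.0 etc.) do not matter for the graph; only the names do.
        edges[name].extend(entry.get("dependencies", {}))
    return versions, edges


def introduction_paths(edges, target):
    """Every simple path ROOT -> ... -> target (depth-first, cycle-safe)."""
    found = []

    def walk(node, trail):
        if node == target:
            found.append(trail)
            return
        for dep in edges.get(node, []):
            if dep not in trail:  # npm trees can contain cycles; never revisit a node
                walk(dep, trail + [dep])

    walk(ROOT, [ROOT])
    return found


def report(lock):
    """Per package: version, whether it is a direct dependency, and all introduction paths."""
    versions, edges = build_graph(lock)
    result = {}
    for name, version in versions.items():
        paths = introduction_paths(edges, name)
        result[name] = {
            "version": version,
            "direct": any(len(p) == 2 for p in paths),   # ROOT -> name
            "paths": [" > ".join(p[1:]) for p in paths],  # drop the ROOT marker
        }
    return result


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOCK), indent=2))
```

In the sample, `qs` is reached both through `express` directly and through `express > body-parser`, which is the multiple-introduction case: fixing it means bumping whichever of those parents pins the vulnerable version, not just the top-level `package.json`.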
Run tests:

```bash
# Run all tests
pytest
# Run with verbose output
pytest -v
# Run specific test
pytest tests/test_dependencies.py::test_direct_dependencies
```

Project structure:

```
npm_sca_scanner/
├── main.py                   # Main scanner logic
├── functions.py              # Core functions (CVE lookup, version matching)
├── entrypoint.sh             # Docker entrypoint script
├── requirements-prod.txt     # Production dependencies
├── requirements-dev.txt      # Development dependencies
├── tests/                    # Test suite
│   ├── test_dependencies.py  # Dependency scenario tests
│   ├── test_npm_results.json # Mock npm audit data
│   └── test_scan_results.json # Mock scanner output
└── Dockerfile                # Production Docker image
```
The Docker image has been optimized for security and scanned with Trivy:

```
Report Summary
┌─────────────────────────┬────────────┬─────────────────┬─────────┐
│ Target                  │ Type       │ Vulnerabilities │ Secrets │
├─────────────────────────┼────────────┼─────────────────┼─────────┤
│ npm-sca-scanner         │ alpine     │ 0               │ -       │
├─────────────────────────┼────────────┼─────────────────┼─────────┤
│ Python packages         │ python-pkg │ 0               │ -       │
└─────────────────────────┴────────────┴─────────────────┴─────────┘
```

✅ No security vulnerabilities detected

A clean report reflects the vulnerability databases at the time of the scan; rebuild and rescan the image regularly, since new advisories for the Alpine base and the Python packages are published after the fact.

The production image contains only the three essential dependencies:

- `requests` - GitHub API communication
- `python-dotenv` - Environment variable handling
- `semantic_version` - Version range matching
- The project must contain a valid `package-lock.json` file
- Docker must have internet access for the GitHub Advisory API calls