npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@nodesecure/report

v3.0.0

Published

NodeSecure HTML & PDF graphic security report

Downloads

361

Readme

version OpenSSF
Scorecard MIT size

This project is designed to generate periodic security reports in both HTML and PDF formats. It leverages the @nodesecure/scanner to retrieve all necessary data.

| Screen1 | Screen2 | | :----------------------------------: | :----------------------------------: | | | |

Features

  • Automatically clones and scans Git repositories using scanner.cwd.
  • Provides a visual overview of security threats and quality issues for multiple Git or NPM packages.
  • Facilitates visualization of changes over time.
  • Generates reports in both HTML and PDF formats.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ git clone https://github.com/NodeSecure/report.git
$ cd report
$ npm i
$ npm link

After installation, the nreport binary will be available in your terminal.

nreport initialize
nreport execute

[!CAUTION] Please read the following sections to understand how to properly set up the configuration. The initialize command generates an incomplete basic template.

Environment Variables

To configure the project you have to register (set) environment variables on your system. These variables can be set in a .env file (that file must be created at the root of the project).

GIT_TOKEN=
NODE_SECURE_TOKEN=

To known how to get a GIT_TOKEN or how to register environment variables follow our Governance Guide.

[!NOTE] For NODE_SECURE_TOKEN, please check the NodeSecure CLI documentation.

Configuration Example (.nodesecurerc)

This uses the official NodeSecure runtime configuration (@nodesecure/rc) under the hood.

{
  "version": "1.0.0",
  "i18n": "english",
  "strategy": "npm",
  "report": {
    "title": "NodeSecure Security Report",
    "logoUrl": "https://avatars.githubusercontent.com/u/85318671?s=200&v=4",
    "theme": "light",
    "includeTransitiveInternal": false,
    "reporters": ["html", "pdf"],
    "npm": {
      "organizationPrefix": "@nodesecure",
      "packages": ["@nodesecure/js-x-ray"]
    },
    "git": {
      "organizationUrl": "https://github.com/NodeSecure",
      "repositories": ["vulnera"]
    },
    "charts": [
      {
        "name": "Extensions",
        "display": true,
        "interpolation": "d3.interpolateRainbow",
        "type": "bar"
      },
      {
        "name": "Licenses",
        "display": true,
        "interpolation": "d3.interpolateCool",
        "type": "bar"
      },
      {
        "name": "Warnings",
        "display": true,
        "type": "horizontalBar",
        "interpolation": "d3.interpolateInferno"
      },
      {
        "name": "Flags",
        "display": true,
        "type": "horizontalBar",
        "interpolation": "d3.interpolateSinebow"
      }
    ]
  }
}

The theme can be either dark or light. Themes are editable in public/css/themes (feel free to PR new themes if you want).

[!NOTE] All D3 scale-chromatic for charts can be found here.

API

[!CAUTION] The API is ESM only

report

function report(
  scannerDependencies: Scanner.Payload["dependencies"],
  reportConfig: ReportConfiguration,
  reportOptions?: ReportOptions
): Promise<Buffer>;

Generates and returns a PDF Buffer based on the provided report options and scanner payload.

/**
 * Configuration dedicated for NodeSecure Report
 * @see https://github.com/NodeSecure/report
 */
export interface ReportConfiguration {
  /**
   * @default `light`
   */
  theme?: "light" | "dark";
  title: string;
  /**
   * URL to a logo to show on the final HTML/PDF Report
   */
  logoUrl?: string;
  /**
   * Show/categorize internal dependencies as transitive
   * @default false
   */
  includeTransitiveInternal?: boolean;
  npm?: {
    /**
     * NPM organization prefix starting with @
     * @example `@nodesecure`
     */
    organizationPrefix: string;
    packages: string[];
  };
  git?: {
    /**
     * GitHub organization URL
     * @example `https://github.com/NodeSecure`
     */
    organizationUrl: string;
    /**
     * List of repositories
     * name are enough, no need to provide .git URL or any equivalent
     */
    repositories: string[];
  };
  /**
   * @default html,pdf
   */
  reporters?: ("html" | "pdf")[];
  charts?: ReportChart[];
}

export interface ReportChart {
  /**
   * List of available charts.
   */
  name: "Extensions" | "Licenses" | "Warnings" | "Flags";
  /**
   * @default true
   */
  display?: boolean;
  /**
   * Chart.js chart type.
   *
   * @see https://www.chartjs.org/docs/latest/charts
   * @default `bar`
   */
  type?: "bar" | "horizontalBar" | "polarArea" | "doughnut";
  /**
   * D3 Interpolation color. Will be picked randomly by default if not provided.
   * @see https://github.com/d3/d3-scale-chromatic/blob/main/README.md
   */
  interpolation?: string;
}

export interface ReportOptions {
  /**
   * Location where the report will be saved.
   * 
   * If not provided, default to cwd if HTML or PDF is saved on disk, or a temp directory else.
   */
  reportOutputLocation?: string | null;
  /**
   * Save the PDF on disk
   * @default false
   */
  savePDFOnDisk?: boolean;
  /**
   * Save the HTML on disk
   * @default false
   */
  saveHTMLOnDisk?: boolean;
}

Scripts

You can generate a preview of a report using the following NPM scripts

$ npm run preview:light
$ npm run preview:dark

Debug mode

You can write in the file "reports/debug-pkg-repo.txt", all data generated from NPM package and GIT repository scanners using the following option. Usefull if you want to get a preview from this data set.

$ nreport exec --debug

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

License

MIT