npm-scan
Supply chain security scanner for npm packages
SYNOPSIS
npm-scan [package-name | scan-lockfile] [options]
DESCRIPTION
npm-scan is a command-line supply chain security scanner for the npm ecosystem. It combines static and behavioral analysis to flag malicious behavior in packages that signature-based tools miss, including obfuscated code, credential and token exfiltration, kernel-level attacks, and worm-like self-propagation.

The tool can inspect an individual package by name before it is installed, or audit every dependency resolved in a project's lockfile with the scan-lockfile subcommand. Analysis runs locally without telemetry, which makes it suitable for offline use and for gating untrusted dependencies.

npm-scan is designed to slot into CI/CD pipelines: it can emit machine-readable JSON and return a non-zero exit status when a finding meets a chosen severity threshold, so a build can be blocked automatically.
PARAMETERS
scan-lockfile
Scan all dependencies pinned in the project lockfile rather than a single named package.
--json
Print findings as JSON instead of the human-readable report, suitable for piping into other tools.
--fail-on SEVERITY
Exit with a non-zero status when a finding at or above SEVERITY (for example critical) is detected. Use this to break a CI build on dangerous dependencies.
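EXAMPLES
The following Node.js script is an added illustration, not code shipped with npm-scan. It models the two pieces of logic described above: enumerating the dependencies a package-lock.json pins (what scan-lockfile walks, including nested and scoped entries) and applying a --fail-on style severity threshold to a findings report so a CI step gets a non-zero exit status. The lockfile excerpt and the findings are constructed; the findings JSON layout is an assumption, since npm-scan's --json schema is not documented on this page.

```javascript
// Added example, not npm-scan's own code. Shows (1) which dependencies a
// lockfile pins, which is what scan-lockfile audits, and (2) a --fail-on
// style severity gate for CI. The findings JSON layout below is an
// assumption; npm-scan's real --json schema is not documented here.

// Severity order used for "at or above SEVERITY" comparisons.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Constructed package-lock.json (lockfileVersion 3) excerpt. Hashes and URLs
// are placeholders, not real registry data.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-placeholderA",
    },
    "node_modules/@acme/tools": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/@acme/tools/-/tools-2.0.1.tgz",
      integrity: "sha512-placeholderB",
    },
    // Nested copy fetched from a mirror and recorded without an integrity hash.
    "node_modules/@acme/tools/node_modules/minimist": {
      version: "0.0.8",
      resolved: "https://mirror.example.internal/minimist-0.0.8.tgz",
    },
  },
});

// Walk the lockfile's "packages" map and return every pinned dependency.
// The package name is the text after the last "node_modules/", so nested
// and scoped entries ("@scope/name") resolve correctly.
function pinnedDependencies(lockfileText) {
  const lock = JSON.parse(lockfileText);
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const marker = "node_modules/";
  const deps = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // the root project itself, not a dependency
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or local path */ }
    deps.push({
      name,
      version: entry.version,
      fromPublicRegistry: host === "registry.npmjs.org",
      hasIntegrity: typeof entry.integrity === "string",
    });
  }
  return deps;
}

// Constructed findings in the assumed report shape.
const SAMPLE_FINDINGS = JSON.stringify([
  { package: "left-pad", version: "1.3.0", severity: "low", rule: "minified-code" },
  { package: "minimist", version: "0.0.8", severity: "critical", rule: "credential-exfiltration" },
]);

// Apply a --fail-on style threshold: return the findings that block the build
// and the exit status a CI step should use. A finding with an unrecognised
// severity fails closed (it blocks); an unknown threshold is a config error.
function gate(findingsText, failOn) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) {
    throw new Error(`unknown severity threshold: ${failOn}`);
  }
  const blocking = JSON.parse(findingsText).filter((f) => {
    const rank = SEVERITY_RANK[f.severity];
    return rank === undefined || rank >= threshold;
  });
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking };
}

// Combine both checks into one CI decision: pinned deps that look risky even
// before scanning (off-registry source or no integrity hash) plus the
// scanner findings that meet the threshold.
function ciDecision(lockfileText, findingsText, failOn) {
  const suspicious = pinnedDependencies(lockfileText)
    .filter((d) => !d.fromPublicRegistry || !d.hasIntegrity)
    .map((d) => `${d.name}@${d.version}`);
  const { exitCode, blocking } = gate(findingsText, failOn);
  return {
    suspicious,
    blocking: blocking.map((f) => `${f.package}@${f.version} (${f.severity})`),
    exitCode,
  };
}

console.log(JSON.stringify(ciDecision(SAMPLE_LOCKFILE, SAMPLE_FINDINGS, "high"), null, 2));
```

With the constructed data and a threshold of high, the nested minimist copy is reported twice: once as suspicious before any scan (mirror source, no integrity hash) and once as a blocking critical finding, so the decision carries exit code 1. Lowering the threshold to low would also make the left-pad finding blocking; raising it above every finding yields exit code 0.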
CAVEATS
Detection is heuristic, so results can include false positives and false negatives; treat them as signals rather than proof. npm-scan is dual-licensed: MIT for individuals, open-source projects, and evaluation, with a separate paid Business License Agreement required for commercial production use.
SEE ALSO
npm-audit(1), osv-scanner(1), trivy(1), npm(1)
