# Code Scanning Tool

Security and code quality scanning tool.

```bash
npm install @evanjoel/code-scanner
```

## Supported Scanners

| Scanner | Languages | Purpose |
|---------|-----------|---------|
| Dependency-Check | Java, JavaScript, Python, .NET, Ruby, PHP, Go | Vulnerability scanning of dependencies |
| ESLint | JavaScript, TypeScript | Static code analysis and linting |
| NPM Audit | JavaScript, TypeScript | NPM package vulnerability scanning |
| SonarQube | 25+ languages | Comprehensive code quality and security |
| PMD | Java, JavaScript, Apex, Kotlin, Swift, XML, and more | Multi-language static analysis |
## Installation

### Global install

```bash
npm install -g code-scanner
```

### Local install (project dependency)

```bash
npm install code-scanner
```

### Verify the installation

```bash
npx cs --version
```

## Quick Start
### Set up scanners

```bash
# Setup all scanners
npx cs setup

# Setup specific scanner
npx cs setup --scanner eslint
```

### Generate a configuration file

```bash
npx cs config -o cs.config.json
```

### Run a scan

```bash
# Scan current directory with auto-detection
npx cs scan .

# Scan specific directory with custom output
cs scan /path/to/project --output my-results --format html

# Run specific scanner only
cs scan . --scanner dependency-check

# Run with Slack notifications
cs scan . --notify-slack --slack-webhook "your-webhook-url"
```

## Configuration
Create a `cs.config.json` file in your project root. Leave the credential fields (`nvdApiKey`, `token`, `webhookUrl`) as placeholders and supply the real values through the environment variables listed under Environment Variables, so that API keys, tokens and the Slack webhook URL are never committed together with the config file:

```json
{
  "notifications": {
    "slack": {
      "webhookUrl": "https://hooks.slack.com/services/...",
      "channel": "#security-alerts",
      "enabled": true
    }
  },
  "scanners": {
    "dependency-check": {
      "enabled": true,
      "nvdApiKey": "YOUR_NVD_API_KEY"
    },
    "eslint": {
      "enabled": true,
      "configFile": ".eslintrc.js"
    },
    "npm-audit": {
      "enabled": true
    },
    "sonarqube": {
      "enabled": false,
      "serverUrl": "http://localhost:9000",
      "token": "YOUR_SONAR_TOKEN"
    },
    "PMD": {
      "enabled": true
    }
  },
  "reporting": {
    "outputDir": "scan-results",
    "formats": ["json", "html"],
    "severity": "info",
    "failOnSeverity": "high"
  },
  "filters": {
    "exclude": [
      "**/node_modules/**",
      "**/dist/**",
      "**/build/**"
    ]
  }
}
```

## Usage Examples

### Basic scan

```bash
# Auto-detect and scan all supported files
cs scan .
```

### Custom configuration and API keys

```bash
cs scan . \
  --config custom-config.json \
  --nvd-api-key "your-nvd-key" \
  --sonar-url "http://localhost:9000" \
  --sonar-token "your-token"
```

Secrets passed as command-line arguments are written to shell history and are visible to other users of the host through process listings; in CI and on shared machines, prefer the `NVD_API_KEY` and `SONAR_TOKEN` environment variables listed below.

### List available scanners

```bash
cs list
```

## CLI Commands
### cs setup

```bash
cs setup [options]
```

- `-s, --scanner` - Setup specific scanner
- `-a, --all` - Setup all scanners
- `--config` - Use specific configuration file

### cs scan

```bash
cs scan [options]
```

- `-s, --scanner` - Run specific scanner only
- `-o, --output` - Output directory (default: `scan-results`)
- `-f, --format` - Output format: `json`, `html`, `pdf`, `sarif`
- `-p, --parallel` - Run scanners in parallel
- `--severity` - Minimum severity to report: `critical`, `high`, `medium`, `low`, `info`
- `--fail-on` - Exit with a non-zero status when findings at this severity level are present
- `--force` - Force run disabled scanners
- `--notify-slack` - Enable Slack notifications

### cs config

```bash
cs config [options]
```

- `-o, --output` - Output configuration file

### cs report

```bash
cs report [options]
```

- `-f, --format` - Output format
- `-o, --output` - Output directory

## Environment Variables
```bash
# NVD API key for enhanced vulnerability data
export NVD_API_KEY="your-nvd-api-key"

# SonarQube configuration
export SONAR_URL="http://localhost:9000"
export SONAR_TOKEN="your-sonar-token"

# Slack notifications
export SLACK_WEBHOOK_URL="https://hooks.slack.com/services/..."
export SLACK_CHANNEL="#security-alerts"
```
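The Configuration and Environment Variables sections above describe one split: placeholders in `cs.config.json`, real credentials in the environment. The following is an added example, not code shipped with @evanjoel/code-scanner, that lints a config file against that split before it is committed or used in CI. It relies only on the config keys, severity levels and environment variable names documented on this page; the `validateConfig()` function, its result shape, and the convention that `YOUR_...` placeholders (and values ending in `...`) mean "read from the environment" are this example's own assumptions.

```javascript
'use strict';

// Added example, not part of @evanjoel/code-scanner: sanity-check a
// cs.config.json before committing it or running it in CI.
//
// Checks:
//   1. reporting.severity / reporting.failOnSeverity are known levels and the
//      fail gate is not less severe than the reporting floor
//   2. every enabled scanner (and Slack, if enabled) has its credentials,
//      taken either from the file or from NVD_API_KEY / SONAR_URL /
//      SONAR_TOKEN / SLACK_WEBHOOK_URL
//   3. secrets are not hardcoded in the file; "YOUR_..." placeholders (an
//      assumption of this example) mean "read from the environment"

// Severity levels accepted by --severity, most severe first.
const SEVERITIES = ['critical', 'high', 'medium', 'low', 'info'];

// Config fields that may come from the environment instead of the file.
// `secret` marks values that must not be committed (the SonarQube server
// URL is configuration, not a secret).
const ENV_BACKED = {
  'scanners.dependency-check.nvdApiKey': { env: 'NVD_API_KEY', secret: true },
  'scanners.sonarqube.serverUrl': { env: 'SONAR_URL', secret: false },
  'scanners.sonarqube.token': { env: 'SONAR_TOKEN', secret: true },
  'notifications.slack.webhookUrl': { env: 'SLACK_WEBHOOK_URL', secret: true },
};

// "YOUR_NVD_API_KEY", "https://hooks.slack.com/services/..." are placeholders.
const PLACEHOLDER = /^YOUR_[A-Z_]+$|\.\.\.$/;

function getPath(obj, path) {
  return path.split('.').reduce(
    (o, k) => (o && typeof o === 'object' ? o[k] : undefined), obj);
}

// A field counts only if its owning object (e.g. scanners.sonarqube) is enabled.
function isEnabled(config, path) {
  const parent = getPath(config, path.split('.').slice(0, -1).join('.'));
  return Boolean(parent && parent.enabled);
}

function validateConfig(config, env = process.env) {
  const errors = [];
  const warnings = [];
  const sources = {}; // field path -> 'config' | 'env'
  const reporting = config.reporting || {};

  // 1. severity thresholds
  for (const key of ['severity', 'failOnSeverity']) {
    const level = reporting[key];
    if (level !== undefined && !SEVERITIES.includes(level)) {
      errors.push(`reporting.${key}: unknown level "${level}"`);
    }
  }
  const floor = SEVERITIES.indexOf(reporting.severity);
  const gate = SEVERITIES.indexOf(reporting.failOnSeverity);
  if (floor !== -1 && gate !== -1 && gate > floor) {
    warnings.push(
      `reporting.failOnSeverity "${reporting.failOnSeverity}" is less severe than ` +
      `reporting.severity "${reporting.severity}"; findings below the floor are ` +
      'not reported, so the build gate is effectively the floor');
  }

  // 2 + 3. credentials for enabled components
  for (const [path, { env: envName, secret }] of Object.entries(ENV_BACKED)) {
    if (!isEnabled(config, path)) continue;
    const value = getPath(config, path);
    const inFile = typeof value === 'string' && value !== '' && !PLACEHOLDER.test(value);
    if (inFile) {
      sources[path] = 'config';
      if (secret) warnings.push(`${path}: secret hardcoded in config; move it to ${envName}`);
    } else if (env[envName]) {
      sources[path] = 'env';
    } else {
      errors.push(`${path}: not set in config and ${envName} is unset`);
    }
  }

  return { ok: errors.length === 0, errors, warnings, sources };
}

// Constructed sample mirroring the README's cs.config.json (not a real config).
const sampleConfig = {
  notifications: { slack: { webhookUrl: 'https://hooks.slack.com/services/...', channel: '#security-alerts', enabled: true } },
  scanners: {
    'dependency-check': { enabled: true, nvdApiKey: 'YOUR_NVD_API_KEY' },
    eslint: { enabled: true, configFile: '.eslintrc.js' },
    'npm-audit': { enabled: true },
    sonarqube: { enabled: false, serverUrl: 'http://localhost:9000', token: 'YOUR_SONAR_TOKEN' },
    PMD: { enabled: true },
  },
  reporting: { outputDir: 'scan-results', formats: ['json', 'html'], severity: 'info', failOnSeverity: 'high' },
};

// Usage: with NVD_API_KEY and SLACK_WEBHOOK_URL exported, ok is true and
// every credential resolves to 'env'; with an empty environment, two errors.
console.log(JSON.stringify(validateConfig(sampleConfig), null, 2));
```

Run it as a pre-commit hook or as the first step of the CI job that calls `cs scan`: a `config` source for any `secret: true` field means a credential has been written into the repository, and an error means the scan would run without the credential it needs.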