comsysto/dependency-vulnerability-scanner
dependency-vulnerability-scanner

This repository provides scripts to quickly check whether a repository uses certain known-vulnerable dependencies. Supported package managers: npm, pnpm, yarn.

How to use

Execute one of the following commands to download and run the pre-built binary for your operating system.

Run the binary in a folder that contains all of the repositories you want to scan. The scanner is recursive and checks every subfolder as well:

For Mac:

curl -L -O https://github.com/comsysto/dependency-vulnerability-scanner/releases/latest/download/scan-darwin-arm64 \
  && chmod +x scan-darwin-arm64 && ./scan-darwin-arm64

For Linux:

curl -L -O https://github.com/comsysto/dependency-vulnerability-scanner/releases/latest/download/scan-linux-amd64 \
  && chmod +x scan-linux-amd64 && ./scan-linux-amd64

For Windows (PowerShell):

Invoke-WebRequest -Uri "https://github.com/comsysto/dependency-vulnerability-scanner/releases/latest/download/scan-windows-amd64.exe" -OutFile "scan-windows-amd64.exe"; .\scan-windows-amd64.exe

For Windows (Command Prompt):

curl -L -O https://github.com/comsysto/dependency-vulnerability-scanner/releases/latest/download/scan-windows-amd64.exe && scan-windows-amd64.exe

Example output:

Dependency Vulnerability Scanner
=================================

📦 Scanning NPM packages (package-lock.json)...
Found 19 package-lock.json files:
  - test-project/package-lock.json

Scan complete. Found 1 occurrences:
test-project/package-lock.json - uses: ["zuper-stream@2.0.9"]

✅ Scan complete!
Total matches found:
 - 1 in NPM projects
 - 0 in Yarn projects
 - 0 in PNPM projects

How to test locally

Build the binary and copy it into a root folder that contains Node.js projects, then run it from there:

cd node/src
go build -o scanner && cp ./scanner ~/your-workspace
cd ~/your-workspace
./scanner

How to add new affected dependencies

  1. Check whether a structured list of the vulnerable packages is available, e.g. https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/shai-hulud-2-packages.csv
  2. Use utils/extract-versions.sh to extract the affected package versions from the CSV file
  3. Add the resulting strings to dependencies.go, following the existing format
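As an added illustration of how such a name@version list is applied to a lockfile (example code written for this page, not the project's own dependencies.go or matching logic), the Go program below parses the "packages" map of a package-lock.json and reports entries that appear on the affected list. The affected set and the sample lockfile are constructed for the demo; the one affected entry is the package shown in the README's example output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// affected holds "name@version" strings, the dependencies.go format the page describes;
// the single entry is the package from the README's example output (constructed demo set).
var affected = map[string]bool{"zuper-stream@2.0.9": true}

// LockedPackages parses package-lock.json (lockfileVersion 2/3) and returns each
// dependency as "name@version"; keys in "packages" look like "node_modules/<name>".
func LockedPackages(data []byte) ([]string, error) {
	var lf struct {
		Packages map[string]struct {
			Version string `json:"version"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	var out []string
	for key, p := range lf.Packages {
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 {
			continue // key "" is the project itself, not a dependency
		}
		// nested installs look like node_modules/a/node_modules/b: keep the last name
		out = append(out, key[i+len("node_modules/"):]+"@"+p.Version)
	}
	return out, nil
}

// Affected returns the subset of "name@version" strings that are on the affected list.
func Affected(pkgs []string) []string {
	var hits []string
	for _, p := range pkgs {
		if affected[p] {
			hits = append(hits, p)
		}
	}
	return hits
}

// sampleLock is a constructed lockfile fragment so the demo runs offline.
const sampleLock = `{"lockfileVersion":3,"packages":{"":{"name":"demo"},
"node_modules/left-pad":{"version":"1.3.0"},"node_modules/zuper-stream":{"version":"2.0.9"}}}`

func main() {
	pkgs, _ := LockedPackages([]byte(sampleLock))
	fmt.Println(Affected(pkgs)) // [zuper-stream@2.0.9]
}
```

To cover yarn and pnpm as the scanner does, the same Affected check is applied to the name@version pairs parsed from yarn.lock and pnpm-lock.yaml, which use their own formats rather than this JSON structure.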

How to build new versions

Execute the following bash script to create new binaries for the supported operating systems and architectures:

bash utils/build-versions.sh

Create a new release in GitHub

  1. Build the new binaries (see "How to build new versions")
  2. Create a new release manually in GitHub
  3. Upload the binaries from utils/build to the release
  4. Because the download URLs point at releases/latest, new releases are picked up automatically by the curl and Invoke-WebRequest commands above
