extension
Category: Development & Engineering | No API key required

sca-runner

Runs Software Composition Analysis (SCA) to detect vulnerable dependencies. Wraps npm audit and Trivy fs. Use when the user asks to "scan dependencies", "check npm vulnerabilities", run an "SCA scan" or a "dependency audit", or asks for a "dependency scan" or "vulnerability check".

Author: jakexiaohubgithub

SCA Runner

Wrapper for npm audit and Trivy to perform Software Composition Analysis.

Prerequisites

At least one of these tools must be installed:

# npm audit (built into npm)
npm --version

# Trivy (recommended for multi-language support)
brew install trivy
# or
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Usage

# Scan with auto-detection (prefers Trivy if available)
npx sca-runner .

# Force specific scanner
npx sca-runner . --scanner npm
npx sca-runner . --scanner trivy

# JSON output
npx sca-runner . --json

# Check available scanners
npx sca-runner --check

# Scan specific package file
npx sca-runner ./package-lock.json --scanner npm

Supported Package Managers

| Scanner | Languages/Files |
|---------|-----------------|
| npm audit | Node.js (package-lock.json) |
| Trivy | Node.js, Python, Go, Ruby, Rust, Java, .NET |

Output Format

{
  "tool": "trivy",
  "scanPath": ".",
  "scanDate": "2024-01-15T10:30:00Z",
  "findings": [
    {
      "id": "CVE-2024-1234",
      "severity": "critical",
      "package": "lodash",
      "installedVersion": "4.17.20",
      "fixedVersion": "4.17.21",
      "title": "Prototype Pollution",
      "description": "...",
      "cvss": 9.8,
      "cwes": ["CWE-1321"],
      "references": ["https://nvd.nist.gov/..."]
    }
  ],
  "summary": {
    "total": 5,
    "critical": 1,
    "high": 2,
    "medium": 1,
    "low": 1
  }
}

Exit Codes

  • 0: No vulnerabilities found
  • 1: Vulnerabilities detected
  • 2: Tool not installed or error
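The report shape and exit codes above are enough to build a CI gate around the tool. The following is an added example, not code from sca-runner itself: it recounts severities from the findings array instead of trusting the summary, blocks on a configurable threshold, and mirrors the tool's own exit-code convention. The report is a constructed sample; CVE-EXAMPLE-0002 and example-pkg are placeholders, not real identifiers.

```javascript
// Severity ranking used for the threshold; anything the report labels with a
// severity not in this table is treated as blocking (fail closed).
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };

// Constructed sample report in the sca-runner --json shape. The lodash entry
// mirrors the documented example; the second entry is a placeholder.
const sampleReport = {
  tool: "trivy",
  scanPath: ".",
  scanDate: "2024-01-15T10:30:00Z",
  findings: [
    { id: "CVE-2024-1234", severity: "critical", package: "lodash",
      installedVersion: "4.17.20", fixedVersion: "4.17.21",
      title: "Prototype Pollution", cvss: 9.8, cwes: ["CWE-1321"] },
    { id: "CVE-EXAMPLE-0002", severity: "low", package: "example-pkg",
      installedVersion: "1.0.0", fixedVersion: "",
      title: "placeholder finding", cvss: 3.1, cwes: ["CWE-400"] },
  ],
  summary: { total: 2, critical: 1, high: 0, medium: 0, low: 1 },
};

// Recount from findings so a truncated or hand-edited summary cannot pass.
function countBySeverity(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
  for (const f of findings) {
    const sev = String(f.severity || "").toLowerCase();
    counts[sev in counts ? sev : "unknown"] += 1;
  }
  return counts;
}

// Returns exitCode 0 (clean), 1 (findings at or above failOn) or 2 (malformed
// report, handled like a tool error), plus the blocking ids and upgrade hints.
function gateReport(report, failOn = "high") {
  if (!report || !Array.isArray(report.findings) || !(failOn in SEVERITY_RANK)) {
    return { exitCode: 2, blocking: [], fixable: [], counts: null };
  }
  const threshold = SEVERITY_RANK[failOn];
  const blocking = report.findings.filter(
    (f) => (SEVERITY_RANK[String(f.severity).toLowerCase()] ?? Infinity) >= threshold
  );
  // Findings with a fixedVersion are resolved by an upgrade; the rest need a
  // workaround or an explicit accepted-risk record.
  const fixable = blocking.filter((f) => f.fixedVersion).map(
    (f) => `${f.package}@${f.installedVersion} -> ${f.fixedVersion} (${f.id})`
  );
  return { exitCode: blocking.length ? 1 : 0, blocking: blocking.map((f) => f.id),
           fixable, counts: countBySeverity(report.findings) };
}

console.log(JSON.stringify(gateReport(sampleReport, "high"), null, 2));
```

In a pipeline, feed the output of `npx sca-runner . --json` to `gateReport` and use the returned `exitCode` as the job's exit status.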

Common Weakness Classes Detected (CWE)

  • Prototype Pollution (CWE-1321)
  • Regular Expression DoS (CWE-1333)
  • Path Traversal (CWE-22)
  • Code Injection (CWE-94)
  • Denial of Service (CWE-400)