Normal Programming Mistake

    TypeScript icon, indicating that this package has built-in type declarations

    1.4.1 • Public • Published

    Secure Continuous Integration

    version Maintenance Security Responsible Disclosure mit


    This package is available in the Node Package Repository and can be easily installed with npm or yarn.

    $ npm i @nodesecure/ci
    # or
    $ yarn add @nodesecure/ci

    Getting Started

    @nodesecure/ci brings together a set of tools to identify dependencies vulnerabilities and track most common malicious code and patterns.

    Before going further, here is an overview of the available features depending on your project configuration:

    Static Analysis Compatibility

    Static Analysis is powered by @nodesecure/js-x-ray and @nodesecure/scanner.


    For now, TypeScript can't directly be analyzed on the fly. However as you might know, any transpiled TypeScript code is JavaScript code hence can be analyzed.

    Moreover, it is recommended to launch the Static Analysis with a source code state as close as possible to the state of your production code (and before minification). In fact, you want to make sure that you are not introducing anything malicious when you're compiling your code at some point (for production or when transpiling with TypeScript).

    Vulnerabilities Strategy package-lock.json yarn.lock

    Vulnerabilities strategies are powered by @nodesecure/vuln.

    Usage example

    @nodesecure/ci can be used as a Script, as an API or through the GitHub action

    Let's see how to use @nodesecure/ci in these three different ways:

    • API
    • Script
    • GitHub Action


    @nodesecure/ci exposes its pipeline runner as an API to allow use in any other combined workflow.

    import { runPipeline } from "@nodesecure/ci";
    const optionsExample = {
        directory: process.cwd(),
        strategy: "node",
        vulnerabilities: "all",
        warnings: "error",
        reporters: ["console"]
    await runPipeline(optionsExample);
    // => the process can either exit with error code (1) 
    // or no error code (0), depending on the pipeline status.

    If you need a more fine-grained control over the pipeline process, you can provide an "autoExitAfterFailure" property to the entry point options to manually exit or interpret the returned payload.

    const { status, data } = await runPipeline({ autoExitAfterFailure: false });
    if(status === 'success') {
      console.log('Congrats, your code passed all security checks!');
    } else {
      console.log('Whoops, the pipeline failed to pass all checks :(');


    First, add the script in the package.json

      "scripts": {
        "nsci": "nsci"

    Then run it

    $ npm run nsci

    Once the script is run, the @nodesecure/ci pipeline will look for dependencies warnings and vulnerabilities in the current working directory. If any warning or dependency is met, the pipeline will eventually fail depending on the provided .nodesecurerc file.

    GitHub Action

    The documentation of the @nodesecure/ci GitHub Action is detailed here

    Custom configuration

    For now, the configuration is managed internally and is only configurable there:

    • via the CLI when using as a script
    • via the API options when using the exposed Node.js module
    • via the .yaml config file for the GitHub action

    Add CLI options directly in the package.json script

      "scripts": {
        "nsci": "nsci --directory=/Users/user1/myproject"

    Or provide it from the "npm run [script]" command (don't forget to supply "--") or the params will be applied to the "npm run [script]" command.

    $ npm run nsci -- --directory=/Users/user1/myproject
    $ npm run nsci -- --strategy=npm
    $ npm run nsci -- --vulnerability=all
    $ npm run nsci -- --warnings=error
    $ npm run nsci -- --reporters=console

    Or use yarn (params are provided to the target script by default)

    $ yarn nsci --reporters=console

    To see all available options, you can run:

    $ npm run nsci -- --help

    In the future, we aim to expose some sort of configuration like this:

      rootDir: string;
      strategy: "npm" | "node" | "snyk" | "none" // any kind of supported strategy by @nodesecure/vuln
      reporters: ("console" | "html")[];
      rules: {
        vulnerabilities: {
            severity: "all" | "high" | "critical" | "medium" | "low" 
        warnings: {
            "obfuscated-code": "error"
        } // by default, any warning caught by @nodesecure/scanner will fail the pipeline.

    To know more about the future configuration, see @nodesecure/rc


    Two reporters are targeted to work with the @nodesecure/ci. For now, only the "Console" reporter is available.

    • [x] Console
    • [ ] HTML



    All Contributors

    Thanks goes to these wonderful people (emoji key):






    npm i @nodesecure/ci

    DownloadsWeekly Downloads






    Unpacked Size

    91.3 kB

    Total Files


    Last publish


    • antoine-coulon
    • kawacrepe
    • fraxken
    • tonygo