JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 716
  • Score
    100M100P100Q92391F
  • License MIT

Scanning engine for lockhawk: lockfile parsing, OSV.dev vulnerability matching, CVSS v3/v4 scoring, and SARIF/JUnit/HTML reports

Package Exports

  • @lockhawk/core

Readme

@lockhawk/core

The scanning engine behind lockhawk: lockfile parsing, dependency graph building, OSV.dev matching, CVSS v3 and v4 scoring, and report generation (table, JSON, SARIF, JUnit, HTML, Markdown).

Most people want the CLI, not this package. To scan a project, use lockhawk and run npx lockhawk scan. Install @lockhawk/core only if you are building a tool on top of the engine.

Install

npm install @lockhawk/core

Usage

import { scan } from '@lockhawk/core';

const result = await scan({ path: '.', mode: 'auto', failOn: 'high' });
console.log(result.summary, result.findings);

scan() reads the project's lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), resolves the full dependency tree including transitive dependencies, queries OSV.dev (offline from a cached database or online via the batch API), and returns scored, de-duplicated findings.

Documentation

Full docs, CLI usage, and CI/CD recipes live in the main repository: https://github.com/lockhawk/lockhawk

License

MIT