
OpenForgeProject/supply-chain-scanner


Supply Chain Scanner for NPM Packages

By default, this scanner loads affected package versions directly from the GitHub csv folder and then checks your node_modules.

Quick Start (curl)

  1. Download the script

curl -L -o check.js https://raw.githubusercontent.com/OpenForgeProject/supply-chain-scanner/main/check.js

  2. Options to run it in your target project
  • node check.js
  • node check.js -r
  • node check.js /path/to/scan -r

Use a custom GitHub CSV source

node check.js --csv-github-url https://github.com/OWNER/REPO/tree/main/csv

Help

node check.js --help

Verbose output

By default, only found packages are shown in the detailed overview, including compromised and safe installed versions.

Use verbose mode to also list packages that are not installed:

node check.js --verbose

node check.js -r --verbose

Authenticating with GitHub (for higher API limits)

Use a bearer token in the Authorization header:

curl -H "Authorization: Bearer YOUR_TOKEN" https://api.github.com/user

Or run the scanner with GITHUB_TOKEN:

GITHUB_TOKEN=YOUR_TOKEN node check.js

About

This tool scans your local environment for supply-chain-attacked packages, based on the CSV files in ./csv
