Skip to content

Command-line tool for NodeSource Certified Modules 2.0

License

Notifications You must be signed in to change notification settings

nodesource/ncm-cli

Repository files navigation

NCM-CLI

Build Status

The command-line tool for NodeSource Certified Modules 2.0 — designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail — all from the command-line.

Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.

Installation

$ npm install -g ncm-cli

Usage

$ ncm <command> [options]
$ ncm help <command>

Authentication

ncm-cli supports three forms of authentication (required).

1. NodeSource Account:

Sign-in interactively using your NodeSource account email and password.

$ ncm signin

2. Single Sign-on

  • Using a Google account: ncm signin -G, --google
  • Using a GitHub account: ncm signin -g, --github

3. Environment Variable (CI/CD)

$ NCM_TOKEN=<token> ncm <command> [options]

Learn more about obtaining NodeSource service tokens and configuring permissions here.

ncm report

Generates a project-wide report of directory risk and quality of installed or specified packages. The top five riskiest modules detected will be displayed alongside a concise project report.

The directory to generate a report from may be specified via ncm report <dir>. Defaults to using the current working directory.

$ ncm report

╔════════════╗
║ foo Report ║
╚════════════╝

23 packages checked

  ! 2 critical risk
    4 high risk
    4 medium risk
    10 low risk

  ! 6 security vulnerabilities found across 5 modules
    |➔ Run `ncm report --filter=security` for a list

  ! 2 noncompliant modules found
    |➔ Run `ncm report --filter=compliance` for a list

  ! 1 used modules whitelisted
    |➔ Run `ncm whitelist --list` for a list

─────────────────────────────────────────────────────────────────────────────────────────────────
  Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
  Module Name                               Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4                             │ |||| Crit  │ ✓ MIT                 │ X 1L          │
│ superagent @ 1.8.5                       │ |||| Crit  │ ✓ MIT                 │ X 1M 1L       │
│ form-data @ 1.0.0-rc3                    │ |||| High  │ ✓ MIT                 │ ✓ 0           │
│ formidable @ 1.0.16                      │ |||| High  │ X UNKNOWN             │ ✓ 0           │
│ mime @ 1.2.11                            │ |||| High  │ X UNKNOWN             │ X 1L          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘

Full Reports

A report with a list of all modules can be generated by passing --long, -l.

$ ncm report --long

╔════════════╗
║ foo Report ║
╚════════════╝

23 packages checked

  ! 2 critical risk
    4 high risk
    4 medium risk
    10 low risk

  ! 6 security vulnerabilities found across 5 modules
    |➔ Run `ncm report --filter=security` for a list

  ! 2 noncompliant modules found
    |➔ Run `ncm report --filter=compliance` for a list

─────────────────────────────────────────────────────────────────────────────────────────────────
  Whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                               Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ qs @ 6.3.1                               │ |||| Crit  │ ✓ BSD-3-Clause        │ X 1H          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
─────────────────────────────────────────────────────────────────────────────────────────────────
  Non-whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                               Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4                             │ |||| Crit  │ ✓ MIT                 │ X 1L          │
│ superagent @ 1.8.5                       │ |||| Crit  │ ✓ MIT                 │ X 1M 1L       │
│ form-data @ 1.0.0-rc3                    │ |||| High  │ ✓ MIT                 │ ✓ 0           │
│ formidable @ 1.0.16                      │ |||| High  │ X UNKNOWN             │ ✓ 0           │
│ mime @ 1.2.11                            │ |||| High  │ X UNKNOWN             │ X 1L          │
│ qs @ 2.3.3                               │ |||| High  │ ✓ BSD-2-Clause        │ X 1H          │

 ... etc ...

│ mime-types @ 2.1.22                      │ |||| None  │ ✓ MIT                 │ ✓ 0           │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘

Filters

Reports may be filtered based on any of the following flags:

  • --compliance, -c - only display non-compliant packages.
  • --security, -s - only display packages with vulnerabilities.

Options

  • --json, -j - Formats the report in JSON (disabled by default)

ncm details <module{@version}>

Returns a detailed report about a specific module version. Defaults to using the latest version as published to npm if no version is provided.

$ ncm details [email protected]

╔═════════════════════════════════════════╗
║ client-request @ 2.3.0 (within ncm-cli) ║
╚═════════════════════════════════════════╝

┌──────┬───────────┐
│ |||| │ None Risk │
└──────┴───────────┘

Security Risk:
  ✓ 0 security vulnerabilities found
    C 0 critical severity
    H 0 high severity
    M 0 medium severity
    L 0 low severity

┌───┬─────────────────────────────┐
│ ✓ │ No Security Vulnerabilities │
└───┴─────────────────────────────┘

License Risk:
┌───┬─────┐
│ ✓ │ MIT │
└───┴─────┘

Module Risk:
┌───┬────────────────┐
│ ✓ │ No Module Risk │
└───┴────────────────┘

Code Quality (does not affect risk score):
┌───┬────────────────────────────────────────────────────────────────────────────────────────────┐
│ ! │ This package version's size on disk is 40.0 kB.                                            │
└───┴────────────────────────────────────────────────────────────────────────────────────────────┘

Required By (leftmost is directly in your package):
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ (Directly in your package)                                                                 │
└────────────────────────────────────────────────────────────────────────────────────────────┘

ncm install <module{@version}>

Runs and displays ncm details <module{@version}> with an interactive confirmation prompt. If confirmed, attempts to run npm install <module{@version}> with any additional options provided.

The config keys installBin and installCmd can adjust this to work with other package installers if necessary. For more information, see ncm config --help.

ncm whitelist

Display or modify your NodeSource organization’s module whitelist.

ncm whitelist --list

Returns a list containing each module in your NodeSource organization’s whitelist. Public modules are listed alongside their risk score, license compliance, and security summary.

$ ncm whitelist --list

╔══════════════════════════════╗
║ personal Whitelisted Modules ║
╚══════════════════════════════╝

2 modules total
─────────────────────────────────────────────────────────────────────────────────────────────────
  Whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                               Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ express @ 4.0.0                          │ |||| None  │ ✓ MIT                 │ X 1M          │
│ qs @ 6.3.1                               │ |||| None  │ ✓ BSD-3-Clause        │ X 1H          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘

ncm whitelist --add <module@version>

Add one or more modules to your NodeSource organization’s whitelist.

ncm whitelist --remove <module@version>

Remove one or more modules from your NodeSource organization’s whitelist.

ncm orgs

Change your active NodeSource organization, which impacts the whitelist. Defaults to an interactive prompt.

By passing an <orgname>, the interactive part may be skipped.

Input is case sensitive.

ncm config

Access to various configuration settings. For more information, use the help command: ncm config --help

License & Copyright

Copyright 2019 NodeSource — Contributions via DCO 1.1

Licensed under the Apache License, Version 2.0 — see the LICENSE file for details.