bardscan is a TypeScript-focused dependency vulnerability scanner for JavaScript/TypeScript projects.
bardscan is secure-by-default:

- `scan` is offline-only (no network); advisory fetching happens via `db update`
- advisory refresh is split into a dedicated command (`db update`)
- strict privacy mode is the default (`--privacy strict`)
Features:

- Parses `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, and Bun lockfiles (`bun.lock`/`bun.lockb`)
- OSV advisory lookups with local caching
- Optional fallback severity enrichment (OSV detail, CVE/NVD, GHSA)
- Optional import evidence extraction
- JSON / Markdown / SARIF output
- Severity-based CI exit codes
Quick start (source checkout):

```sh
corepack pnpm install
corepack pnpm build

# 1) refresh advisory cache (network)
node ./packages/cli/dist/index.js db update .

# 2) scan using cache only (default behavior)
node ./packages/cli/dist/index.js scan . --format both

# optional one-command convenience (update + offline scan)
node ./packages/cli/dist/index.js scan . --update-db --format both
```

Package-run examples:

```sh
npx bardscan scan .
pnpm dlx bardscan scan .
bunx bardscan scan .
```

Use these files in this repository to bootstrap daily dependency security automation:

- Add Dependabot config from `templates/dependency-guard/dependabot.yml` to `.github/dependabot.yml`.
- Add the reusable scanner workflow from `.github/workflows/reusable-bardscan.yml` (or reference this repo from a central workflows repo).
- Add the caller workflow from `templates/dependency-guard/dependency-guard-workflow.yml` to `.github/workflows/dependency-guard.yml`.
- Add policy automation from `.github/workflows/dependabot-pr-policy.yml` for safe patch/minor auto-merge.
- Add scheduled monitoring from `.github/workflows/dependency-monitor.yml` for SARIF upload and issue notifications.

Pipeline-agnostic templates for GitHub, GitLab, Jenkins, CircleCI, and Azure are documented in `docs/pipeline-templates.md`.
Governance defaults (branch protection, alert dedupe, remediation metrics) are documented in `docs/dependency-governance.md`.
`scan` command defaults:

- `--privacy strict`
- offline scan (`--online` is not supported; passing it is an error)
- output directory: `/tmp/bardscan`

Flags:

- `--format json|md|sarif|both` (default: `both`)
- `--out-dir <dir>` (default: `/tmp/bardscan`)
- `--fail-on critical|high|medium|low|none` (default: `high`)
- `--fail-on-unknown` (default: `false`; fail when unresolved findings exist)
- `--privacy strict|standard` (default: `strict`)
- `--online` (deprecated; scan is offline-only and will error)
- `--offline` (force cache-only scanning)
- `--unknown-as critical|high|medium|low|unknown` (default: `unknown`)
- `--refresh-cache` (bypass cache reads)
- `--update-db` (run `db update` before scan)
- `--osv-url <url>` (custom OSV API base URL)
- `--fallback-calls` (allow extra network lookups for unresolved severities)
- `--redact-paths` (redact target/evidence paths in report outputs)
- `--evidence none|imports`
- `--telemetry off|on` (strict mode rejects `on`)
- `--list-findings none|critical-high|medium-up|all` (default: `none`)
- `--findings-json <path>`
`db update` command: refreshes the advisory cache using the lockfile dependency set.

Flags:

- `--out-dir <dir>` (default: `/tmp/bardscan`)
- `--refresh-cache`
- `--osv-url <url>`
- `--fallback-calls`
Privacy modes:

- `strict` (default): offline, no fallback calls, path redaction on, evidence defaults to `none`, telemetry must be `off`
- `standard`: offline by default, fallback calls enabled by default, path redaction off, evidence defaults to `imports`

In `standard` mode the scan itself still runs offline, but the fallback severity lookups (OSV detail, CVE/NVD, GHSA) may reach the network for findings whose severity is unresolved; use `strict` where outbound traffic must be zero.
To refresh advisory freshness:

```sh
bardscan db update .
bardscan scan .
```

Read locally:

- lockfiles (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `bun.lock`, `bun.lockb`)
- source files only when `--evidence imports` is enabled

Sent in advisory queries:

- package name
- package version
- ecosystem (`npm`)
- optional advisory IDs for detail/fallback lookups

Never sent:

- source code contents
- full lockfile contents
- absolute project paths
- local file contents outside advisory query metadata
Example advisory query payload:

```json
{
  "queries": [
    {
      "package": { "name": "lodash", "ecosystem": "npm" },
      "version": "4.17.19"
    }
  ]
}
```

Advisory cache:

- cache location: `<out-dir>/.cache/osv`
- TTL: 24h
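The following is an added example, not bardscan's own code, showing the data-minimisation contract above end to end: a lockfile dependency set is reduced to name/version pairs, those pairs become the OSV query payload (nothing else leaves the machine), and cached results are keyed on `name@version` and expire after 24h. The lockfile is a constructed sample in the npm lockfile v3 `packages` layout; `PackageLockV3`, `readCache`, the cache entry shape and the `refreshCache` parameter are illustrative assumptions, not the project's internals.

```typescript
// Added example (not part of bardscan): lockfile -> minimal OSV querybatch -> 24h cache.

type Dep = { name: string; version: string };
type OsvQuery = { package: { name: string; ecosystem: "npm" }; version: string };
type OsvQueryBatch = { queries: OsvQuery[] };

// Assumed minimal shape of an npm lockfile v2/v3 "packages" map (only fields used here).
interface PackageLockV3 {
  lockfileVersion: number;
  packages: Record<string, { name?: string; version?: string; link?: boolean }>;
}

// Constructed sample lockfile: a root entry, a scoped package, a nested duplicate
// that must be de-duplicated, a workspace source dir, and a symlink entry to skip.
const SAMPLE_LOCKFILE: PackageLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "packages/local-tool": { name: "local-tool", version: "0.1.0" },
    "node_modules/local-tool": { link: true },
    "node_modules/lodash": { version: "4.17.19" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
    "node_modules/minimist": { version: "1.2.5" },
    "node_modules/mkdirp/node_modules/minimist": { version: "1.2.5" },
  },
};

// Registry package name = everything after the last "node_modules/", which keeps the
// "@scope/" prefix. Keys without that marker are the root or workspace sources.
function nameFromKey(key: string): string | null {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx < 0 ? null : key.slice(idx + marker.length);
}

// De-duplicated, sorted name@version set. Links and versionless entries are skipped.
function dependencySet(lock: PackageLockV3): Dep[] {
  const byKey = new Map<string, Dep>();
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = nameFromKey(key);
    if (name === null || entry.link || !entry.version) continue;
    byKey.set(`${name}@${entry.version}`, { name, version: entry.version });
  }
  return Array.from(byKey.keys()).sort().map((k) => byKey.get(k) as Dep);
}

// The only data that leaves the machine: name, version, ecosystem. No paths, no lockfile text.
function buildOsvQueryBatch(deps: Dep[]): OsvQueryBatch {
  return {
    queries: deps.map((d) => ({ package: { name: d.name, ecosystem: "npm" }, version: d.version })),
  };
}

// Cache keyed on name@version only, so the cache itself never records project paths.
const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // matches the README's 24h TTL
interface CacheEntry { fetchedAt: number; vulns: string[] } // assumed entry shape

function cacheKey(dep: Dep): string {
  return `${dep.name}@${dep.version}`;
}

// Returns cached advisory IDs, or undefined on a miss, on a stale entry, or when
// `refreshCache` models --refresh-cache (bypass cache reads).
function readCache(cache: Map<string, CacheEntry>, dep: Dep, now: number, refreshCache = false): string[] | undefined {
  if (refreshCache) return undefined;
  const hit = cache.get(cacheKey(dep));
  if (!hit || now - hit.fetchedAt >= CACHE_TTL_MS) return undefined;
  return hit.vulns;
}

// Usage: build the payload for the sample lockfile (three unique registry packages).
const SAMPLE_PAYLOAD = buildOsvQueryBatch(dependencySet(SAMPLE_LOCKFILE));
```

A quick check on the serialised `SAMPLE_PAYLOAD` is that it contains no `node_modules` path fragments and no lockfile fields other than name and version; that is the property the "Never sent" list promises, and it is worth asserting in a test rather than trusting by inspection.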
Exit codes:

- `0`: no findings at/above threshold
- `1`: findings at/above threshold (or, with `--fail-on-unknown`, unresolved findings present)
- `2`: tool error
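To make the interaction between `--fail-on`, `--unknown-as`, `--fail-on-unknown` and `--list-findings` concrete, here is an added example (not bardscan's own code) that derives the `0`/`1` exit code and the listed subset from a set of findings. The severity ranking, the `Finding` shape and the rule that an "unknown" severity never satisfies a threshold unless remapped by `--unknown-as` are assumptions modelled on the flag descriptions; the findings and advisory IDs are constructed sample data. Exit code `2` (tool error) is outside this function.

```typescript
// Added example (not part of bardscan): severity threshold and exit-code evaluation.

type Severity = "critical" | "high" | "medium" | "low" | "unknown";
type FailOn = "critical" | "high" | "medium" | "low" | "none";
type ListMode = "none" | "critical-high" | "medium-up" | "all";

// Assumed finding shape; real reports carry more fields.
interface Finding { pkg: string; version: string; id: string; severity: Severity }

interface ExitOptions {
  failOn: FailOn;         // --fail-on
  unknownAs: Severity;    // --unknown-as
  failOnUnknown: boolean; // --fail-on-unknown
}

// README defaults: --fail-on high, --unknown-as unknown, --fail-on-unknown false.
const DEFAULT_OPTIONS: ExitOptions = { failOn: "high", unknownAs: "unknown", failOnUnknown: false };

// Numeric ranking so thresholds compare with >=. "unknown" is handled separately.
const RANK: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1, unknown: 0 };

// --unknown-as remaps unresolved severities; everything else passes through.
function effectiveSeverity(f: Finding, opts: ExitOptions): Severity {
  return f.severity === "unknown" ? opts.unknownAs : f.severity;
}

// "none" disables the threshold; an unresolved severity never meets one by itself.
function meetsThreshold(sev: Severity, failOn: FailOn): boolean {
  if (failOn === "none" || sev === "unknown") return false;
  return RANK[sev] >= RANK[failOn];
}

// 0: nothing at/above threshold. 1: something at/above threshold, or unresolved
// findings remain and --fail-on-unknown is set. (2, tool error, is not modelled.)
function exitCode(findings: Finding[], opts: ExitOptions = DEFAULT_OPTIONS): 0 | 1 {
  const sevs = findings.map((f) => effectiveSeverity(f, opts));
  if (sevs.some((s) => meetsThreshold(s, opts.failOn))) return 1;
  if (opts.failOnUnknown && sevs.some((s) => s === "unknown")) return 1;
  return 0;
}

// --list-findings subset; "critical-high" and "medium-up" reuse the threshold logic.
function listFindings(findings: Finding[], mode: ListMode, opts: ExitOptions = DEFAULT_OPTIONS): Finding[] {
  if (mode === "none") return [];
  if (mode === "all") return findings;
  const floor: FailOn = mode === "critical-high" ? "high" : "medium";
  return findings.filter((f) => meetsThreshold(effectiveSeverity(f, opts), floor));
}

// Constructed sample findings (placeholder advisory IDs, not real advisories).
const SAMPLE_FINDINGS: Finding[] = [
  { pkg: "lodash", version: "4.17.19", id: "ADV-0001", severity: "high" },
  { pkg: "minimist", version: "1.2.5", id: "ADV-0002", severity: "medium" },
  { pkg: "leftpad", version: "0.0.1", id: "ADV-0003", severity: "unknown" },
];

// Usage: with defaults the high finding alone makes the CI step fail.
const DEFAULT_EXIT = exitCode(SAMPLE_FINDINGS);
```

The practical point for a pipeline: raising `--fail-on` to `critical` silently lets the unresolved finding through unless `--fail-on-unknown` is also set or `--unknown-as` pins it to a severity, so gate both knobs together when the scanner runs without fallback lookups.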
Run the test suite:

```sh
corepack pnpm test
```

Demo fixture: `examples/vulnerable-demo`
Deterministic offline demo cache: `examples/vulnerable-demo/.bardscan/.cache/osv`

```sh
corepack pnpm demo:scan
```