The command-line tool for NodeSource Certified Modules 2.0 — designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail — all from the command-line.
Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.
$ npm install -g ncm-cli
$ ncm <command> [options]
$ ncm help <command>
ncm-cli supports three forms of authentication (required).
Sign-in interactively using your NodeSource account email and password.
$ ncm signin
- Using a Google account:
ncm signin -G, --google - Using a GitHub account:
ncm signin -g, --github
$ NCM_TOKEN=<token> ncm <command> [options]
Learn more about obtaining NodeSource service tokens and configuring permissions here.
Generates a project-wide report of directory risk and quality of installed or specified packages. The top five riskiest modules detected will be displayed alongside a concise project report.
The directory to generate a report from may be specified via ncm report <dir>.
Defaults to using the current working directory.
$ ncm report
╔════════════╗
║ foo Report ║
╚════════════╝
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
|➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
|➔ Run `ncm report --filter=compliance` for a list
! 1 used modules whitelisted
|➔ Run `ncm whitelist --list` for a list
─────────────────────────────────────────────────────────────────────────────────────────────────
Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │
│ superagent @ 1.8.5 │ |||| Crit │ ✓ MIT │ X 1M 1L │
│ form-data @ 1.0.0-rc3 │ |||| High │ ✓ MIT │ ✓ 0 │
│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │
│ mime @ 1.2.11 │ |||| High │ X UNKNOWN │ X 1L │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
A report with a list of all modules can be generated by passing --long, -l.
$ ncm report --long
╔════════════╗
║ foo Report ║
╚════════════╝
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
|➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
|➔ Run `ncm report --filter=compliance` for a list
─────────────────────────────────────────────────────────────────────────────────────────────────
Whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ qs @ 6.3.1 │ |||| Crit │ ✓ BSD-3-Clause │ X 1H │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
─────────────────────────────────────────────────────────────────────────────────────────────────
Non-whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │
│ superagent @ 1.8.5 │ |||| Crit │ ✓ MIT │ X 1M 1L │
│ form-data @ 1.0.0-rc3 │ |||| High │ ✓ MIT │ ✓ 0 │
│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │
│ mime @ 1.2.11 │ |||| High │ X UNKNOWN │ X 1L │
│ qs @ 2.3.3 │ |||| High │ ✓ BSD-2-Clause │ X 1H │
... etc ...
│ mime-types @ 2.1.22 │ |||| None │ ✓ MIT │ ✓ 0 │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Reports may be filtered based on any of the following flags:
--compliance, -c- only display non-compliant packages.--security, -s- only display packages with vulnerabilities.
--json, -j- Formats the report in JSON (disabled by default)
Returns a detailed report about a specific module version.
Defaults to using the latest version as published to npm if no version is provided.
$ ncm details [email protected]
╔═════════════════════════════════════════╗
║ client-request @ 2.3.0 (within ncm-cli) ║
╚═════════════════════════════════════════╝
┌──────┬───────────┐
│ |||| │ None Risk │
└──────┴───────────┘
Security Risk:
✓ 0 security vulnerabilities found
C 0 critical severity
H 0 high severity
M 0 medium severity
L 0 low severity
┌───┬─────────────────────────────┐
│ ✓ │ No Security Vulnerabilities │
└───┴─────────────────────────────┘
License Risk:
┌───┬─────┐
│ ✓ │ MIT │
└───┴─────┘
Module Risk:
┌───┬────────────────┐
│ ✓ │ No Module Risk │
└───┴────────────────┘
Code Quality (does not affect risk score):
┌───┬────────────────────────────────────────────────────────────────────────────────────────────┐
│ ! │ This package version's size on disk is 40.0 kB. │
└───┴────────────────────────────────────────────────────────────────────────────────────────────┘
Required By (leftmost is directly in your package):
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ (Directly in your package) │
└────────────────────────────────────────────────────────────────────────────────────────────┘
Runs and displays ncm details <module{@version}> with an interactive confirmation prompt.
If confirmed, attempts to run npm install <module{@version}> with any additional options provided.
The config keys installBin and installCmd can adjust this to work with other package installers if necessary.
For more information, see ncm config --help.
Display or modify your NodeSource organization’s module whitelist.
Returns a list containing each module in your NodeSource organization’s whitelist. Public modules are listed alongside their risk score, license compliance, and security summary.
$ ncm whitelist --list
╔══════════════════════════════╗
║ personal Whitelisted Modules ║
╚══════════════════════════════╝
2 modules total
─────────────────────────────────────────────────────────────────────────────────────────────────
Whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ express @ 4.0.0 │ |||| None │ ✓ MIT │ X 1M │
│ qs @ 6.3.1 │ |||| None │ ✓ BSD-3-Clause │ X 1H │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Add one or more modules to your NodeSource organization’s whitelist.
Remove one or more modules from your NodeSource organization’s whitelist.
Change your active NodeSource organization, which impacts the whitelist. Defaults to an interactive prompt.
By passing an <orgname>, the interactive part may be skipped.
Input is case sensitive.
Access to various configuration settings.
For more information, use the help command: ncm config --help
Copyright 2019 NodeSource — Contributions via DCO 1.1
Licensed under the Apache License, Version 2.0 — see the LICENSE file for details.