NCM-CLI
The command-line tool for NodeSource Certified Modules 2.0 -- designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail -- all from the command-line.
Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.
Installation
$ npm install -g ncm-cli
Usage
$ ncm [options]
$ ncm help
Authentication
Authentication is required. ncm-cli supports three forms:
1. NodeSource Account:
Sign-in interactively using your NodeSource account email and password.
$ ncm signin
2. Single Sign-on
- Using a Google account (-G, --google):
$ ncm signin --google
- Using a GitHub account (-g, --github):
$ ncm signin --github
3. Environment Variable (CI/CD): set NCM_TOKEN to a NodeSource service token.
$ NCM_TOKEN= ncm [options]
Learn more about obtaining NodeSource service tokens and configuring permissions here.
ncm report
Generates a project-wide report of the risk and quality of the packages installed in a directory (or of the packages you specify). The five riskiest modules detected are displayed alongside a concise project summary.
The directory to report on may be passed as an argument to ncm report; it defaults to the current working directory.
$ ncm report
+------------+
| foo Report |
+------------+
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
| Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
| Run `ncm report --filter=compliance` for a list
! 1 used modules whitelisted
| Run `ncm whitelist --list` for a list
-------------------------------------------------------------------------------------------------
Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
+------------------------------------------+------------+-----------------------+---------------+
| mime @ 1.3.4 | |||| Crit | MIT | X 1L |
| superagent @ 1.8.5 | |||| Crit | MIT | X 1M 1L |
| form-data @ 1.0.0-rc3 | |||| High | MIT | 0 |
| formidable @ 1.0.16 | |||| High | X UNKNOWN | 0 |
| mime @ 1.2.11 | |||| High | X UNKNOWN | X 1L |
+------------------------------------------+------------+-----------------------+---------------+
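The plain-text report above is what a CI job sees when it runs ncm report. The following Node script is an added example, not part of ncm-cli: it parses that output (the README's own sample is embedded as constructed input), extracts the summary counts and the per-module risk, license and vulnerability cells, and returns the reasons a build should fail under a simple policy. The column layout it assumes is the one shown above; the gateReasons policy thresholds are the example's own, and where --json output is available its schema is the more robust source to gate on.

```javascript
'use strict';

// Constructed sample input: the `ncm report` output quoted in this README.
const SAMPLE_REPORT = `
+------------+
| foo Report |
+------------+
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
| Run \`ncm report --filter=security\` for a list
! 2 noncompliant modules found
| Run \`ncm report --filter=compliance\` for a list
-------------------------------------------------------------------------------------------------
Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
+------------------------------------------+------------+-----------------------+---------------+
| mime @ 1.3.4 | |||| Crit | MIT | X 1L |
| superagent @ 1.8.5 | |||| Crit | MIT | X 1M 1L |
| form-data @ 1.0.0-rc3 | |||| High | MIT | 0 |
| formidable @ 1.0.16 | |||| High | X UNKNOWN | 0 |
| mime @ 1.2.11 | |||| High | X UNKNOWN | X 1L |
+------------------------------------------+------------+-----------------------+---------------+
`;

// One module row: "| name @ version | |||| Risk | [X ]License | Security |".
// The risk bar is drawn with pipes, so the row is matched as a whole
// (the bar is skipped with [\s|]*) instead of being split on "|".
const ROW_RE = /^\|\s*(\S+)\s*@\s*(\S+)\s*\|[\s|]*(Crit|High|Med|Medium|Low|None)\s*\|\s*(X\s+)?([^|]+?)\s*\|\s*([^|]*?)\s*\|\s*$/;

// Severity letters used in the Security column (C/H/M/L as in `ncm details`).
const SEVERITY = { C: 'critical', H: 'high', M: 'medium', L: 'low' };

// "X 1M 1L" -> { medium: 1, low: 1 }; "0" -> {}
function parseSecurityCell(cell) {
  const counts = {};
  for (const m of cell.matchAll(/(\d+)([CHML])/g)) {
    const sev = SEVERITY[m[2]];
    counts[sev] = (counts[sev] || 0) + Number(m[1]);
  }
  return counts;
}

// Walk the report line by line, collecting summary counters and module rows.
function parseReport(text) {
  const summary = {};
  const modules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^(\d+) packages checked$/))) {
      summary.packagesChecked = Number(m[1]);
    } else if ((m = line.match(/^!?\s*(\d+) (critical|high|medium|low) risk$/))) {
      summary[m[2] + 'Risk'] = Number(m[1]);
    } else if ((m = line.match(/^!?\s*(\d+) security vulnerabilities found across (\d+) modules$/))) {
      summary.vulnerabilities = Number(m[1]);
      summary.vulnerableModules = Number(m[2]);
    } else if ((m = line.match(/^!?\s*(\d+) noncompliant modules found$/))) {
      summary.noncompliant = Number(m[1]);
    } else if ((m = line.match(ROW_RE))) {
      modules.push({
        name: m[1],
        version: m[2],
        risk: m[3],
        licenseFlagged: m[4] !== undefined, // "X" marker before the license
        license: m[5],
        vulnerabilities: parseSecurityCell(m[6]),
      });
    }
  }
  return { summary, modules };
}

// Example gate policy (assumed, not ncm's): fail when more than maxCriticalRisk
// packages are critical risk, when a license is flagged, or when a listed module
// carries a vulnerability of one of the failOnSeverity levels.
// Returns the list of reasons; an empty list means the gate passes.
function gateReasons(report, { maxCriticalRisk = 0, failOnSeverity = ['critical', 'high'] } = {}) {
  const reasons = [];
  const critical = report.summary.criticalRisk || 0;
  if (critical > maxCriticalRisk) reasons.push(`${critical} critical-risk packages`);
  for (const mod of report.modules) {
    if (mod.licenseFlagged) reasons.push(`${mod.name}@${mod.version}: license ${mod.license} flagged`);
    for (const sev of failOnSeverity) {
      const n = mod.vulnerabilities[sev];
      if (n) reasons.push(`${mod.name}@${mod.version}: ${n} ${sev} vulnerability(s)`);
    }
  }
  return reasons;
}

// Stand-alone run against the embedded sample.
const demoReasons = gateReasons(parseReport(SAMPLE_REPORT));
console.log(demoReasons.length ? `FAIL:\n  ${demoReasons.join('\n  ')}` : 'PASS');
```

In a pipeline the script would read the report from stdin (ncm report | node gate.js) and set a non-zero exit code when gateReasons returns anything; only the five rows of the top-risk table are visible here, so pair it with --long when the whole dependency tree must be checked.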
Full Reports
A report listing all modules can be generated by passing --long (-l).
$ ncm report --long
+------------+
| foo Report |
+------------+
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
| Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
| Run `ncm report --filter=compliance` for a list
-------------------------------------------------------------------------------------------------
Whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
+------------------------------------------+------------+-----------------------+---------------+
| qs @ 6.3.1 | |||| Crit | BSD-3-Clause | X 1H |
+------------------------------------------+------------+-----------------------+---------------+
-------------------------------------------------------------------------------------------------
Non-whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
+------------------------------------------+------------+-----------------------+---------------+
| mime @ 1.3.4 | |||| Crit | MIT | X 1L |
| superagent @ 1.8.5 | |||| Crit | MIT | X 1M 1L |
| form-data @ 1.0.0-rc3 | |||| High | MIT | 0 |
| formidable @ 1.0.16 | |||| High | X UNKNOWN | 0 |
| mime @ 1.2.11 | |||| High | X UNKNOWN | X 1L |
| qs @ 2.3.3 | |||| High | BSD-2-Clause | X 1H |
... etc ...
| mime-types @ 2.1.22 | |||| None | MIT | 0 |
+------------------------------------------+------------+-----------------------+---------------+
Filters
Reports may be filtered with any of the following flags:
--compliance, -c - only display non-compliant packages.
--security, -s - only display packages with vulnerabilities.
Options
--json, -j - formats the report as JSON (disabled by default).
ncm details
Returns a detailed report about a specific module version.
If no version is given, the latest version published to npm is used.
$ ncm details client-request@2.3.0
+-----------------------------------------+
| client-request @ 2.3.0 (within ncm-cli) |
+-----------------------------------------+
+------+-----------+
| |||| | None Risk |
+------+-----------+
Security Risk:
0 security vulnerabilities found
C 0 critical severity
H 0 high severity
M 0 medium severity
L 0 low severity
+---+-----------------------------+
| | No Security Vulnerabilities |
+---+-----------------------------+
License Risk:
+---+-----+
| | MIT |
+---+-----+
Module Risk:
+---+----------------+
| | No Module Risk |
+---+----------------+
Code Quality (does not affect risk score):
+---+--------------------------------------------------------------------------------------------+
| ! | This package version's size on disk is 40.0 kB. |
+---+--------------------------------------------------------------------------------------------+
Required By (leftmost is directly in your package):
+--------------------------------------------------------------------------------------------+
| (Directly in your package) |
+--------------------------------------------------------------------------------------------+