JavaScript

JavaScript package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
javascript-lock-cataloger `pnpm-lock.yaml`		Transitive		Runtime
javascript-lock-cataloger `yarn.lock`		Transitive		Runtime, Dev
javascript-lock-cataloger `package-lock.json`		Transitive		Runtime
javascript-package-cataloger `package.json`		Direct		Runtime

Syft Configuration

Configuration Key	Description
`javascript.include-dev-dependencies`	Controls whether development dependencies should be included in the catalog results, in addition to production dependencies.
`javascript.npm-base-url`	Specifies the base URL for the NPM registry API used when searching for remote license information.
`javascript.search-remote-licenses`	Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.javascript.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

Last modified November 26, 2025: allow local too invocation (d20d613)