@lockhawk/core 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +37 -0
- package/package.json +1 -1
package/README.md
ADDED
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# @lockhawk/core
|
|
2
|
+
|
|
3
|
+
The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk) — lockfile
|
|
4
|
+
parsing, dependency-graph building, [OSV.dev](https://osv.dev) matching, CVSS v3/v4 scoring, and
|
|
5
|
+
report generation (table, JSON, SARIF, JUnit, HTML).
|
|
6
|
+
|
|
7
|
+
> **Most people want the CLI, not this package.** To scan a project, use
|
|
8
|
+
> [`lockhawk`](https://www.npmjs.com/package/lockhawk) — `npx lockhawk scan`. Install
|
|
9
|
+
> `@lockhawk/core` only if you're building a tool on top of the engine.
|
|
10
|
+
|
|
11
|
+
## Install
|
|
12
|
+
|
|
13
|
+
```bash
|
|
14
|
+
npm install @lockhawk/core
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
## Usage
|
|
18
|
+
|
|
19
|
+
```ts
|
|
20
|
+
import { scan } from '@lockhawk/core';
|
|
21
|
+
|
|
22
|
+
const result = await scan({ path: '.', mode: 'auto', failOn: 'high' });
|
|
23
|
+
console.log(result.summary, result.findings);
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
`scan()` reads the project's lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`),
|
|
27
|
+
resolves the full dependency tree (including transitive dependencies), queries OSV.dev — offline
|
|
28
|
+
from a cached database or online via the batch API — and returns scored, de-duplicated findings.
|
|
29
|
+
|
|
30
|
+
## Documentation
|
|
31
|
+
|
|
32
|
+
Full docs, CLI usage, and CI/CD recipes live in the main repository:
|
|
33
|
+
**https://github.com/lockhawk/lockhawk**
|
|
34
|
+
|
|
35
|
+
## License
|
|
36
|
+
|
|
37
|
+
[MIT](https://github.com/lockhawk/lockhawk/blob/main/LICENSE)
|