toolip 1.0.6 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +157 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/alternatives.d.ts +2 -0
- package/dist/src/commands/alternatives.js +17 -0
- package/dist/src/commands/alternatives.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/compare.d.ts +2 -0
- package/dist/src/commands/compare.js +19 -0
- package/dist/src/commands/compare.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/doctor.d.ts +2 -0
- package/dist/src/commands/doctor.js +42 -0
- package/dist/src/commands/doctor.js.map +1 -0
- package/dist/src/commands/git-audit.d.ts +2 -0
- package/dist/src/commands/git-audit.js +37 -0
- package/dist/src/commands/git-audit.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/hook.d.ts +2 -0
- package/dist/src/commands/hook.js +16 -0
- package/dist/src/commands/hook.js.map +1 -0
- package/dist/src/commands/inspect.d.ts +2 -0
- package/dist/src/commands/inspect.js +24 -0
- package/dist/src/commands/inspect.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/learn.d.ts +2 -0
- package/dist/src/commands/learn.js +42 -0
- package/dist/src/commands/learn.js.map +1 -0
- package/dist/src/commands/licenses.d.ts +2 -0
- package/dist/src/commands/licenses.js +40 -0
- package/dist/src/commands/licenses.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/pre-commit.d.ts +2 -0
- package/dist/src/commands/pre-commit.js +37 -0
- package/dist/src/commands/pre-commit.js.map +1 -0
- package/dist/src/commands/profile.d.ts +2 -0
- package/dist/src/commands/profile.js +18 -0
- package/dist/src/commands/profile.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/scan.d.ts +2 -0
- package/dist/src/commands/scan.js +48 -0
- package/dist/src/commands/scan.js.map +1 -0
- package/dist/src/commands/score.d.ts +2 -0
- package/dist/src/commands/score.js +24 -0
- package/dist/src/commands/score.js.map +1 -0
- package/dist/src/commands/self-test.d.ts +2 -0
- package/dist/src/commands/self-test.js +63 -0
- package/dist/src/commands/self-test.js.map +1 -0
- package/dist/src/commands/tree.d.ts +2 -0
- package/dist/src/commands/tree.js +21 -0
- package/dist/src/commands/tree.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vault.d.ts +2 -0
- package/dist/src/commands/vault.js +86 -0
- package/dist/src/commands/vault.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/config/version.d.ts +6 -0
- package/dist/src/config/version.js +29 -0
- package/dist/src/config/version.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/alternatives.d.ts +8 -0
- package/dist/src/core/alternatives.js +35 -0
- package/dist/src/core/alternatives.js.map +1 -0
- package/dist/src/core/analyze-package.d.ts +2 -0
- package/dist/src/core/analyze-package.js +49 -0
- package/dist/src/core/analyze-package.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/compare-packages.d.ts +7 -0
- package/dist/src/core/compare-packages.js +19 -0
- package/dist/src/core/compare-packages.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/dependency-scan.d.ts +17 -0
- package/dist/src/core/dependency-scan.js +70 -0
- package/dist/src/core/dependency-scan.js.map +1 -0
- package/dist/src/core/dependency-tree.d.ts +16 -0
- package/dist/src/core/dependency-tree.js +19 -0
- package/dist/src/core/dependency-tree.js.map +1 -0
- package/dist/src/core/dependency-types.d.ts +17 -0
- package/dist/src/core/dependency-types.js +2 -0
- package/dist/src/core/dependency-types.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/file-walker.d.ts +6 -0
- package/dist/src/core/file-walker.js +27 -0
- package/dist/src/core/file-walker.js.map +1 -0
- package/dist/src/core/git-audit.d.ts +12 -0
- package/dist/src/core/git-audit.js +111 -0
- package/dist/src/core/git-audit.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/hooks.d.ts +1 -0
- package/dist/src/core/hooks.js +14 -0
- package/dist/src/core/hooks.js.map +1 -0
- package/dist/src/core/learn.d.ts +11 -0
- package/dist/src/core/learn.js +163 -0
- package/dist/src/core/learn.js.map +1 -0
- package/dist/src/core/license-analysis.d.ts +18 -0
- package/dist/src/core/license-analysis.js +98 -0
- package/dist/src/core/license-analysis.js.map +1 -0
- package/dist/src/core/load-toolip-ignore.d.ts +5 -0
- package/dist/src/core/load-toolip-ignore.js +35 -0
- package/dist/src/core/load-toolip-ignore.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/npm-registry.d.ts +3 -0
- package/dist/src/core/npm-registry.js +5 -0
- package/dist/src/core/npm-registry.js.map +1 -0
- package/dist/src/core/pre-commit.d.ts +11 -0
- package/dist/src/core/pre-commit.js +22 -0
- package/dist/src/core/pre-commit.js.map +1 -0
- package/dist/src/core/profile-project.d.ts +23 -0
- package/dist/src/core/profile-project.js +119 -0
- package/dist/src/core/profile-project.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/read-dependencies.d.ts +2 -0
- package/dist/src/core/read-dependencies.js +24 -0
- package/dist/src/core/read-dependencies.js.map +1 -0
- package/dist/src/core/report-writer.d.ts +5 -0
- package/dist/src/core/report-writer.js +61 -0
- package/dist/src/core/report-writer.js.map +1 -0
- package/dist/src/core/report.d.ts +34 -0
- package/dist/src/core/report.js +26 -0
- package/dist/src/core/report.js.map +1 -0
- package/dist/src/core/risk-score.d.ts +5 -0
- package/dist/src/core/risk-score.js +14 -0
- package/dist/src/core/risk-score.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/scanner-context.d.ts +12 -0
- package/dist/src/core/scanner-context.js +27 -0
- package/dist/src/core/scanner-context.js.map +1 -0
- package/dist/src/core/score.d.ts +13 -0
- package/dist/src/core/score.js +44 -0
- package/dist/src/core/score.js.map +1 -0
- package/dist/src/core/security-doctor.d.ts +12 -0
- package/dist/src/core/security-doctor.js +158 -0
- package/dist/src/core/security-doctor.js.map +1 -0
- package/dist/src/core/security-patterns.d.ts +14 -0
- package/dist/src/core/security-patterns.js +139 -0
- package/dist/src/core/security-patterns.js.map +1 -0
- package/dist/src/core/typosquat.d.ts +6 -0
- package/dist/src/core/typosquat.js +50 -0
- package/dist/src/core/typosquat.js.map +1 -0
- package/dist/src/core/vault.d.ts +48 -0
- package/dist/src/core/vault.js +127 -0
- package/dist/src/core/vault.js.map +1 -0
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/errors/toolip-error.d.ts +8 -0
- package/dist/src/errors/toolip-error.js +11 -0
- package/dist/src/errors/toolip-error.js.map +1 -0
- package/dist/src/index.d.ts +2 -0
- package/dist/src/index.js +89 -0
- package/dist/src/index.js.map +1 -0
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/dist/src/utils/error-handler.d.ts +1 -0
- package/dist/src/utils/error-handler.js +24 -0
- package/dist/src/utils/error-handler.js.map +1 -0
- package/dist/src/utils/output.d.ts +6 -0
- package/dist/src/utils/output.js +72 -0
- package/dist/src/utils/output.js.map +1 -0
- package/dist/src/utils/package-output.d.ts +4 -0
- package/dist/src/utils/package-output.js +40 -0
- package/dist/src/utils/package-output.js.map +1 -0
- package/package.json +13 -8
package/README.md
CHANGED
|
@@ -1,599 +1,340 @@
|
|
|
1
1
|
# Toolip
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
<strong>Developer-First Supply Chain Security, Security Hygiene, and Secrets Management CLI</strong>
|
|
5
|
-
</p>
|
|
3
|
+
Developer-first supply-chain security, dependency intelligence, security auditing, Git safety, and encrypted local secrets management from the terminal.
|
|
6
4
|
|
|
7
|
-
|
|
8
|
-
Dependency Intelligence • Security Auditing • Secret Detection • Git Security • Learning Mode • Encrypted Vault
|
|
9
|
-
</p>
|
|
5
|
+
Toolip helps developers inspect what enters their applications, identify risky code and configuration, protect credentials, understand dependency health, and improve project security without requiring a hosted account or dashboard.
|
|
10
6
|
|
|
11
|
-
|
|
7
|
+
## Status
|
|
12
8
|
|
|
13
|
-
|
|
9
|
+
The latest stable release is Toolip v2.0.0.
|
|
14
10
|
|
|
15
|
-
Toolip is
|
|
11
|
+
Toolip v2.0.0 is the current stable release. It combines local vulnerability intelligence, AST-based security analysis, supply-chain auditing, Git security, container checks, SBOM generation, configurable policy, shareable reports, GitHub workflows, and a read-only MCP server.
|
|
16
12
|
|
|
17
|
-
|
|
13
|
+
## Why Toolip Exists
|
|
18
14
|
|
|
19
|
-
|
|
15
|
+
Modern applications rely on large dependency graphs, external services, environment secrets, package lifecycle scripts, Git history, containers, and automated delivery pipelines. Security issues often enter through ordinary development decisions rather than obviously malicious code.
|
|
20
16
|
|
|
21
|
-
|
|
17
|
+
Toolip brings security checks closer to the developer. It is designed to explain findings, distinguish confidence levels, provide practical remediation, and operate locally by default.
|
|
22
18
|
|
|
23
|
-
Toolip
|
|
19
|
+
Toolip does not aim to replace enterprise security platforms. It focuses on useful, understandable checks developers can run during normal development.
|
|
24
20
|
|
|
25
|
-
|
|
26
|
-
* Dependency Intelligence
|
|
27
|
-
* Developer Security Auditing
|
|
28
|
-
* Secret Detection
|
|
29
|
-
* Git Security
|
|
30
|
-
* Security Scorecards
|
|
31
|
-
* Encrypted Local Secret Storage
|
|
32
|
-
* Security Learning Resources
|
|
21
|
+
## Design Principles
|
|
33
22
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
---
|
|
45
|
-
|
|
46
|
-
## Why Toolip?
|
|
47
|
-
|
|
48
|
-
Most tools stop at:
|
|
49
|
-
|
|
50
|
-
```text
|
|
51
|
-
Security issue found.
|
|
52
|
-
```
|
|
53
|
-
|
|
54
|
-
Toolip goes further:
|
|
55
|
-
|
|
56
|
-
* What is wrong?
|
|
57
|
-
* Why does it matter?
|
|
58
|
-
* How risky is it?
|
|
59
|
-
* How do you fix it?
|
|
60
|
-
* What alternatives exist?
|
|
61
|
-
* How can you prevent it in future?
|
|
62
|
-
|
|
63
|
-
The goal is to help developers understand security while improving security posture.
|
|
64
|
-
|
|
65
|
-
---
|
|
23
|
+
- Local-first and privacy-conscious
|
|
24
|
+
- Free and useful without an account
|
|
25
|
+
- Deterministic analysis where possible
|
|
26
|
+
- Explicit confidence for heuristic findings
|
|
27
|
+
- Stable, machine-readable output
|
|
28
|
+
- Actionable remediation
|
|
29
|
+
- Bounded resource usage
|
|
30
|
+
- Opt-in remote integrations
|
|
31
|
+
- Verified npm release artifacts
|
|
32
|
+
- One shared analysis engine across every interface
|
|
66
33
|
|
|
67
34
|
## Installation
|
|
68
35
|
|
|
69
|
-
|
|
36
|
+
Install the latest stable release globally:
|
|
70
37
|
|
|
71
38
|
```bash
|
|
72
39
|
npm install -g toolip
|
|
73
40
|
```
|
|
74
41
|
|
|
75
|
-
Verify installation:
|
|
42
|
+
Verify the installation:
|
|
76
43
|
|
|
77
44
|
```bash
|
|
78
45
|
toolip --version
|
|
46
|
+
toolip self-test
|
|
47
|
+
toolip --help
|
|
79
48
|
```
|
|
80
49
|
|
|
81
|
-
---
|
|
82
|
-
|
|
83
50
|
## Quick Start
|
|
84
51
|
|
|
85
|
-
|
|
52
|
+
Profile the current project:
|
|
86
53
|
|
|
87
54
|
```bash
|
|
88
55
|
toolip profile
|
|
56
|
+
```
|
|
89
57
|
|
|
90
|
-
|
|
58
|
+
Scan dependencies and project security:
|
|
91
59
|
|
|
60
|
+
```bash
|
|
61
|
+
toolip scan
|
|
92
62
|
toolip doctor
|
|
93
|
-
|
|
94
63
|
toolip score
|
|
95
64
|
```
|
|
96
65
|
|
|
97
|
-
|
|
66
|
+
Audit Git safety:
|
|
98
67
|
|
|
99
68
|
```bash
|
|
100
69
|
toolip git-audit
|
|
101
|
-
|
|
102
70
|
toolip pre-commit
|
|
103
71
|
```
|
|
104
72
|
|
|
105
|
-
Inspect
|
|
73
|
+
Inspect dependency choices:
|
|
106
74
|
|
|
107
75
|
```bash
|
|
108
76
|
toolip inspect express
|
|
109
|
-
|
|
110
77
|
toolip compare axios got
|
|
111
|
-
|
|
78
|
+
toolip licenses
|
|
79
|
+
toolip tree
|
|
112
80
|
toolip alternatives request
|
|
113
81
|
```
|
|
114
82
|
|
|
115
|
-
|
|
83
|
+
Use the local encrypted vault:
|
|
116
84
|
|
|
117
85
|
```bash
|
|
118
86
|
toolip vault init
|
|
119
|
-
|
|
120
87
|
toolip vault set DATABASE_URL
|
|
121
|
-
|
|
88
|
+
toolip vault list
|
|
122
89
|
toolip vault get DATABASE_URL
|
|
123
90
|
```
|
|
124
91
|
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
# Features
|
|
128
|
-
|
|
129
|
-
---
|
|
130
|
-
|
|
131
|
-
## Project Fingerprinting
|
|
132
|
-
|
|
133
|
-
```bash
|
|
134
|
-
toolip profile
|
|
135
|
-
```
|
|
136
|
-
|
|
137
|
-
Detects technologies used within a project.
|
|
138
|
-
|
|
139
|
-
Examples:
|
|
140
|
-
|
|
141
|
-
* Node.js
|
|
142
|
-
* TypeScript
|
|
143
|
-
* Fastify
|
|
144
|
-
* Express
|
|
145
|
-
* React
|
|
146
|
-
* PostgreSQL
|
|
147
|
-
* MongoDB
|
|
148
|
-
* Redis
|
|
149
|
-
|
|
150
|
-
Provides technology-aware recommendations.
|
|
151
|
-
|
|
152
|
-
---
|
|
153
|
-
|
|
154
|
-
## Dependency Scanning
|
|
92
|
+
Learn security concepts from the terminal:
|
|
155
93
|
|
|
156
94
|
```bash
|
|
157
|
-
toolip
|
|
95
|
+
toolip learn cors
|
|
96
|
+
toolip learn jwt
|
|
97
|
+
toolip learn dependencies
|
|
158
98
|
```
|
|
159
99
|
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
100
|
+
## Current Commands
|
|
101
|
+
|
|
102
|
+
| Command | Purpose |
|
|
103
|
+
| --- | --- |
|
|
104
|
+
| `toolip self-test` | Run internal diagnostics |
|
|
105
|
+
| `toolip profile` | Detect project technologies and structure |
|
|
106
|
+
| `toolip scan` | Analyze dependency and project risk |
|
|
107
|
+
| `toolip vulnerabilities` | Match resolved npm dependencies against OSV.dev |
|
|
108
|
+
| `toolip ast-scan` | Analyze JavaScript and TypeScript through the TypeScript Compiler API |
|
|
109
|
+
| `toolip reachability` | Show package usage observed in source imports |
|
|
110
|
+
| `toolip install-scripts` | Inspect npm lifecycle scripts for suspicious behavior indicators |
|
|
111
|
+
| `toolip sbom` | Generate CycloneDX 1.5 or SPDX 2.3 JSON |
|
|
112
|
+
| `toolip history` | Inspect local security history and score trends |
|
|
113
|
+
| `toolip config` | Initialize and validate Toolip policy configuration |
|
|
114
|
+
| `toolip package-health <package> <version>` | Inspect package metadata and provenance through deps.dev |
|
|
115
|
+
| `toolip dependency-confusion` | Check internal-looking package names against public npm |
|
|
116
|
+
| `toolip git-history` | Scan local Git history for deleted or historical secrets |
|
|
117
|
+
| `toolip doctor` | Run security hygiene checks |
|
|
118
|
+
| `toolip score` | Calculate a project security score |
|
|
119
|
+
| `toolip inspect <package>` | Inspect npm package metadata and risk signals |
|
|
120
|
+
| `toolip compare <packages...>` | Compare package health and maintenance signals |
|
|
121
|
+
| `toolip licenses` | Analyze dependency licenses |
|
|
122
|
+
| `toolip alternatives <package>` | Suggest maintained package alternatives |
|
|
123
|
+
| `toolip tree` | Display dependency relationships |
|
|
124
|
+
| `toolip vault` | Manage encrypted local secrets |
|
|
125
|
+
| `toolip git-audit` | Audit repository and ignore-file safety |
|
|
126
|
+
| `toolip pre-commit` | Run blocking security checks before commit |
|
|
127
|
+
| `toolip hook install` | Install the Toolip pre-commit hook |
|
|
128
|
+
| `toolip learn [topic]` | Read secure-development lessons |
|
|
129
|
+
| `toolip docker-scan` | Scan Dockerfiles for risky container patterns |
|
|
130
|
+
| `toolip monorepo` | Discover npm and pnpm workspace packages |
|
|
131
|
+
| `toolip audit-repo <url>` | Audit a public GitHub repository through `gh` |
|
|
132
|
+
| `toolip upgrade-pr <package> <version>` | Create a tested dependency-upgrade PR |
|
|
133
|
+
| `toolip diff <base> [head]` | Summarize security-relevant Git changes |
|
|
134
|
+
| `toolip publish` | Generate a static HTML security report |
|
|
135
|
+
| `toolip watch` | Continuously rerun security checks as files change |
|
|
136
|
+
| `toolip announce` | Generate a deterministic security update summary |
|
|
137
|
+
| `toolip mcp` | Start the read-only Toolip MCP server over stdio |
|
|
138
|
+
|
|
139
|
+
Use command-specific help for current options:
|
|
175
140
|
|
|
176
141
|
```bash
|
|
177
|
-
toolip
|
|
142
|
+
toolip doctor --help
|
|
143
|
+
toolip scan --help
|
|
144
|
+
toolip vault --help
|
|
178
145
|
```
|
|
179
146
|
|
|
180
|
-
|
|
147
|
+
## Core Capabilities
|
|
181
148
|
|
|
182
|
-
|
|
183
|
-
* Maintainer information
|
|
184
|
-
* Deprecation status
|
|
185
|
-
* Package metadata
|
|
186
|
-
* Risk score
|
|
149
|
+
### Dependency Intelligence
|
|
187
150
|
|
|
188
|
-
|
|
151
|
+
Toolip reads project manifests and lockfiles, identifies outdated or deprecated dependencies, inspects package metadata, compares alternatives, reports license distribution, and visualizes dependency relationships.
|
|
189
152
|
|
|
190
|
-
|
|
153
|
+
### AST Security Analysis
|
|
191
154
|
|
|
192
|
-
|
|
155
|
+
Toolip uses the TypeScript Compiler API for semantic dangerous-code checks. It resolves supported imports and call targets instead of treating every matching method name as the same operation.
|
|
193
156
|
|
|
194
|
-
|
|
195
|
-
toolip compare axios got
|
|
196
|
-
```
|
|
157
|
+
This prevents regular-expression calls such as `RegExp.exec()` from being reported as shell execution while retaining detection of resolved `child_process.exec()`, `execSync()`, `eval()`, and dynamic `Function` construction.
|
|
197
158
|
|
|
198
|
-
|
|
159
|
+
See [docs/AST-SECURITY.md](docs/AST-SECURITY.md).
|
|
199
160
|
|
|
200
|
-
|
|
201
|
-
* Risk indicators
|
|
202
|
-
* Maintenance activity
|
|
203
|
-
* General package health
|
|
161
|
+
### Reachability Analysis
|
|
204
162
|
|
|
205
|
-
|
|
163
|
+
Toolip maps resolved npm packages to JavaScript and TypeScript imports. It reports observed, possibly reachable, and not-observed states without claiming that static absence proves safety.
|
|
206
164
|
|
|
207
|
-
|
|
165
|
+
See [docs/REACHABILITY.md](docs/REACHABILITY.md).
|
|
208
166
|
|
|
209
|
-
|
|
167
|
+
### Install-Script Analysis
|
|
210
168
|
|
|
211
|
-
|
|
212
|
-
toolip alternatives request
|
|
213
|
-
```
|
|
169
|
+
Toolip inspects npm lifecycle scripts without executing them. It reports network access, shell execution, filesystem changes, obfuscation, and environment-access indicators with explicit confidence.
|
|
214
170
|
|
|
215
|
-
|
|
171
|
+
See [docs/INSTALL-SCRIPT-ANALYSIS.md](docs/INSTALL-SCRIPT-ANALYSIS.md).
|
|
216
172
|
|
|
217
|
-
|
|
218
|
-
* Legacy
|
|
219
|
-
* Poorly maintained
|
|
173
|
+
### Software Bill of Materials
|
|
220
174
|
|
|
221
|
-
|
|
175
|
+
Toolip generates CycloneDX 1.5 and SPDX 2.3 JSON documents from resolved npm dependencies.
|
|
222
176
|
|
|
223
|
-
|
|
177
|
+
See [docs/SBOM.md](docs/SBOM.md).
|
|
224
178
|
|
|
225
|
-
|
|
226
|
-
toolip tree
|
|
227
|
-
```
|
|
179
|
+
### Security Auditing
|
|
228
180
|
|
|
229
|
-
|
|
181
|
+
Toolip checks source and configuration files for secret exposure, unsafe execution, weak security configuration, open CORS policies, JWT risks, missing security-header verification, and other security hygiene concerns.
|
|
230
182
|
|
|
231
|
-
|
|
183
|
+
### Git Safety
|
|
232
184
|
|
|
233
|
-
|
|
234
|
-
* Dependency depth
|
|
235
|
-
* Transitive relationships
|
|
185
|
+
Toolip audits sensitive file patterns, ignore rules, committed artifacts, and pre-commit risks. Git hooks can run Toolip checks before changes enter repository history.
|
|
236
186
|
|
|
237
|
-
|
|
187
|
+
### Local Secrets Management
|
|
238
188
|
|
|
239
|
-
|
|
189
|
+
Toolip Vault provides password-protected local encryption for development secrets. Vault data remains on the user's machine and does not require accounts, synchronization, or hosted storage.
|
|
240
190
|
|
|
241
|
-
|
|
191
|
+
### Security Education
|
|
242
192
|
|
|
243
|
-
|
|
244
|
-
toolip licenses
|
|
245
|
-
```
|
|
246
|
-
|
|
247
|
-
Analyzes project licensing.
|
|
248
|
-
|
|
249
|
-
Provides:
|
|
250
|
-
|
|
251
|
-
* License inventory
|
|
252
|
-
* License distribution
|
|
253
|
-
* Restrictive license warnings
|
|
193
|
+
Learning mode explains security concepts, common mistakes, practical risks, secure alternatives, and recommended development practices.
|
|
254
194
|
|
|
255
|
-
|
|
195
|
+
### Reports
|
|
256
196
|
|
|
257
|
-
|
|
197
|
+
Commands can produce terminal output and machine-readable reports for automation. Toolip v2 introduces a versioned report schema shared across scanning, history, diffs, publishing, watch mode, and MCP tools.
|
|
258
198
|
|
|
259
|
-
|
|
260
|
-
toolip doctor
|
|
261
|
-
```
|
|
199
|
+
## Architecture
|
|
262
200
|
|
|
263
|
-
|
|
201
|
+
Toolip v2 separates interfaces, application services, analyzers, providers, contracts, reporting, and storage.
|
|
264
202
|
|
|
265
|
-
|
|
203
|
+
Commands handle input and presentation. Application services orchestrate work. Analyzers return normalized findings. Providers isolate Git, filesystem, package registry, vulnerability database, and GitHub access. Storage implementations manage cache, policy, history, and baselines.
|
|
266
204
|
|
|
267
|
-
|
|
205
|
+
This structure allows CLI commands, future watch mode, HTML reports, GitHub automation, and the MCP server to reuse one security engine.
|
|
268
206
|
|
|
269
|
-
|
|
207
|
+
See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the architectural model and [docs/ENGINEERING.md](docs/ENGINEERING.md) for development standards.
|
|
270
208
|
|
|
271
|
-
|
|
272
|
-
* API keys
|
|
273
|
-
* JWT secrets
|
|
274
|
-
* AWS credentials
|
|
275
|
-
* Private keys
|
|
276
|
-
* Hardcoded passwords
|
|
209
|
+
## Toolip v2 Capabilities
|
|
277
210
|
|
|
278
|
-
|
|
211
|
+
Toolip v2.0.0 includes:
|
|
279
212
|
|
|
280
|
-
|
|
213
|
+
- OSV-backed CVE and vulnerability matching
|
|
214
|
+
- AST-based JavaScript and TypeScript security analysis
|
|
215
|
+
- package reachability evidence
|
|
216
|
+
- npm lifecycle-script inspection
|
|
217
|
+
- CycloneDX and SPDX SBOM generation
|
|
218
|
+
- historical security trends
|
|
219
|
+
- project policy and severity configuration
|
|
220
|
+
- deps.dev package intelligence
|
|
221
|
+
- dependency-confusion detection
|
|
222
|
+
- full Git-history secret scanning
|
|
223
|
+
- Dockerfile and container configuration analysis
|
|
224
|
+
- monorepo-aware discovery
|
|
225
|
+
- remote public repository audits
|
|
226
|
+
- tested dependency-upgrade pull requests
|
|
227
|
+
- security diffs between commits and branches
|
|
228
|
+
- static HTML report generation
|
|
229
|
+
- real-time terminal watch mode
|
|
230
|
+
- deterministic release-summary generation
|
|
231
|
+
- a read-only MCP server
|
|
281
232
|
|
|
282
|
-
|
|
283
|
-
* Function constructor usage
|
|
284
|
-
* Unsafe shell execution
|
|
285
|
-
* Dangerous runtime patterns
|
|
233
|
+
Remote repository audits and pull-request creation remain opt-in and use the user's own GitHub authorization.
|
|
286
234
|
|
|
287
|
-
|
|
235
|
+
## Configuration
|
|
288
236
|
|
|
289
|
-
|
|
237
|
+
Toolip currently supports `.toolipignore` for scan exclusions.
|
|
290
238
|
|
|
291
|
-
|
|
292
|
-
* Insecure configuration patterns
|
|
293
|
-
* Weak environment practices
|
|
239
|
+
Toolip v2 will introduce a versioned `toolip.config.json` schema supporting path policies, rule severity overrides, test-fixture treatment, suppressions with reasons and expiry dates, provider settings, cache controls, and monorepo behavior.
|
|
294
240
|
|
|
295
|
-
|
|
241
|
+
## Output and Automation
|
|
296
242
|
|
|
297
|
-
|
|
243
|
+
Toolip commands use non-zero exit codes for blocking failures where appropriate. Machine-readable reports are intended for CI, review workflows, historical comparison, and integration with other tools.
|
|
298
244
|
|
|
299
|
-
|
|
300
|
-
* X-Frame-Options
|
|
301
|
-
* X-Content-Type-Options
|
|
302
|
-
* Strict-Transport-Security
|
|
245
|
+
Toolip v2 reports include:
|
|
303
246
|
|
|
304
|
-
|
|
247
|
+
- report schema version
|
|
248
|
+
- Toolip version
|
|
249
|
+
- project identity
|
|
250
|
+
- summary counts
|
|
251
|
+
- normalized findings
|
|
252
|
+
- analyzer metadata
|
|
253
|
+
- provider status
|
|
254
|
+
- generation timestamp
|
|
305
255
|
|
|
306
|
-
|
|
256
|
+
## Development
|
|
307
257
|
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
## Git Audit
|
|
258
|
+
Install dependencies:
|
|
311
259
|
|
|
312
260
|
```bash
|
|
313
|
-
|
|
261
|
+
npm ci
|
|
314
262
|
```
|
|
315
263
|
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
Checks for:
|
|
319
|
-
|
|
320
|
-
* Sensitive files
|
|
321
|
-
* Weak ignore rules
|
|
322
|
-
* Dangerous artifacts
|
|
323
|
-
* Common security mistakes
|
|
324
|
-
|
|
325
|
-
---
|
|
326
|
-
|
|
327
|
-
## Pre-Commit Checks
|
|
264
|
+
Run the complete verification suite:
|
|
328
265
|
|
|
329
266
|
```bash
|
|
330
|
-
|
|
267
|
+
npm run verify
|
|
331
268
|
```
|
|
332
269
|
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
Detects:
|
|
336
|
-
|
|
337
|
-
* Secrets
|
|
338
|
-
* Credentials
|
|
339
|
-
* Security violations
|
|
340
|
-
* Dangerous files
|
|
341
|
-
|
|
342
|
-
Designed to stop mistakes before they reach Git history.
|
|
343
|
-
|
|
344
|
-
---
|
|
345
|
-
|
|
346
|
-
## Git Hook Installation
|
|
270
|
+
Run the CLI from source:
|
|
347
271
|
|
|
348
272
|
```bash
|
|
349
|
-
|
|
273
|
+
npm run dev -- --help
|
|
350
274
|
```
|
|
351
275
|
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
Allows security checks to run automatically before commits.
|
|
355
|
-
|
|
356
|
-
---
|
|
357
|
-
|
|
358
|
-
# Security Scorecards
|
|
276
|
+
Build and execute the compiled CLI:
|
|
359
277
|
|
|
360
278
|
```bash
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
Calculates a security score based on:
|
|
365
|
-
|
|
366
|
-
* Dependency Health
|
|
367
|
-
* Secret Hygiene
|
|
368
|
-
* Configuration Security
|
|
369
|
-
* Git Safety
|
|
370
|
-
|
|
371
|
-
Example:
|
|
372
|
-
|
|
373
|
-
```text
|
|
374
|
-
Dependency Health .... 91
|
|
375
|
-
Secret Hygiene ....... 84
|
|
376
|
-
Configuration ........ 88
|
|
377
|
-
Git Safety ........... 95
|
|
378
|
-
|
|
379
|
-
Overall Score ........ 89
|
|
380
|
-
Grade ................ A
|
|
279
|
+
npm run build
|
|
280
|
+
node dist/src/index.js --help
|
|
381
281
|
```
|
|
382
282
|
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
# Learning Mode
|
|
386
|
-
|
|
387
|
-
One of Toolip's signature features.
|
|
283
|
+
Verify the exact npm release candidate:
|
|
388
284
|
|
|
389
285
|
```bash
|
|
390
|
-
|
|
286
|
+
npm run release:check
|
|
391
287
|
```
|
|
392
288
|
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
Available topics include:
|
|
396
|
-
|
|
397
|
-
* CORS
|
|
398
|
-
* JWT
|
|
399
|
-
* XSS
|
|
400
|
-
* CSRF
|
|
401
|
-
* Authentication
|
|
402
|
-
* Authorization
|
|
403
|
-
* Secrets Management
|
|
404
|
-
* Dependency Security
|
|
405
|
-
|
|
406
|
-
Each lesson includes:
|
|
407
|
-
|
|
408
|
-
* Explanation
|
|
409
|
-
* Risks
|
|
410
|
-
* Common mistakes
|
|
411
|
-
* Secure examples
|
|
412
|
-
* Best practices
|
|
413
|
-
|
|
414
|
-
Designed for developers learning secure software engineering.
|
|
289
|
+
The release check performs type checking, tests, a clean production build, package verification, npm packing, isolated tarball installation, and packaged CLI execution.
|
|
415
290
|
|
|
416
|
-
|
|
291
|
+
## Release Safety
|
|
417
292
|
|
|
418
|
-
|
|
293
|
+
Toolip v1.0.6 exposed an important release-engineering failure: the published npm package did not contain the compiled CLI. Toolip now verifies releases from the packed artifact rather than assuming a successful local build means the package is valid.
|
|
419
294
|
|
|
420
|
-
|
|
295
|
+
A release is blocked unless the tarball contains:
|
|
421
296
|
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
toolip vault init
|
|
428
|
-
```
|
|
429
|
-
|
|
430
|
-
Creates an encrypted local vault.
|
|
431
|
-
|
|
432
|
-
---
|
|
433
|
-
|
|
434
|
-
## Store Secrets
|
|
435
|
-
|
|
436
|
-
```bash
|
|
437
|
-
toolip vault set DATABASE_URL
|
|
438
|
-
```
|
|
439
|
-
|
|
440
|
-
Stores secrets securely.
|
|
441
|
-
|
|
442
|
-
---
|
|
443
|
-
|
|
444
|
-
## Retrieve Secrets
|
|
445
|
-
|
|
446
|
-
```bash
|
|
447
|
-
toolip vault get DATABASE_URL
|
|
448
|
-
```
|
|
449
|
-
|
|
450
|
-
Returns decrypted values after authentication.
|
|
451
|
-
|
|
452
|
-
---
|
|
453
|
-
|
|
454
|
-
## List Secrets
|
|
455
|
-
|
|
456
|
-
```bash
|
|
457
|
-
toolip vault list
|
|
458
|
-
```
|
|
459
|
-
|
|
460
|
-
Displays secret names without revealing values.
|
|
461
|
-
|
|
462
|
-
---
|
|
463
|
-
|
|
464
|
-
## Delete Secrets
|
|
465
|
-
|
|
466
|
-
```bash
|
|
467
|
-
toolip vault delete DATABASE_URL
|
|
297
|
+
```text
|
|
298
|
+
package/package.json
|
|
299
|
+
package/README.md
|
|
300
|
+
package/LICENSE
|
|
301
|
+
package/dist/src/index.js
|
|
468
302
|
```
|
|
469
303
|
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
---
|
|
473
|
-
|
|
474
|
-
## Export Environment Variables
|
|
304
|
+
The packed CLI must also successfully run:
|
|
475
305
|
|
|
476
306
|
```bash
|
|
477
|
-
toolip
|
|
307
|
+
toolip --version
|
|
308
|
+
toolip self-test
|
|
309
|
+
toolip --help
|
|
478
310
|
```
|
|
479
311
|
|
|
480
|
-
|
|
481
|
-
|
|
482
|
-
* development
|
|
483
|
-
* staging
|
|
484
|
-
* production
|
|
485
|
-
|
|
486
|
-
---
|
|
487
|
-
|
|
488
|
-
## Vault Security Features
|
|
312
|
+
See [RELEASING.md](RELEASING.md) for the complete release policy.
|
|
489
313
|
|
|
490
|
-
|
|
491
|
-
* Password Protection
|
|
492
|
-
* Local Storage Only
|
|
493
|
-
* Offline Operation
|
|
314
|
+
## Security
|
|
494
315
|
|
|
495
|
-
|
|
316
|
+
Toolip handles sensitive source files and credentials. Findings redact evidence by default, and remote operations must be explicitly authorized.
|
|
496
317
|
|
|
497
|
-
|
|
318
|
+
Please report suspected Toolip vulnerabilities privately according to [SECURITY.md](SECURITY.md).
|
|
498
319
|
|
|
499
|
-
|
|
320
|
+
## Contributing
|
|
500
321
|
|
|
501
|
-
|
|
322
|
+
Contributions should include tests, clear tradeoffs, and accurate security claims. Analyzer changes require regression coverage and must use the shared finding contracts.
|
|
502
323
|
|
|
503
|
-
|
|
324
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
504
325
|
|
|
505
|
-
|
|
326
|
+
## Changelog
|
|
506
327
|
|
|
507
|
-
|
|
508
|
-
| ------------------- | ---------------------------------- |
|
|
509
|
-
| toolip profile | Fingerprint project technologies |
|
|
510
|
-
| toolip scan | Analyze dependencies |
|
|
511
|
-
| toolip doctor | Perform security audit |
|
|
512
|
-
| toolip score | Generate security scorecard |
|
|
513
|
-
| toolip inspect | Inspect package metadata |
|
|
514
|
-
| toolip compare | Compare packages |
|
|
515
|
-
| toolip alternatives | Suggest replacements |
|
|
516
|
-
| toolip licenses | Analyze licenses |
|
|
517
|
-
| toolip tree | Analyze dependency hierarchy |
|
|
518
|
-
| toolip git-audit | Audit Git hygiene |
|
|
519
|
-
| toolip pre-commit | Run pre-commit security checks |
|
|
520
|
-
| toolip hook install | Install Git hooks |
|
|
521
|
-
| toolip learn | Security education mode |
|
|
522
|
-
| toolip vault | Encrypted local secrets management |
|
|
328
|
+
Release history and unreleased changes are maintained in [CHANGELOG.md](CHANGELOG.md).
|
|
523
329
|
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
# Design Principles
|
|
527
|
-
|
|
528
|
-
Toolip follows several guiding principles:
|
|
529
|
-
|
|
530
|
-
* Developer First
|
|
531
|
-
* CLI First
|
|
532
|
-
* Security Education
|
|
533
|
-
* Local Development Friendly
|
|
534
|
-
* CI/CD Friendly
|
|
535
|
-
* Framework Agnostic
|
|
536
|
-
* Actionable Guidance
|
|
537
|
-
* Secure by Default
|
|
538
|
-
|
|
539
|
-
---
|
|
540
|
-
|
|
541
|
-
# Technology Stack
|
|
542
|
-
|
|
543
|
-
Built with:
|
|
544
|
-
|
|
545
|
-
* TypeScript
|
|
546
|
-
* Node.js
|
|
547
|
-
* Commander.js
|
|
548
|
-
* Vitest
|
|
549
|
-
* Chalk
|
|
550
|
-
* Ora
|
|
551
|
-
* Zod
|
|
552
|
-
* npm Registry APIs
|
|
553
|
-
* Git Integration
|
|
554
|
-
* Node Crypto APIs
|
|
555
|
-
|
|
556
|
-
---
|
|
557
|
-
|
|
558
|
-
# Use Cases
|
|
559
|
-
|
|
560
|
-
Toolip is useful for:
|
|
561
|
-
|
|
562
|
-
* Backend Engineers
|
|
563
|
-
* Platform Engineers
|
|
564
|
-
* DevOps Engineers
|
|
565
|
-
* Open Source Maintainers
|
|
566
|
-
* Startup Teams
|
|
567
|
-
* Full Stack Developers
|
|
568
|
-
* Students Learning Security
|
|
569
|
-
|
|
570
|
-
---
|
|
571
|
-
|
|
572
|
-
# Portfolio Positioning
|
|
573
|
-
|
|
574
|
-
Toolip demonstrates experience with:
|
|
575
|
-
|
|
576
|
-
* TypeScript Engineering
|
|
577
|
-
* CLI Development
|
|
578
|
-
* Security Engineering Concepts
|
|
579
|
-
* Supply Chain Security
|
|
580
|
-
* Secret Management
|
|
581
|
-
* Static Analysis
|
|
582
|
-
* Git Integration
|
|
583
|
-
* Risk Scoring Systems
|
|
584
|
-
* Developer Experience Design
|
|
585
|
-
* Secure Development Workflows
|
|
586
|
-
|
|
587
|
-
---
|
|
588
|
-
|
|
589
|
-
# Author
|
|
590
|
-
|
|
591
|
-
**Ashibuogwu Williams (wbizmo)**
|
|
330
|
+
## Author
|
|
592
331
|
|
|
593
332
|
GitHub: https://github.com/wbizmo
|
|
594
333
|
|
|
595
|
-
|
|
334
|
+
## License
|
|
335
|
+
|
|
336
|
+
Toolip is available under the MIT License.
|
|
596
337
|
|
|
597
|
-
|
|
338
|
+
## Vulnerability Intelligence
|
|
598
339
|
|
|
599
|
-
|
|
340
|
+
Toolip matches resolved npm dependencies against OSV.dev. See [docs/VULNERABILITY-INTELLIGENCE.md](docs/VULNERABILITY-INTELLIGENCE.md).
|