Configuration
Sandworm reads its configuration from a local .sandworm.config.json file in the root directory of the app being audited. Here is an example file that sets most of the available configuration fields (the skip* options and showTips, listed in the table below, are left at their defaults):

.sandworm.config.json
```json
{
  "audit": {
    "includeDev": false,
    "showVersions": false,
    "maxDepth": 10,
    "minDisplayedSeverity": "high",
    "licensePolicy": {
      "high": ["cat:Network Protective", "cat:Strongly Protective"],
      "moderate": ["cat:Weakly Protective"]
    },
    "loadDataFrom": "registry",
    "outputPath": "sandworm",
    "failOn": ["*.critical"]
  }
}
```
Note that all options must go under the audit root key, not directly at the root of the JSON file; options placed at the root are not picked up.

| Option | Default | Description |
|---|---|---|
| includeDev | false | Also include dev dependencies in the audit. This can make audits take noticeably longer, since much more dependency data has to be retrieved from the registry. Keep in mind that dev dependencies still run on developer machines and in CI, so leaving them out leaves that part of the supply chain unaudited. |
| showVersions | false | Whether tree and treemap chart node titles also include the package version. Version info is also available by hovering over a node. |
| maxDepth | 7 | The maximum depth to represent in tree and treemap charts. Useful for large projects with deep dependency graphs. |
| minDisplayedSeverity | high | The minimum severity level for issues to be displayed in the tree and treemap charts. |
| licensePolicy | - | Maps a severity level to the list of license categories that should be reported at that severity, as in the example above. |
| loadDataFrom | registry | One of registry (get package info from the registry API) or disk (get package info from the node_modules directory). Setting this to disk can shorten the audit and make its duration predictable for large projects, but not all supported package information is available locally, so checks that depend on registry-only data have less to work with. When setting this to disk, make sure your dependencies are installed. |
| outputPath | sandworm | The output path for the audit artifact files. |
| failOn | - | Patterns for issues that should make the audit fail; the example above uses "*.critical". |
| skipLicenseIssues | false | Skip scanning for license issues. |
| skipMetaIssues | false | Skip scanning for meta issues. |
| skipTree | false | Don't output the dependency tree chart. |
| forceBuildLargeTrees | false | Force building large dependency tree charts. |
| skipTreemap | false | Don't output the dependency treemap chart. |
| skipCsv | false | Don't output the dependencies CSV file. |
| skipReport | false | Don't output the JSON report. |
| skipAll | false | Don't output any file. |
| showTips | true | Show Sandworm tips while building the dependency graph. |
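A config mistake here is easy to miss: an option placed at the root instead of under audit, a value of the wrong type, or a typo in a key name, and the audit simply runs with the defaults. The following pre-flight check, added here as an example and not part of Sandworm itself, validates a parsed .sandworm.config.json against the option table above before an audit runs. The option names and types come from the table; the valid loadDataFrom values are the two the table documents; the shape assumed for licensePolicy (severity name mapped to a list of category strings) and for failOn (a list of pattern strings) is taken from the example file, and the sample configs at the bottom are constructed for the demonstration.

```javascript
// Added example (not Sandworm's own code): pre-flight validation of a
// .sandworm.config.json object against the option table on this page.

// Option name -> expected JSON type, taken from the option table above.
const OPTIONS = {
  includeDev: 'boolean',
  showVersions: 'boolean',
  maxDepth: 'number',
  minDisplayedSeverity: 'string',
  licensePolicy: 'object',
  loadDataFrom: 'string',
  outputPath: 'string',
  failOn: 'array',
  skipLicenseIssues: 'boolean',
  skipMetaIssues: 'boolean',
  skipTree: 'boolean',
  forceBuildLargeTrees: 'boolean',
  skipTreemap: 'boolean',
  skipCsv: 'boolean',
  skipReport: 'boolean',
  skipAll: 'boolean',
  showTips: 'boolean',
};
// The two values the table documents for loadDataFrom.
const LOAD_DATA_FROM_VALUES = ['registry', 'disk'];

const isOption = (key) => Object.prototype.hasOwnProperty.call(OPTIONS, key);

// typeof alone cannot tell arrays, null and objects apart, so classify explicitly.
function jsonType(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Returns { errors, warnings }. Errors mean the config should be rejected;
// warnings flag keys the option table does not document (usually typos).
function validateSandwormConfig(config) {
  const errors = [];
  const warnings = [];
  if (jsonType(config) !== 'object') {
    return { errors: ['config must be a JSON object'], warnings };
  }
  // A known option at the root instead of under "audit" would not take effect.
  for (const key of Object.keys(config)) {
    if (key === 'audit') continue;
    if (isOption(key)) errors.push(`"${key}" must be nested under "audit", not at the root`);
    else warnings.push(`unknown root key "${key}"`);
  }
  const audit = config.audit;
  if (audit === undefined) {
    errors.push('missing "audit" root key');
    return { errors, warnings };
  }
  if (jsonType(audit) !== 'object') {
    errors.push('"audit" must be an object');
    return { errors, warnings };
  }
  for (const [key, value] of Object.entries(audit)) {
    if (!isOption(key)) { warnings.push(`unknown option "audit.${key}"`); continue; }
    const expected = OPTIONS[key];
    const actual = jsonType(value);
    if (actual !== expected) {
      errors.push(`"audit.${key}" should be ${expected}, got ${actual}`);
      continue;
    }
    if (key === 'loadDataFrom' && !LOAD_DATA_FROM_VALUES.includes(value)) {
      errors.push(`"audit.loadDataFrom" must be one of: ${LOAD_DATA_FROM_VALUES.join(', ')}`);
    }
    if (key === 'maxDepth' && (!Number.isInteger(value) || value < 1)) {
      errors.push('"audit.maxDepth" must be a positive integer');
    }
    if (key === 'failOn' && value.some((p) => typeof p !== 'string')) {
      errors.push('"audit.failOn" must be an array of pattern strings');
    }
    if (key === 'licensePolicy') {
      // Shape assumed from the example file: severity -> list of category strings.
      for (const [severity, categories] of Object.entries(value)) {
        if (!Array.isArray(categories) || categories.some((c) => typeof c !== 'string')) {
          errors.push(`"audit.licensePolicy.${severity}" must be an array of strings`);
        }
      }
    }
  }
  return { errors, warnings };
}

// Constructed sample inputs: one shaped like the example file above, and one
// carrying the mistakes the check is meant to catch.
const GOOD_CONFIG = {
  audit: {
    includeDev: false,
    maxDepth: 10,
    minDisplayedSeverity: 'high',
    licensePolicy: { high: ['cat:Network Protective', 'cat:Strongly Protective'] },
    loadDataFrom: 'registry',
    outputPath: 'sandworm',
    failOn: ['*.critical'],
  },
};
const BAD_CONFIG = {
  includeDev: true,            // at the root instead of under "audit": ignored
  audit: {
    loadDataFrom: 'cache',     // neither registry nor disk
    maxDepth: '7',             // string instead of number
    failOn: '*.critical',      // string instead of array
    skipTreemaps: true,        // typo of skipTreemap: reported as a warning
  },
};

for (const [name, cfg] of Object.entries({ GOOD_CONFIG, BAD_CONFIG })) {
  const { errors, warnings } = validateSandwormConfig(cfg);
  console.log(`${name}: ${errors.length} error(s), ${warnings.length} warning(s)`);
  errors.forEach((e) => console.log('  error:', e));
  warnings.forEach((w) => console.log('  warning:', w));
}
```

To use it on a real project, read .sandworm.config.json from the app root, JSON.parse it, pass the object to validateSandwormConfig, and fail the CI step when errors is non-empty. Treating warnings as errors in CI is also reasonable, since an unknown key is almost always a misspelled option whose intended effect is silently lost.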