First off, thank you for considering contributing to Sandworm.

Following these guidelines helps to communicate that you respect the time of the developers managing and developing this open source project. In return, they should reciprocate that respect in addressing your issue, assessing changes, and helping you finalize your pull requests.

Sandworm is an open source project and we love to receive contributions from our community. There are many ways to contribute, from writing tutorials or blog posts, improving the documentation, submitting bug reports and feature requests or writing code which can be incorporated into Sandworm itself.

How to report a bug

If you find a security issue or a vulnerability in Sandworm, please do NOT open an issue. See instead.

When filing an issue with our GitHub issue tracker, make sure to answer these five questions:

  • What version of Sandworm are you using?

  • What Node version or browser version are you using?

  • What did you do?

  • What did you expect to see?

  • What did you see instead?

Please add the bug label to all bug-reporting issues.

How to suggest a feature or enhancement

If you find yourself wishing for a feature that doesn't exist in Sandworm, you are probably not alone. Please create a new discussion here which describes the feature you would like to see, why you need it, and how it should work.

Ground Rules

Contributor responsibilities:

  • Ensure cross-platform compatibility for every change you make (Node 10+ & all recent major browsers).

  • Create issues for any major changes and enhancements that you wish to make. Discuss things transparently and get community feedback.

  • Keep feature versions as small as possible, preferably one new feature per version.

  • Be welcoming to newcomers and encourage diverse new contributors from all backgrounds. See the Sandworm Community Code of Conduct.


To contribute on an issue:

  • Create your own fork of the code.

  • Run yarn build to build the Sandworm lib. Run yarn dev to watch the source files and rebuild automatically.

  • Do the changes in your fork.

  • See writing tests below.

  • Be sure you have followed the code style for the project:

    • We use a slightly modified version of the Airbnb JavaScript Style Guide for all the core code, and react-app for the Inspector React app.

    • We use Prettier for formatting (see .prettierrc).

    • Everything's enforced via ESLint - run yarn lint to lint everything.

  • Commits should follow the Conventional Commits specification.

  • Send a pull request!

    • Working on your first Pull Request? You can learn how from this free series, How to Contribute to an Open Source Project on GitHub.

    • If a maintainer asks you to "rebase" your PR, they're saying that a lot of code has changed, and that you need to update your branch so it's easier to merge.

Project structure

Directory / FileDescription


The Inspector CLI tool sources


The Inspector server


The Inspector React app


Built lib lives here


Various utility scripts


Sandworm core code


Definitions for all supported methods


Automated tests

Writing tests

Sandworm has several types of test automation you need to consider:

Node capture & enforce tests

  • Located under tests/node

  • Run with Jest

  • Update these if you've added or modified any supported Node functions (under src/library/node.js)

  • Each supported function should ideally have two associated test files:

    • function.capture.test.js, where we test that the function is intercepted by Sandworm, is allowed, and works in dev mode

    • function.enforce.test.js, where, with devMode=false we test that:

      • a function call throws without the proper permissions

      • a function call is allowed and works with the proper permissions

  • These run against the built Sandworm lib, so run yarn build or yarn dev to automatically rebuild when updating sources

  • In the CI, these will execute under multiple Node versions, starting with 10.14

  • Run the suites with yarn test-node-capture, yarn test-node-enforce, or both with yarn test-node-ce

Web capture & enforce tests

  • Located under tests/web

  • Run with Playwright

  • Update these if you've added or modified any supported web functions (under src/library/web.js)

  • Notes above on Node tests also apply here

  • Run the suites with yarn test-web

Unit tests

  • Located under tests/unit

  • Run with Jest

  • Update these if you've made changes to the Sandworm core (under src)

  • When fixing a bug, please provide at least one test that would fail without the proposed fix, but passes with it applied

  • When adding a feature, please provide at least one test for each significant new functionality introduced

  • Run with yarn test-node-unit

To run all tests in a single go, use yarn test-all.

Running the inspector

  • cd to cli/frontend, and:

    • yarn install

    • yarn watch to rebuild the app automatically

  • cd to cli and run ./index.js

  • The server script also serves the built React app. You'll need to manually refresh the browser to get updates whenever you make changes.


This Contributing document is adapted from the Contributing Guides Template.

Last updated