Sandworm Guard

Easy auditing & sandboxing for your JavaScript dependencies 🪱


  • Sandworm Guard intercepts all potentially harmful Node & browser APIs, like arbitrary code execution (child_process.exec) or network calls (fetch). It knows what packages are responsible for each call.

  • Simple obfuscation techniques can confuse static analysis tools, but Sandworm's dynamic analysis will always intercept risky calls at run time.

  • You can use Sandworm Guard to:

    • audit your dependencies, monitor activity and permissions, and see what your code is doing under the hood using the Inspector;

    • generate a security profile automatically from your test suite and do snapshot testing against it;

    • secure your app against supply chain attacks by enforcing per-module permissions.

  • Install it as an npm module in your existing Node or browser app.

  • Works in Node v15+ and modern browsers. Beta support for browsers and sourcemaps.

Get involved

The permission database project

A longer-term goal for Sandworm is to provide an open, public database of per-package permission requirements, based on:

  • running automated tests with Sandworm enabled for public packages;

  • anonymous info about requirements collected from real-world apps by the inspector.

For every method call that Sandworm intercepts, the inspector will share the following info:

  "module": "CALLER_MODULE_NAME",
  "method": "INVOKED_METHOD_NAME",

This will make it easier for everyone to audit packages and set up Sandworm. To opt out of sharing data with the community, run the inspector with the --no-telemetry option. You can also audit what's getting sent and the server code.

How Sandworm is tested

Sandworm has several layers of automated testing:

  • Jest is used to run Node.js capture & enforce tests for all supported Node APIs (tests run on Node 16.10 and above). See the tests/node directory.

  • Playwright is used to run browser capture & enforce tests for all supported browser APIs (tests run on WebKit, Chromium, and Firefox). See the tests/web directory.

  • Jest is used to run unit tests on the core Sandworm source files. See the tests/unit directory.

Check out our latest test run inside our CircleCI pipeline.

Last updated