
Sandworm Guard

Easy auditing & sandboxing for your JavaScript dependencies 🪱

Summary

  • Sandworm Guard intercepts all potentially harmful Node & browser APIs, like arbitrary code execution (child_process.exec) or network calls (fetch). It knows what packages are responsible for each call.
  • Simple obfuscation techniques can confuse static analysis tools, but Sandworm's dynamic analysis will always intercept risky calls at run time.
  • You can use Sandworm Guard to:
    • audit your dependencies, monitor activity and permissions, and see what your code is doing under the hood using the Inspector;
    • generate a security profile automatically from your test suite and do snapshot testing against it;
    • secure your app against supply chain attacks by enforcing per-module permissions.
  • Install it as an npm module in your existing Node or browser app.
  • Works in Node v15+ and modern browsers. Beta support for browsers and sourcemaps.

Get involved

The permission database project

A longer-term goal for Sandworm is to provide an open, public database of per-package permission requirements, based on:
  • running automated tests with Sandworm enabled for public packages;
  • anonymous info about requirements collected from real-world apps by the inspector.
For every method call that Sandworm intercepts, the inspector will share the following info:
{
  "module": "CALLER_MODULE_NAME",
  "family": "INVOKED_METHOD_FAMILY",
  "method": "INVOKED_METHOD_NAME",
  "sessionId": "INSPECTOR_SESSION_ID"
}
This will make it easier for everyone to audit packages and set up Sandworm. To opt out of sharing data with the community, run the inspector with the --no-telemetry option. You can also audit what's getting sent and the server code.
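As an added illustration (not Sandworm's own code or API), the sketch below shows the mechanism the Summary and the record format above describe: a risky function is wrapped at run time, the responsible package is read off the call stack, the call is recorded as a module/family/method event, and a per-module policy decides whether it goes through. The policy, package names, stack traces and the exec stub are all constructed for the example.

```javascript
// Constructed per-module policy: which package may use which method family.
// Unknown packages are denied; the app's own code ("root") is trusted.
const POLICY = {
  'trusted-cli': { child_process: ['exec'] },
  'pretty-colors': {}, // a formatting library has no reason to spawn processes
};

// Events in the same shape the inspector reports (module / family / method).
const events = [];
function recordedEvents() { return events; }

// Attribute a call to a package by finding the first node_modules frame in a
// V8 stack trace, e.g. "    at run (/app/node_modules/pretty-colors/index.js:10:5)".
// Scoped names (@scope/pkg) are kept whole. A real guard must also skip its own frames.
function moduleFromStack(stack) {
  const re = /node_modules[\\/]((?:@[^\\/]+[\\/])?[^\\/]+)/;
  for (const line of stack.split('\n').slice(1)) {
    const m = re.exec(line);
    if (m) return m[1];
  }
  return 'root';
}

function isAllowed(module, family, method) {
  const perms = POLICY[module];
  if (!perms) return module === 'root';
  return (perms[family] || []).includes(method);
}

// Wrap `impl` so every call is attributed, recorded and checked against POLICY.
// `getStack` is injectable so the behaviour can be exercised with constructed traces.
function guard(family, method, impl, getStack = () => new Error().stack) {
  return function guarded(...args) {
    const module = moduleFromStack(getStack());
    events.push({ module, family, method });
    if (!isAllowed(module, family, method)) {
      throw new Error(`blocked: ${module} may not call ${family}.${method}`);
    }
    return impl.apply(this, args);
  };
}

// Stub standing in for child_process.exec; nothing is actually executed.
const fakeExec = (cmd) => `ran:${cmd}`;
const exec = guard('child_process', 'exec', fakeExec);
```

Under a real integration the wrapped `exec` would replace `child_process.exec` so that obfuscated or dynamically built calls are still caught at the point they execute.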

How Sandworm is tested

Sandworm has several layers of automated testing:
  • Jest is used to run Node.js capture & enforce tests for all supported Node APIs (tests run on Node 16.10 and above). See the tests/node directory.
  • Playwright is used to run browser capture & enforce tests for all supported browser APIs (tests run on WebKit, Chromium, and Firefox). See the tests/web directory.
  • Jest is used to run unit tests on the core Sandworm source files. See the tests/unit directory.
Check out our latest test run inside our CircleCI pipeline.