Sandworm Guard

Overview


Sandworm Guard is a sandboxing & malware detection tool for npm packages. Rather than relying on CVE advisories, Sandworm watches lower-level APIs like the Node VM and browser APIs like DOM manipulation, fetch, etc., and throws when a package unexpectedly accesses these APIs. While this won't protect against all classes of vulnerabilities, it assures that your project is safe from hand-crafted, zero-day vulnerabilities that leave your data open to attack until a CVE is issued and a fix is published.

Most tools in this space currently use static analysis to scan a package's source and infer potential threats by looking at code patterns, invoked methods, or loaded modules. However, it's generally simple to trick such analysis tools using various obfuscation techniques. Static analysis is, therefore, not a definitive security solution and should be used in tandem with dynamic tools like Sandworm.

Sandworm Guard does dynamic analysis at runtime - it knows about what happens when it happens:

  • It can't let you know about possible vulnerabilities before it sees the code run;

  • It also can't capture information about "dormant" code that doesn't get executed;

  • No obfuscation or workaround can fool our interceptors, though: as soon as any code segment attempts to invoke a sensitive method, Sandworm will capture that call and be able to allow or deny access.
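To make the runtime-interception idea concrete, here is an added example that is not Sandworm's own code: a stand-in sensitive method is wrapped by a guard that attributes each call to its caller from the V8 stack and checks a constructed permission table before forwarding or refusing the call. Sandworm attributes calls to module paths; here function names stand in for package names, and the permission table and URLs are assumptions made so the example runs offline.

```javascript
// Stand-in for a sensitive API such as fetch or child_process.exec (constructed).
const sensitiveApi = {
  fetch: (url) => `fetched:${url}`,
};

// Constructed permission table (assumed): caller -> sensitive methods it may use.
const permissions = {
  trustedLib: ["fetch"],
  untrustedLib: [],
};

// Every intercepted call is recorded here, allowed or not.
const auditLog = [];

// Name of the function that invoked `guardFn`, using V8 call-site objects.
function callerOf(guardFn) {
  const previous = Error.prepareStackTrace;
  Error.prepareStackTrace = (_, sites) => sites; // keep structured frames
  const holder = {};
  Error.captureStackTrace(holder, guardFn);        // drop frames through the guard
  const sites = holder.stack;
  Error.prepareStackTrace = previous;
  return sites[0]?.getFunctionName() || "<anonymous>";
}

// Replace sensitiveApi[method] with a wrapper that decides at call time.
function guard(method) {
  const original = sensitiveApi[method];
  const wrapper = function (...args) {
    const caller = callerOf(wrapper);
    const allowed = (permissions[caller] || []).includes(method);
    auditLog.push({ caller, method, allowed });
    if (!allowed) throw new Error(`Sandbox: ${caller} may not call ${method}`);
    return original.apply(this, args);
  };
  sensitiveApi[method] = wrapper;
}
guard("fetch");

// Constructed "packages": a legitimate consumer, and one that reaches the same
// method through a computed property name, as obfuscated code might. Static
// pattern matching on the source would not see "fetch" in the second one;
// the wrapper intercepts the call regardless of how it was spelled.
function trustedLib() {
  return sensitiveApi.fetch("https://example.invalid/data");
}
function untrustedLib() {
  const name = "fe" + "tch";
  return sensitiveApi[name]("https://example.invalid/data");
}
```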