NCM-CLI
The command-line tool for NodeSource Certified Modules 2.0 - designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail - all from the command-line.
Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.
Installation
$ npm install -g ncm-cli
Usage
$ ncm <command> [options]
$ ncm help <command>
Authentication
ncm-cli supports three forms of authentication (required).
1. NodeSource Account:
Sign-in interactively using your NodeSource account email and password.
$ ncm signin
2. Single Sign-on
- Using a Google account:
ncm signin -G, --google
- Using a GitHub account:
ncm signin -g, --github
3. Environment Variable (CI/CD)
$ NCM_TOKEN=<token> ncm <command> [options]
Learn more about obtaining NodeSource service tokens and configuring permissions here.
ncm report
Generates a project-wide report of directory risk and quality of installed or specified packages. The top five riskiest modules detected will be displayed alongside a concise project report.
The directory to generate a report from may be specified via ncm report <dir>. Defaults to using the current working directory.
$ ncm report
╔════════════╗
║ foo Report ║
╚════════════╝

  23 packages checked

  ! 2 critical risk
    4 high risk
    4 medium risk
    10 low risk

  ! 6 security vulnerabilities found across 5 modules
    |➔ Run `ncm report --filter=security` for a list
  ! 2 noncompliant modules found
    |➔ Run `ncm report --filter=compliance` for a list
  ! 1 used modules whitelisted
    |➔ Run `ncm whitelist --list` for a list

─────────────────────────────────────────────────────────────────────────────────────────────────
  Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
  Module Name                                Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4                             │ |||| Crit  │ ✓ MIT                 │ X 1L          │
│ superagent @ 1.8.5                       │ |||| Crit  │ ✓ MIT                 │ X 1M 1L       │
│ form-data @ 1.0.0-rc3                    │ |||| High  │ ✓ MIT                 │ ✓ 0           │
│ formidable @ 1.0.16                      │ |||| High  │ X UNKNOWN             │ ✓ 0           │
│ mime @ 1.2.11                            │ |||| High  │ X UNKNOWN             │ X 1L          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Full Reports
A report with a list of all modules can be generated by passing --long, -l.
$ ncm report --long
╔════════════╗
║ foo Report ║
╚════════════╝

  23 packages checked

  ! 2 critical risk
    4 high risk
    4 medium risk
    10 low risk

  ! 6 security vulnerabilities found across 5 modules
    |➔ Run `ncm report --filter=security` for a list
  ! 2 noncompliant modules found
    |➔ Run `ncm report --filter=compliance` for a list

─────────────────────────────────────────────────────────────────────────────────────────────────
  Whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                                Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ qs @ 6.3.1                               │ |||| Crit  │ ✓ BSD-3-Clause        │ X 1H          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘

─────────────────────────────────────────────────────────────────────────────────────────────────
  Non-whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                                Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4                             │ |||| Crit  │ ✓ MIT                 │ X 1L          │
│ superagent @ 1.8.5                       │ |||| Crit  │ ✓ MIT                 │ X 1M 1L       │
│ form-data @ 1.0.0-rc3                    │ |||| High  │ ✓ MIT                 │ ✓ 0           │
│ formidable @ 1.0.16                      │ |||| High  │ X UNKNOWN             │ ✓ 0           │
│ mime @ 1.2.11                            │ |||| High  │ X UNKNOWN             │ X 1L          │
│ qs @ 2.3.3                               │ |||| High  │ ✓ BSD-2-Clause        │ X 1H          │
... etc ...
│ mime-types @ 2.1.22                      │ |||| None  │ ✓ MIT                 │ ✓ 0           │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Filters
Reports may be filtered based on any of the following flags:
- --compliance, -c - only display non-compliant packages.
- --security, -s - only display packages with vulnerabilities.
Options
- --json, -j - Formats the report in JSON (disabled by default)
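A CI job authenticated with NCM_TOKEN can turn the long report into a pass/fail decision. The sketch below is an added example, not code from the ncm-cli project: it parses the text layout shown above, assuming "│" column separators and "✓"/"X" flags, and the blocking policy and the names parseReport, gate and SAMPLE_REPORT are hypothetical.

```javascript
// Added example (not from the ncm-cli project): parse `ncm report --long` text and gate on it.
// SAMPLE_REPORT is constructed to mirror the layout shown above; it is not a captured run.
const SAMPLE_REPORT = [
  '23 packages checked',
  '! 2 critical risk',
  'Whitelisted Modules',
  '│ qs @ 6.3.1 │ |||| Crit │ ✓ BSD-3-Clause │ X 1H │',
  'Non-whitelisted Modules',
  '│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │',
  '│ superagent @ 1.8.5 │ |||| Crit │ ✓ MIT │ X 1M 1L │',
  '│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │',
  '│ mime-types @ 2.1.22 │ |||| None │ ✓ MIT │ ✓ 0 │',
].join('\n');

// Row layout: name @ version │ risk bar + level │ license flag + id │ security flag + counts
const ROW = /^\s*│\s*(\S+) @ (\S+)\s*│\s*\|+\s*(\w+)\s*│\s*(\S)\s+(.+?)\s*│\s*(\S)\s+(.*?)\s*│\s*$/u;

function parseReport(text) {
  const report = { whitelisted: [], modules: [] };
  let bucket = null; // rows before a section heading (the Top 5 table) are skipped
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*Whitelisted Modules\s*$/.test(line)) { bucket = report.whitelisted; continue; }
    if (/^\s*Non-whitelisted Modules\s*$/.test(line)) { bucket = report.modules; continue; }
    const m = ROW.exec(line);
    if (!m || !bucket) continue;
    const vulns = {}; // "1M 1L" -> { M: 1, L: 1 }; "0" -> {}
    for (const [, n, sev] of m[7].matchAll(/(\d+)([CHML])/g)) vulns[sev] = Number(n);
    bucket.push({ id: `${m[1]}@${m[2]}`, risk: m[3], licenseOk: m[4] !== 'X', license: m[5], vulns });
  }
  return report;
}

// Hypothetical policy (an assumption, tune per organization): block on critical risk,
// high/critical vulnerabilities, or a failed license check in non-whitelisted modules.
function gate(report) {
  const severe = (mod) => Boolean(mod.vulns.C || mod.vulns.H);
  const reasons = [];
  for (const mod of report.modules) {
    if (mod.risk === 'Crit') reasons.push(`${mod.id}: critical risk`);
    if (severe(mod)) reasons.push(`${mod.id}: high or critical vulnerability`);
    if (!mod.licenseOk) reasons.push(`${mod.id}: license ${mod.license}`);
  }
  // This gate skips whitelisted modules, so surface the waivers that hide severe findings.
  const waived = report.whitelisted.filter(severe).map((mod) => mod.id);
  return { pass: reasons.length === 0, reasons, waived };
}

const result = gate(parseReport(SAMPLE_REPORT));
console.log(result.pass ? 'PASS' : 'FAIL', result.reasons, 'waived:', result.waived);
```

Text layouts can change between releases, so a production gate is better built on the --json output once its fields have been checked against the installed version.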
ncm details <module{@version}>
Returns a detailed report about a specific module version.
Defaults to using the latest version as published to npm if no version is provided.
$ ncm details client-request@2.3.0
╔═════════════════════════════════════════╗
║ client-request @ 2.3.0 (within ncm-cli) ║
╚═════════════════════════════════════════╝

┌──────┬───────────┐
│ |||| │ None Risk │
└──────┴───────────┘

Security Risk:
  ✓ 0 security vulnerabilities found
    C 0 critical severity
    H 0 high severity
    M 0 medium severity
    L 0 low severity
┌───┬─────────────────────────────┐
│ ✓ │ No Security Vulnerabilities │
└───┴─────────────────────────────┘

License Risk:
┌───┬─────┐
│ ✓ │ MIT │
└───┴─────┘

Module Risk:
┌───┬────────────────┐
│ ✓ │ No Module Risk │
└───┴────────────────┘

Code Quality (does not affect risk score):
┌───┬───────────────────────────────────────────────────────────────────────────────────────────┐
│ ! │ This package version's size on disk is 40.0 kB.                                           │
└───┴───────────────────────────────────────────────────────────────────────────────────────────┘

Required By (leftmost is directly in your package):
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ (Directly in your package)                                                                    │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
ncm install <module{@version}>
Runs and displays ncm details <module{@version}> with an interactive confirmation prompt.
If confirmed, attempts to run npm install <module{@version}> with any additional options provided.
The config keys installBin and installCmd can adjust this to work with other package installers if necessary.
For more information, see ncm config --help.
ncm whitelist
Display or modify your NodeSource organization's module whitelist.
ncm whitelist --list
Returns a list containing each module in your NodeSource organization's whitelist. Public modules are listed alongside their risk score, license compliance, and security summary.
$ ncm whitelist --list
╔══════════════════════════════╗
║ personal Whitelisted Modules ║
╚══════════════════════════════╝

  2 modules total

─────────────────────────────────────────────────────────────────────────────────────────────────
  Whitelisted Modules
-------------------------------------------------------------------------------------------------
  Module Name                                Risk         License                 Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ express @ 4.0.0                          │ |||| None  │ ✓ MIT                 │ X 1M          │
│ qs @ 6.3.1                               │ |||| None  │ ✓ BSD-3-Clause        │ X 1H          │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
ncm whitelist --add <module@version>
Add one or more modules to your NodeSource organization's whitelist.
ncm whitelist --remove <module@version>
Remove one or more modules from your NodeSource organization's whitelist.
ncm orgs
Change your active NodeSource organization, which impacts the whitelist. Defaults to an interactive prompt.
By passing an <orgname>, the interactive part may be skipped.
Input is case sensitive.
ncm config
Access to various configuration settings.
For more information, use the help command: ncm config --help
License & Copyright
Copyright 2019 NodeSource - Contributions via DCO 1.1
Licensed under the Apache License, Version 2.0 - see the LICENSE file for details.