What is Sandworm?
Sandworm performs static and dynamic analysis of millions of code packages to identify security vulnerabilities and license compliance issues within software supply chains. The platform generates detailed audit reports that cover security vulnerabilities, license permissions, and metadata issues, and include dependency visualizations.
The tool supports multiple package managers, including npm, Yarn, pnpm, and Composer, with plans to expand to pip, Maven, and CycloneDX (an SBOM format). It outputs JSON issue reports, license usage data, and CSV dependency information, and renders dependency trees and treemaps for easier analysis.
Features
- Security Vulnerability Scanning: scans the entire dependency tree, transitive dependencies included, against known CVEs to identify security risks
- License Compliance Analysis: Set granular license permissions and perform OSI & SPDX compliance checks
- Dependency Visualization: Generate easy-to-read dependency tree and treemap visualizations
- Multiple Package Manager Support: Works with npm, Yarn, pnpm, and Composer
- Report Generation: Outputs JSON issue reports, license usage data, and CSV dependency information
Use Cases
- Auditing JavaScript dependencies for security vulnerabilities
- Checking PHP project dependencies for license compliance
- Monitoring GitHub repositories for dependency issues
- Generating compliance reports for software supply chains
- Visualizing dependency trees for complex applications
FAQs
- What package managers does Sandworm support?
  Sandworm currently supports npm, Yarn, pnpm, and Composer, with plans to add support for pip, Maven, and CycloneDX in the future.
- What types of issues does Sandworm detect?
  Sandworm reports security vulnerabilities (CVEs), license compliance issues, metadata problems, deprecated packages, packages that run install scripts, and findings from its repository checks.
- How does Sandworm generate reports?
  Sandworm outputs JSON issue reports, license usage data, and CSV dependency information, and renders dependency tree and treemap visualizations.
- What is included in the free tier?
  The free tier includes one security and license audit report per repository per month (main branch only), with CVE scanning, license compliance checks, metadata issue detection, and visualizations, backed by community support.
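To make the Features list and the FAQ on issue types concrete, here is an added example of what a dependency-tree audit of this kind does on an npm lockfile. It is illustrative code written for this page, not Sandworm's own code, and it does not query any vulnerability database: it rebuilds the dependency tree from a package-lock.json object (lockfileVersion 2 or 3, whose "packages" map is keyed by install path and whose version, license, dependencies and hasInstallScript fields are real lockfile fields), then emits JSON-style issues for install scripts, licenses outside an allowlist, missing license metadata and unresolvable dependencies. The license allowlist, the sample lockfile and every package name in it are constructed for the demo.

```javascript
// Added illustrative example, not Sandworm's code: offline audit of an npm
// package-lock.json object (lockfileVersion 2 or 3). Rebuilds the dependency
// tree the way npm resolves nested node_modules, then emits JSON-style issues.
// ALLOWED_LICENSES and SAMPLE_LOCKFILE are constructed for the demo.

const ALLOWED_LICENSES = new Set(['MIT', 'ISC', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause']);

// Constructed sample lockfile; all package names are fictional.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0',
          dependencies: { 'demo-logger': '^2.0.0', 'demo-native': '^1.0.0' } },
    'node_modules/demo-logger': { version: '2.1.0', license: 'MIT',
          dependencies: { 'demo-colors': '^1.0.0' } },
    'node_modules/demo-colors': { version: '1.4.0', license: 'MIT' },
    'node_modules/demo-native': { version: '1.0.2', license: 'GPL-3.0-only',
          hasInstallScript: true, dependencies: { 'demo-colors': '^0.9.0' } },
    // Nested copy pulled in by demo-native; its metadata lacks a license field.
    'node_modules/demo-native/node_modules/demo-colors': { version: '0.9.1' },
  },
};

// "node_modules/a/node_modules/b" -> "b"
function packageName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Resolve `dep` as required by the package installed at `fromPath`: npm looks in
// the nearest node_modules directory first and walks upward to the top level.
function resolveDependency(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Per-package checks; each finding is one JSON issue record.
function checkPackage(installPath, entry, allowed, issues) {
  const base = { package: packageName(installPath), version: entry.version, path: installPath };
  if (entry.hasInstallScript) {
    issues.push({ type: 'install_script', severity: 'warning', ...base,
      message: 'package runs a preinstall/install/postinstall script' });
  }
  if (entry.license === undefined) {
    issues.push({ type: 'missing_license', severity: 'warning', ...base,
      message: 'no license metadata in lockfile' });
  } else if (!allowed.has(entry.license)) {
    issues.push({ type: 'license_not_allowed', severity: 'error', ...base,
      license: entry.license, message: `license ${entry.license} is outside the allowlist` });
  }
}

function auditLockfile(lock, allowed = ALLOWED_LICENSES) {
  const packages = lock.packages;
  if (!packages || !packages['']) throw new Error('expected a lockfileVersion 2 or 3 "packages" map');
  const issues = [];
  const checked = new Set();

  // Depth-first walk from the root; `ancestors` is the current chain, so cycles stop.
  function visit(installPath, ancestors) {
    const entry = packages[installPath];
    const node = { name: installPath === '' ? entry.name : packageName(installPath),
                   version: entry.version, dependencies: [] };
    if (installPath !== '' && !checked.has(installPath)) {
      checked.add(installPath);
      checkPackage(installPath, entry, allowed, issues);
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDependency(packages, installPath, dep);
      if (depPath === null) {
        issues.push({ type: 'unresolved_dependency', severity: 'error', package: node.name,
          version: node.version, path: installPath, message: `${dep} is not in the lockfile` });
      } else if (ancestors.has(depPath)) {
        node.dependencies.push({ name: packageName(depPath), version: packages[depPath].version,
          cycle: true, dependencies: [] });
      } else {
        node.dependencies.push(visit(depPath, new Set([...ancestors, depPath])));
      }
    }
    return node;
  }

  return { tree: visit('', new Set([''])), issues };
}

// Indented text form of the dependency tree, one line per node.
function renderTree(node, depth = 0) {
  const line = `${'  '.repeat(depth)}${node.name}@${node.version}${node.cycle ? ' (cycle)' : ''}`;
  return [line, ...node.dependencies.flatMap((child) => renderTree(child, depth + 1))];
}

const sampleReport = auditLockfile(SAMPLE_LOCKFILE);
console.log(renderTree(sampleReport.tree).join('\n'));
console.log(JSON.stringify(sampleReport.issues, null, 2));
```

On the sample lockfile the walk reports three issues: the install script and the GPL-3.0-only license on demo-native, and the missing license on the nested demo-colors copy that only demo-native pulls in, which a flat listing of top-level packages would miss. The same nested-resolution logic is why two different versions of demo-colors appear in the rendered tree.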