Example - Node JS Application Quick Scan

Let’s scan a vulnerable Node JS Express application: vulnerable-app-nodejs-express

First, clone the project:

git clone https://github.com/samoylenko/vulnerable-app-nodejs-express.git \
&& cd vulnerable-app-nodejs-express

Install dependencies:

npm install --package-lock

Run the scan:

docker run --rm -v "$(pwd):/src" scanproject/standalone

That’s it! After a minute or so, the report is ready as tsp-report.json in the project directory (the directory mounted at /src):

more tsp-report.json

Or, pretty-printed with jq:

jq <tsp-report.json

Count issues total:

jq '. | length' <tsp-report.json

Show all composition issues:

jq '.[] | select(.type == "COMPOSITION")' <tsp-report.json

Show all security vulnerabilities:

jq '.[] | select(.type == "SECURITY")' <tsp-report.json

Show all quality issues:

jq '.[] | select(.type == "QUALITY")' <tsp-report.json
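The jq one-liners above are what you type at a terminal; in a pipeline you usually want the same filtering plus a pass/fail decision. The script below is an added example, not part of this page or of the scanner project: it reads a tsp-report.json, counts issues per `type`, selects one type the way `jq '.[] | select(.type == ...)'` does, and fails the build when a SECURITY issue is at or above a chosen severity. Only the `type` field and its three values (COMPOSITION, SECURITY, QUALITY) come from the page; the `severity` and `title` fields, the severity ranking and the whole sample report are constructed assumptions for illustration and may not match the real report schema.

```python
"""Summarize a tsp-report.json and gate a CI build on its findings.

Added example, not the scanner's own code. The `type` field and its
values COMPOSITION / SECURITY / QUALITY come from the page; every
other field below is an assumption made for illustration.
"""
import json
import os
import sys
import tempfile
from collections import Counter

KNOWN_TYPES = ("COMPOSITION", "SECURITY", "QUALITY")

# Assumed severity scale; the real report may use different labels.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (not real scanner output), in the shape the
# jq commands on the page expect: a JSON array of issue objects.
SAMPLE_REPORT = [
    {"type": "COMPOSITION", "severity": "HIGH",
     "title": "example-pkg@1.2.3 has a published advisory (constructed)"},
    {"type": "SECURITY", "severity": "CRITICAL",
     "title": "SQL query built by string concatenation (constructed)"},
    {"type": "SECURITY", "severity": "MEDIUM",
     "title": "Missing HTTP security headers (constructed)"},
    {"type": "QUALITY", "severity": "LOW",
     "title": "Unused variable (constructed)"},
    {"type": "OTHER-TYPE", "severity": "LOW",
     "title": "Issue with a type this script does not know (constructed)"},
]


def load_report(path):
    """Load the report and check it really is an array, as `jq '. | length'` assumes."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, list):
        raise ValueError(f"{path}: expected a JSON array of issues, got {type(data).__name__}")
    return data


def summarize(issues):
    """Count issues per type; unexpected types are bucketed as OTHER rather than dropped."""
    counts = Counter(
        issue.get("type") if issue.get("type") in KNOWN_TYPES else "OTHER"
        for issue in issues
    )
    return {kind: counts.get(kind, 0) for kind in (*KNOWN_TYPES, "OTHER")}


def select_type(issues, kind):
    """Equivalent of `jq '.[] | select(.type == "<kind>")'`."""
    return [issue for issue in issues if issue.get("type") == kind]


def should_fail_build(issues, block_on=("SECURITY",), min_severity="HIGH"):
    """True if any issue of a blocking type is at or above min_severity.

    A missing or unrecognised severity is treated as blocking (fail closed),
    so a schema change cannot silently switch the gate off.
    """
    threshold = SEVERITY_RANK[min_severity]
    for issue in issues:
        if issue.get("type") not in block_on:
            continue
        rank = SEVERITY_RANK.get(str(issue.get("severity", "")).upper())
        if rank is None or rank >= threshold:
            return True
    return False


def round_trip_demo():
    """Write the constructed sample to a temp file, reload it, and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tsp-report.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_REPORT, fh)
        return summarize(load_report(path))


if __name__ == "__main__":
    # Usage: python gate.py [path/to/tsp-report.json]; without a path the sample is used.
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for kind, count in summarize(report).items():
        print(f"{kind:12} {count}")
    for issue in select_type(report, "SECURITY"):
        print(f"  SECURITY [{issue.get('severity', '?')}] {issue.get('title', '')}")
    sys.exit(1 if should_fail_build(report) else 0)
```

The exit status makes the script usable as a CI step right after the `docker run`; the `min_severity` and `block_on` arguments let a team start by blocking only CRITICAL SECURITY findings and tighten the gate over time.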

Watch a recording of the entire process (asciicast).

Bonus: Juice Shop Scan recording

Same steps as above, just for the well-known vulnerable Node JS application Juice-Shop (asciicast recording).