Node Security helps you keep your node applications secure.
Note: nsp is deprecated and no longer works on Inspecode. Please use npm-audit instead.
Patterns to include in execution and reports.
Patterns to exclude from execution and reports.
Amount of CPU. The default machine has 0.25 CPU with 960 MiB RAM.
Below is the list of options that are supported:
--offline: optional. When the network is unavailable you can use this (but it won't have as many results as the online version).
--advisoriesPath: optional. When using --offline mode, use this option to specify a path to the advisories.json file.
In addition to general severity levels, the following tool specific severity levels can be specified:
None (equivalent to general severity level
Medium (equivalent to general severity level
Low (equivalent to general severity level
None level is shown in reports only when running
Note: The incremental analysis cannot be supported for nsp. This is because nsp checks external dependencies (npm packages) and the results on unchanged files (package.json or npm-shrinkwrap.json) can be affected by the dependencies.
With default options:
    inspecode:
      nsp: default
With custom machine:
    inspecode:
      nsp:
        machine:
          cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
With custom options:
    inspecode:
      nsp:
        options:
          --offline:
          --advisoriesPath: ./path/to/advisories.json
If there are multiple Node.js projects (package.json files) in a single repository, Inspecode detects them and then runs nsp for each project.
Note: As of now, Inspecode uses the same configuration every time it runs nsp, regardless of where it runs in a job. If this does not suit you and you want to run nsp with a different configuration for each Node.js project, use the default built-in configuration and place configuration files (.nsprc) at the root of each project.