Lesson 4: Security Tooling — Scanners, Auditors, and Automated Defense
Introduction
In Lesson 3, we covered best practices. Now let's get hands-on with the tools that automate security. No single tool catches everything — the most effective approach combines reactive scanning (known CVEs) with proactive detection (behavioral analysis, malware detection).
This lesson covers the major tools available, what each catches (and misses), and how to combine them into an effective security workflow.
npm audit: The Built-In Baseline
Every npm installation comes with npm audit, making it the most accessible starting point.
Basic Usage
Understanding the Output
Each entry tells you:
- Package and affected versions: Which versions are vulnerable
- Severity: critical, high, moderate, low
- Vulnerability type: What the flaw is
- Advisory link: Full details and context
- Fix availability: Whether npm audit fix can resolve it
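The fields above can be pulled straight out of `npm audit --json`. The following is an added example, not code from the lesson: it summarises the auditReportVersion 2 format that npm 7 and later emit, with a constructed sample report standing in for a real run, and turns the fixAvailable field into the "shortest path" guidance a CI gate can act on.

```javascript
// Added example, not from the lesson: summarise `npm audit --json` output into the
// fields listed above. Uses the auditReportVersion 2 shape emitted by npm 7 and later.
// Constructed sample report: one direct finding, and one transitive finding that is
// only fixable through a breaking upgrade of its parent (no real advisory data).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'high', isDirect: true, range: '<4.17.21',
      via: [{ name: 'lodash', title: 'Prototype Pollution', severity: 'high',
              url: 'https://github.com/advisories/GHSA-placeholder' }],
      fixAvailable: true,            // `npm audit fix` can resolve it
    },
    minimist: {
      name: 'minimist', severity: 'critical', isDirect: false, range: '<1.2.6',
      via: [{ name: 'minimist', title: 'Prototype Pollution', severity: 'critical',
              url: 'https://github.com/advisories/GHSA-placeholder-2' }],
      fixAvailable: { name: 'mocha', version: '10.0.0', isSemVerMajor: true },
    },
    mocha: {
      name: 'mocha', severity: 'critical', isDirect: true, range: '<=9.0.0',
      via: ['minimist'],             // a string entry means "vulnerable only through this dependency"
      fixAvailable: { name: 'mocha', version: '10.0.0', isSemVerMajor: true },
    },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Describe the fix: true/false from npm, or an object naming the top-level package to bump.
function describeFix(fix) {
  if (fix === true) return 'npm audit fix';
  if (!fix) return 'no fix available';
  return `${fix.isSemVerMajor ? 'major (breaking) bump' : 'upgrade'} ${fix.name}@${fix.version}`;
}

// One record per entry: package, affected range, severity, vulnerability type, link, fix.
function summarizeAudit(report) {
  return Object.values(report.vulnerabilities).map((v) => {
    const advisories = v.via.filter((x) => typeof x === 'object'); // drop transitive pointers
    return { pkg: v.name, range: v.range, severity: v.severity, direct: v.isDirect,
             types: advisories.map((a) => a.title), links: advisories.map((a) => a.url),
             fix: describeFix(v.fixAvailable) };
  });
}

// CI gate: true when any finding is at or above the threshold severity.
function exceedsThreshold(report, threshold = 'high') {
  return summarizeAudit(report).some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}
```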
When npm audit Falls Short
npm audit checks against npm's advisory database. It cannot detect:
| Threat | npm audit | Why it misses |
|---|---|---|
| Newly published malicious packages | ❌ | Not in the advisory DB yet |
| Compromised legitimate packages (zero-day) | ❌ | Malicious code in a "valid" new version |
| Abandoned packages with no CVEs filed | ❌ | Nobody has reported the issue |
| Typosquatting packages | ❌ | They're new packages, not known vulnerabilities |
| Obfuscated or encoded payloads | ❌ | No behavioral analysis |
This is why npm audit is a baseline, not a complete solution.
npm audit signatures
A lesser-known but valuable command verifies the integrity of packages in your project:
This checks that packages have valid registry signatures and provenance attestations. If a package was tampered with after signing, this will flag it.
Snyk: Enterprise-Grade Vulnerability Management
Snyk is one of the most widely used security platforms, offering a comprehensive vulnerability database and actionable fix guidance. What made Snyk pioneering was its developer-first philosophy.
As Liran Tal, Director of Developer Advocacy at Snyk, explains on the Señors @ Scale podcast:
"What Snyk did very pioneeringly was we not only scan and tell you that you can do a snyk test, like scan the dependencies. We actually tell you this is the version that you have to move into. If the next version that fixes Express is like a minor semver version or a patch, then we would actually propose to you the shortest path to upgrade. Because we know if you move from version 2 to version 3 of Express, that might fix the problem, but it's also probably breaking API changes. So we want to recommend the shortest path."
This "shortest upgrade path" approach is something to look for in any security tool — it's the difference between a report that says "you have a problem" and guidance that says "here's the safest fix."
Setup
What Snyk Catches
- Known CVEs across its own database (often broader than npm's)
- License compliance issues
- Container vulnerabilities
- Infrastructure as Code issues
Snyk in CI/CD
Snyk Strengths and Limitations
Strengths: Comprehensive database, excellent fix guidance, IDE integration (VS Code plugin), container scanning. Documented over 6,800 malicious packages since 2023.
Limitations: Can be noisy without reachability filtering. The free tier has limited scans per month. Primarily reactive — it detects known vulnerabilities, not novel malicious behavior.
Socket: Behavioral Analysis
Socket takes a fundamentally different approach. Instead of checking against a database of known vulnerabilities, it analyzes what packages actually do — looking for suspicious behaviors like network access, filesystem operations, obfuscation, and shell execution.
Why Behavioral Analysis Matters
When the September 2025 attack compromised chalk@5.6.1, there was no CVE filed. The package was a new version of a legitimate package. Traditional scanners saw nothing wrong. But Socket's behavioral analysis could detect that the package was suddenly making network requests and accessing browser crypto APIs — behaviors not present in previous versions.
Using Socket
Socket offers a CLI wrapper that intercepts npm install:
Socket also provides:
- A browser extension that shows security scores on npmjs.com
- PR integration that comments on pull requests when new dependencies have suspicious indicators
- An MCP plugin for AI coding environments
What Socket Catches That Others Miss
- Typosquatting attempts (packages with names similar to popular packages)
- Obfuscated or minified code in unexpected places
- Install scripts with network access or shell execution
- Packages that access environment variables (credential harvesting)
- Sudden behavioral changes between versions
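The indicators in this list can be approximated with a few source-level heuristics. The block below is an added example, not Socket's code: it scans a package's lifecycle scripts and files for the behaviors named above, diffs two versions to surface a sudden change (the chalk pattern described earlier), and checks a name against popular packages for typosquats. The package shape and the two sample releases are constructed.

```javascript
// Added example, not Socket's code: a minimal behavioral-indicator scan of the kind
// Socket automates, plus a diff of indicators between two versions of one package.
// Each indicator is a regex over package source; names follow the list above.
const INDICATORS = {
  'network access': /\b(fetch|https?\.request|https?\.get|XMLHttpRequest|WebSocket)\s*\(/,
  'shell execution': /\b(child_process|execSync|spawnSync)\b/,
  'env var access': /\bprocess\.env\b/,
  'obfuscation': /\b(eval|String\.fromCharCode|atob)\s*\(|(\\x[0-9a-f]{2}){4}/i,
  'browser crypto API': /\bwindow\.(crypto|ethereum)\b/,
};
// A package is { manifest: parsed package.json, files: { path: source } } (constructed shape).
function indicators(pkg) {
  const found = new Set();
  const scripts = pkg.manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) found.add(`install script (${hook})`);
  }
  for (const src of Object.values(pkg.files)) {
    for (const [name, re] of Object.entries(INDICATORS)) if (re.test(src)) found.add(name);
  }
  return found;
}

// Indicators present in `next` but absent from `prev`: the sudden-change signal that
// separates a compromised release from a package that has always behaved this way.
function newBehaviors(prev, next) {
  const before = indicators(prev);
  return [...indicators(next)].filter((i) => !before.has(i));
}

// Edit distance, used to flag names within two edits of a popular package name.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}
function typosquatCandidates(name, popular) {
  return popular.filter((p) => p !== name && levenshtein(name, p) <= 2);
}
// Constructed sample: a benign colour helper, then a release that adds a postinstall
// hook, a network call, env-var reads and wallet-API access (no real package data).
const PREV = { manifest: { name: 'colorlib', version: '1.0.0' },
  files: { 'index.js': 'module.exports = (s) => `\\u001b[31m${s}\\u001b[0m`;' } };
const NEXT = { manifest: { ...PREV.manifest, version: '1.0.1', scripts: { postinstall: 'node setup.js' } },
  files: { ...PREV.files, 'setup.js': 'fetch("https://example.invalid/p");\nconst h = process.env.HOME;\nif (window.ethereum) {}' } };
```

Regex heuristics like these produce false positives on legitimate build tooling; their value is in the version-to-version diff, where a package that never touched the network suddenly does.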
deps.dev: Google's Free Vulnerability Aggregator
deps.dev (Open Source Insights by Google) aggregates vulnerability data from multiple sources — npm, GitHub Advisory Database, OSV, and others. Unlike npm audit, which only checks npm's advisory database, deps.dev provides cross-database coverage.
Key Advantages
- Free API with no authentication required
- Cross-database vulnerability aggregation
- Package metadata including release dates and dependency graphs
- Multiple ecosystem support (npm, PyPI, Maven, Go, Cargo)
API Endpoints
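As an added example (not deps.dev's own client code), the block below builds the v3 GetVersion URL for one npm package version and derives two of the checks in the comparison table: advisory ids aggregated across databases, and package age. The field names publishedAt and advisoryKeys are assumed from the public v3 API, the response object is a constructed sample, and the fetch function is injectable so the code runs offline.

```javascript
// Added example, not deps.dev's own client: query the v3 GetVersion endpoint for one
// npm package version and derive two of the checks in the table below, advisories
// aggregated across databases and package age. The response object here is a
// constructed sample; the field names publishedAt and advisoryKeys are assumed
// from the public v3 API, and fetchFn is injectable so the code runs offline.
const DEPS_DEV = 'https://api.deps.dev/v3';

// Scoped names must be percent-encoded: @scope/name -> %40scope%2Fname.
function versionUrl(name, version) {
  return `${DEPS_DEV}/systems/npm/packages/${encodeURIComponent(name)}/versions/${encodeURIComponent(version)}`;
}

// Pure summary step, separated from I/O so it can be tested on a fixed response.
function summarizeVersion(name, version, data, now = Date.now(), staleAfterDays = 730) {
  const ageDays = Math.floor((now - Date.parse(data.publishedAt)) / 86_400_000);
  return {
    name, version, ageDays,
    advisories: (data.advisoryKeys || []).map((k) => k.id), // GHSA/OSV ids from all sources
    stale: ageDays > staleAfterDays,                        // no release in ~2 years
    freshness: ageDays < 1 ? 'published < 24h ago (cooldown candidate)' : 'ok',
  };
}

// Live call; fetchFn defaults to Node's global fetch (Node 18+).
async function checkVersion(name, version, fetchFn = globalThis.fetch) {
  const res = await fetchFn(versionUrl(name, version));
  if (!res.ok) throw new Error(`deps.dev returned ${res.status} for ${name}@${version}`);
  return summarizeVersion(name, version, await res.json());
}

// Constructed sample response standing in for the live API (no real advisory ids).
const SAMPLE_RESPONSE = {
  versionKey: { system: 'NPM', name: 'lodash', version: '4.17.20' },
  publishedAt: '2020-08-13T00:00:00Z',
  advisoryKeys: [{ id: 'GHSA-placeholder-1' }, { id: 'GHSA-placeholder-2' }],
};
```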
deps.dev vs npm audit
| Check | npm audit | deps.dev |
|---|---|---|
| Known CVEs in npm database | ✅ | ✅ |
| Cross-database vulnerabilities (GitHub, OSV) | ❌ | ✅ |
| Package age and freshness tracking | ❌ | ✅ |
| Maintenance status indicators | ❌ | ✅ |
| Multiple ecosystem support | ❌ | ✅ |
Aikido Security: Real-Time Install Protection
Aikido provides install-time protection with a focus on reducing alert noise through reachability analysis.
Key Features
- Safe Chain: Blocks malware at install time
- 24-hour cooldown option: Won't install packages published less than 24 hours ago
- Live malware feed: Over 6,000 malicious packages flagged
- Reachability analysis: 95% noise reduction by only flagging vulnerabilities that are actually reachable from your code
- Detected the xrpl package compromise in 45 minutes
Public Malware Intelligence Feed
Aikido maintains a publicly accessible malware intelligence feed at intel.aikido.dev, updated in near real-time when new malicious packages are detected. This is useful even if you don't use their paid product.
Semgrep Supply Chain: Code + Dependency Analysis
Semgrep combines static analysis (SAST) with software composition analysis (SCA), giving you a unified view of vulnerabilities in both your code and your dependencies.
Why Combine SAST and SCA?
Traditional SCA tools tell you "lodash has a prototype pollution vulnerability." Semgrep can additionally tell you "and your code at line 47 of utils.js calls the specific vulnerable function." This reachability analysis dramatically reduces false positives.
Custom Rules
Semgrep allows you to write custom detection rules. After the Shai-Hulud attack, the community quickly published Semgrep rules to detect the specific malicious patterns used.
Trivy: Open-Source Container and SBOM Scanning
Trivy is a comprehensive open-source security scanner that covers npm vulnerabilities along with container images, filesystem scanning, and license detection.
Trivy is excellent for teams that need scanning across multiple surfaces (npm, Docker, IaC) without paying for enterprise tools.
GitHub Dependabot: Automatic Update PRs
If you host on GitHub, Dependabot is free and provides:
- Automatic PRs when dependencies have known vulnerabilities
- Security alerts on your repository
- Version update PRs on a configurable schedule
Configuration
Create .github/dependabot.yml:
Limitations
Dependabot is reactive — it alerts on known CVEs. It doesn't perform behavioral analysis and won't catch novel malicious packages.
Choosing the Right Combination
Different teams need different tool stacks. Here's a practical guide:
Individual Developers
- npm audit as your baseline (free, built-in)
- Socket CLI for real-time behavioral analysis during installation
- GitHub Dependabot for automated vulnerability PRs
Small Teams
- Everything above, plus:
- Snyk free tier for broader vulnerability coverage
- Verdaccio as a caching proxy
- Custom scanning script using deps.dev (we'll build this in Lesson 5)
Enterprise Teams
- Everything above, plus:
- Sonatype Repository Firewall or JFrog Xray for proactive blocking
- Aikido Safe Chain with cooldown periods
- Semgrep Supply Chain for reachability analysis
- SBOM generation for complete dependency visibility
Building an Automated Security Workflow
Here's how to combine tools into a practical CI/CD workflow:
GitHub Actions Workflow
SBOMs: Your Dependency Inventory
A Software Bill of Materials (SBOM) is a complete inventory of all components in your application. When a new vulnerability is discovered, an SBOM lets you instantly check if you're affected.
Generating an SBOM
Using Your SBOM
When the September 2025 attack hit, teams with SBOMs could immediately check whether any of the 19 compromised packages existed in their dependency tree. Teams without SBOMs had to manually audit every project.
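The lookup described above is a few lines once the SBOM is in a machine-readable format. The block below is an added example, not from the lesson: it matches a CycloneDX JSON SBOM against a list of compromised name@version pairs, handling scoped packages, which CycloneDX splits into group and name. The SBOM and the compromised list are constructed; chalk@5.6.1 is the one version the lesson names.

```javascript
// Added example, not from the lesson: check a CycloneDX JSON SBOM against a list of
// compromised package versions. SBOM and list are constructed samples.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX', specVersion: '1.5',
  components: [
    { type: 'library', name: 'chalk', version: '5.6.1', purl: 'pkg:npm/chalk@5.6.1' },
    { type: 'library', name: 'express', version: '4.19.2', purl: 'pkg:npm/express@4.19.2' },
    { type: 'library', group: '@scope', name: 'widget', version: '2.0.0', purl: 'pkg:npm/%40scope/widget@2.0.0' },
  ],
};

// Compromised releases as "name@version" strings (constructed, not the real list).
const COMPROMISED = ['chalk@5.6.1', '@scope/widget@2.0.0', 'left-pad@9.9.9'];

// Full npm name: CycloneDX puts the scope in `group` and the bare name in `name`.
function fullName(component) {
  return component.group ? `${component.group}/${component.name}` : component.name;
}

// Parse "name@version"; scoped names start with "@", so split on the last "@".
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// SBOM components whose name@version exactly matches a compromised release.
function findCompromised(sbom, compromised) {
  const wanted = new Set(compromised.map((s) => { const p = parseSpec(s); return `${p.name}@${p.version}`; }));
  return (sbom.components || [])
    .filter((c) => c.type === 'library' && wanted.has(`${fullName(c)}@${c.version}`))
    .map((c) => ({ name: fullName(c), version: c.version, purl: c.purl }));
}

// Also report compromised package names present at a *different* version: not a hit,
// but worth a look when the advisory later widens to a range of versions.
function samePackageOtherVersion(sbom, compromised) {
  const names = new Set(compromised.map((s) => parseSpec(s).name));
  const hits = new Set(findCompromised(sbom, compromised).map((c) => `${c.name}@${c.version}`));
  return (sbom.components || [])
    .filter((c) => names.has(fullName(c)) && !hits.has(`${fullName(c)}@${c.version}`))
    .map((c) => `${fullName(c)}@${c.version}`);
}
```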
Key Takeaways
- npm audit is necessary but insufficient — it only catches known, reported vulnerabilities.
- Behavioral analysis tools (Socket, Aikido) catch novel malicious code that CVE-based tools miss.
- deps.dev provides free, cross-database vulnerability data that goes beyond npm's advisory database.
- Combine tools for coverage: reactive scanning + behavioral analysis + SBOM visibility.
- Automate everything — manual security reviews don't scale. Daily automated scanning catches issues while they're still manageable.
- Generate and maintain SBOMs so you can respond quickly when new vulnerabilities are disclosed.
What's Next
In Lesson 5, we'll build our own npm vulnerability scanner from scratch using the deps.dev API. You'll create a tool that goes beyond npm audit, checking for vulnerabilities across multiple databases, tracking dependency freshness, and generating reports you can integrate into your CI/CD pipeline.