Find vulnerabilities, trace reachability, and audit open-source risk in your JavaScript project.
This repository is a Bomly example project for JavaScript with Yarn. Use it to try every Bomly feature — from basic SCA scans to vulnerability audits, reachability analysis, dependency tracing, and policy-driven CI gates.
| File | Role |
|---|---|
package.json |
Dependency manifest |
yarn.lock |
Dependency manifest |
Map your full dependency graph — direct and transitive:
bomly scan --url https://github.com/bomly-dev/example-javascript-yarnEnrich packages with CVE data and surface real findings:
bomly scan --url https://github.com/bomly-dev/example-javascript-yarn --enrich --auditCut alert noise: Bomly traces your call graph to prove which vulnerable code paths your app actually reaches at runtime.
bomly scan --url https://github.com/bomly-dev/example-javascript-yarn --enrich --reachabilityUnderstand every path that pulls express into your graph:
bomly explain express --url https://github.com/bomly-dev/example-javascript-yarnCompare dependency graphs across any two refs - commits, branches, or tags:
bomly diff \
--url https://github.com/bomly-dev/example-javascript-yarn \
--base v0.9.0 --head v1.0.0 \
--enrichFail your pipeline automatically when high-severity vulnerabilities are introduced:
# .github/workflows/bomly-guard.yml
name: Bomly Guard
on:
pull_request:
permissions:
contents: read
pull-requests: write
issues: write
security-events: write
jobs:
guard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
# Add the package-manager setup steps this ecosystem needs before Bomly Guard.
- uses: bomly-dev/bomly-guard@v1
with:
fail-on: high
comment-summary-in-pr: alwaysMade with Bomly — open-source SCA for every ecosystem.