Skip to content

bomly-dev/example-javascript-yarn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

example-javascript-yarn

Find vulnerabilities, trace reachability, and audit open-source risk in your JavaScript project.

About

This repository is a Bomly example project for JavaScript with Yarn. Use it to try every Bomly feature — from basic SCA scans to vulnerability audits, reachability analysis, dependency tracing, and policy-driven CI gates.

Dependency manifests

File Role
package.json Dependency manifest
yarn.lock Dependency manifest

Try it with Bomly

1. Discover all dependencies

Map your full dependency graph — direct and transitive:

bomly scan --url https://github.com/bomly-dev/example-javascript-yarn

2. Find vulnerabilities

Enrich packages with CVE data and surface real findings:

bomly scan --url https://github.com/bomly-dev/example-javascript-yarn --enrich --audit

3. Confirm reachability

Cut alert noise: Bomly traces your call graph to prove which vulnerable code paths your app actually reaches at runtime.

bomly scan --url https://github.com/bomly-dev/example-javascript-yarn --enrich --reachability

4. Trace why a dependency exists

Understand every path that pulls express into your graph:

bomly explain express --url https://github.com/bomly-dev/example-javascript-yarn

5. See what changed between releases

Compare dependency graphs across any two refs - commits, branches, or tags:

bomly diff \
  --url https://github.com/bomly-dev/example-javascript-yarn \
  --base v0.9.0 --head v1.0.0 \
  --enrich

6. Add a security gate to CI

Fail your pipeline automatically when high-severity vulnerabilities are introduced:

# .github/workflows/bomly-guard.yml
name: Bomly Guard
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write
  issues: write
  security-events: write

jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
      # Add the package-manager setup steps this ecosystem needs before Bomly Guard.
      - uses: bomly-dev/bomly-guard@v1
        with:
          fail-on: high
          comment-summary-in-pr: always

Made with Bomly — open-source SCA for every ecosystem.

About

Bomly QA test repo

Resources

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors