Skip to content
/ csp-evaluator-cli Public

A command line tool to validate Content-Security-Policy rules

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

einride/csp-evaluator-cli

BranchesTags

Repository files navigation

csp-evaluator-cli

A command line tool that wraps csp-evaluator.

Installation

$ npm install -g @einride/csp-evaluator-cli

Usage

CLI interface strives to mimic CSP Evaluator online tool. It takes Content Security Policy as a string, and outputs findings based on that into stdout.

Output format

There are three supported output formats:

  1. human (default)

Mimics CSP Evaluator online tool output.

> csp validate "script-src https://google.com"
! Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
script-src:
   ? https://google.com: No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  1. json

JSON is passed as is from csp-evaluator output.

> csp validate --output-format=json "script-src https://google.com"
[{"type":300,"description":"Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?","severity":10,"directive":"object-src"},{"type":305,"description":"No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.","severity":50,"directive":"script-src","value":"https://google.com"}]
  1. json-pretty

Same as json, but with indentations.

> csp validate --output-format=json-pretty "script-src https://google.com"
[
    {
        "type": 300,
        "description": "Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?",
        "severity": 10,
        "directive": "object-src"
    },
    {
        "type": 305,
        "description": "No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.",
        "severity": 50,
        "directive": "script-src",
        "value": "https://google.com"
    }
]

Exit codes

Exit code is always 0, except for a case when a policy contains syntax errors.

> csp validate "script https://google.com"
! Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
! script-src directive is missing.
x Directive "script" is not a known CSP directive.
> $?
> 1

Input

  1. As an argument
> csp validate "script-src https://google.com"
  1. From stdin
> echo "script-src https://google.com" | csp validate -
  1. From a file
> echo "script-src https://google.com" > policy.txt
> csp validate policy.txt

Contribute

See Contributing Guide.

Security Policy

See Security Policy.

License

MIT

About

A command line tool to validate Content-Security-Policy rules

Topics

cli content-security-policy einride

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Sep 4, 2024

Packages

No packages published

Contributors 5

Languages