lockwarden scan
Execution-surface scan of an artifact: tarball, zip, directory, or docker-save image.
Synopsis
```
npx lockwarden scan <artifact-path>
npx lockwarden scan --image <docker-image>
```

scan applies the same Layer-1 execution-surface analysis and Layer-2 known-bad matching
as audit, but to what is actually on disk inside an artifact rather than what a manifest
claims. This catches the vector no registry-level scanner ever sees: tampered dependencies
shipped pre-baked inside vendored node_modules (as one variant of the March 2026 Axios
incident did).
Arguments & flags
| Argument / flag | Meaning |
|---|---|
| `<artifact-path>` | Path to a tarball, zip, or directory artifact |
| `--image <docker-image>` | Scan a docker image (extracted via `docker save`; no daemon API dependency) |
| `--verbose` | Include Low findings in SARIF output |
All global flags apply.
Examples
```
# The release tarball you are about to publish
npx lockwarden scan ./myapp-1.2.0.tgz

# A vendored directory
npx lockwarden scan ./vendor/

# The image you are about to deploy: scans node_modules in the layers
npx lockwarden scan --image myapp:latest

# CI pre-deploy gate
npx lockwarden scan --image myapp:latest --ci --sarif
```
Exit codes
| Code | Meaning |
|---|---|
| 0 | No findings at or above `--threshold` |
| 1 | Findings at or above `--threshold` |
| 2 | Execution error: artifact not found or unreadable, or `docker save` failed |
- scan performs no network calls; `--offline` is always satisfiable here.
- Docker scanning parses the `docker save` tarball layer by layer; it does not talk to a Docker daemon API.
- Findings map to SARIF exactly as in audit: Critical→error, High→warning, Medium→note, Low suppressed unless `--verbose`.
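The exit codes above are the whole contract a CI gate has with scan, and the one that matters most is 2: a scan that could not run (unreadable artifact, failed `docker save`) must block the release rather than pass as "no findings". The following is an added example of a fail-closed gate around scan, not lockwarden's own code. It assumes `npm pack --silent` prints the name of the tarball it wrote, uses the `--ci --sarif` flags exactly as in the examples section, and treats any exit code the table does not document as an execution error.

```shell
# Added example, not lockwarden's own code: a fail-closed release gate built on
# the exit codes documented above. Assumes `npm pack --silent` prints the name
# of the .tgz it wrote, and uses the --ci/--sarif flags as in the examples.
set -u

# Reduce several scan exit codes to the worst one: 2 (scan did not run)
# outranks 1 (findings), which outranks 0 (clean). Any code the documentation
# does not define is treated as an execution error so the gate fails closed.
worst_exit() {
  worst=0
  for rc in "$@"; do
    case "$rc" in
      0|1|2) if [ "$rc" -gt "$worst" ]; then worst=$rc; fi ;;
      *)     worst=2 ;;
    esac
  done
  echo "$worst"
}

# Human-readable verdict for one exit code. Exit 2 is the important case: a
# scan that never ran must block the release, never read as "no findings".
gate_decision() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "block: findings at or above --threshold" ;;
    2) echo "block: scan did not run (artifact unreadable or docker save failed)" ;;
    *) echo "block: undocumented exit code $1" ;;
  esac
}

# One scan invocation; the caller captures its exit code.
run_scan() {
  npx lockwarden scan "$@" --ci --sarif
}

# Gate a release on both the packed tarball and the image about to ship.
# Usage: release_gate myapp:1.2.0   (returns the combined exit code)
release_gate() {
  image=$1
  tarball=$(npm pack --silent)
  # `|| rc=$?` keeps `set -e` from aborting before the verdict is printed.
  rc_tgz=0; run_scan "$tarball"       || rc_tgz=$?
  rc_img=0; run_scan --image "$image" || rc_img=$?
  echo "tarball $tarball: $(gate_decision "$rc_tgz")"
  echo "image $image: $(gate_decision "$rc_img")"
  return "$(worst_exit "$rc_tgz" "$rc_img")"
}
```

Because `release_gate` returns the combined code unchanged, a pipeline step can end with `release_gate "$IMAGE"` and let the job fail on any non-zero value, while the printed verdicts make clear whether it failed on findings or because a scan never ran.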