diff --git a/README.md b/README.md index cfd9ff4..9e4d2e0 100644 --- a/README.md +++ b/README.md @@ -25,9 +25,9 @@ - - - + + +

🆓

Free to use
No account, no subscription,
no cloud required

🏠

Runs locally
Scans your lockfile on your machine.
Nothing leaves your environment

Fast
Results in seconds. Local cache keeps
rescans near-instant

🏆

OWASP Incubator Project
Peer-reviewed by the org behind the OWASP Top 10 —
the security standard followed by millions of developers

🎯

Remediation-first
Validated fix commands + parent-aware
transitive guidance — not just CVE IDs

🔒

Runs locally
Nothing leaves your machine — not your
code, not your dependency tree
@@ -160,6 +160,8 @@ For full CI patterns including offline workflows, git hooks, and scripted automa ## How it compares +No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments. + | Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | |---|:---:|:---:|:---:|:---:|:---:| | JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | @@ -194,7 +196,9 @@ If you maintain an open-source JavaScript or TypeScript project and want CVE Lit ## Recognized by OWASP -CVE Lite CLI is an [OWASP Incubator Project](https://owasp.org/cve-lite-cli), peer-reviewed and maintained under the Open Web Application Security Project Foundation. Being part of OWASP means: +OWASP (Open Web Application Security Project) is the globally recognized nonprofit behind the security standards followed by millions of developers worldwide — most notably the [OWASP Top 10](https://owasp.org/www-project-top-ten/), the most widely cited web application security reference in the industry. Organizations from startups to Fortune 500 companies use OWASP guidelines as the foundation of their security programs. + +CVE Lite CLI is an [OWASP Incubator Project](https://owasp.org/cve-lite-cli) — reviewed and accepted by the OWASP community as a vendor-neutral, open source security tool. Being part of OWASP means: - **Peer-reviewed** by security professionals - **Community-driven** development and governance 
@@ -365,12 +369,14 @@ See the [Offline Advisory DB guide](https://owasp.org/cve-lite-cli/docs/offline- ## Who uses it -CVE Lite CLI is a good fit for: +CVE Lite CLI is the only free, OWASP-recognized vulnerability scanner purpose-built for JavaScript and TypeScript that combines validated fix commands, parent-aware transitive remediation, and offline scanning in a single lightweight CLI. + +It is a good fit for: -- **Independent developers and OSS maintainers** — quick pre-release check without any platform overhead -- **Startups and small teams** — lightweight CI gate at no cost -- **Consultants** — run a scan on a client project in seconds, with a clear fix plan to hand over -- **Enterprise teams with restricted networks** — offline advisory DB workflow removes the need for runtime outbound calls during scans +- **Independent developers and OSS maintainers** — quick pre-release check without any platform overhead or cost +- **Startups and small teams** — lightweight CI gate at no cost, with fix commands ready to run immediately +- **Consultants** — scan a client project in seconds and hand over a concrete, copy-and-run remediation plan +- **Enterprise teams with restricted networks** — offline advisory DB removes the need for runtime outbound calls during scans - **Teams running npm, pnpm, Yarn, and Bun** — unified scanning across all four package managers in one tool See the [CI and Workflow Integration guide](https://owasp.org/cve-lite-cli/docs/ci-integration) for concrete patterns across these scenarios.
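Review bot: In the first hunk (README feature grid, `@@ -25,9 +25,9 @@`), the new 🏆 card states "Peer-reviewed by the org behind the OWASP Top 10" while the "Recognized by OWASP" hunk in this same patch deliberately replaces "peer-reviewed and maintained under" with the weaker "reviewed and accepted by the OWASP community". Align the card with the softer wording (e.g. "Reviewed and accepted as an OWASP Incubator Project") or add a link to the actual project review so the stronger claim is substantiated. The swap also drops the "Free to use" and "Fast" cards, yet the other hunks still lead with "free" ("No other free tool", "the only free, OWASP-recognized"); consider keeping "Free to use" in the grid, since the 🏠 and 🔒 cards now both say "Runs locally" with nearly identical text ("Nothing leaves your environment" / "Nothing leaves your machine") and one of them could make room for it.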
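Review bot: In the "How it compares" hunk (`@@ -160,6 +160,8 @@`), the added sentence opens with an unbounded superlative, "No other free tool combines all of the following", but the table directly beneath it only compares against four tools (npm audit, OSV-Scanner, Snyk CLI, Socket CLI). Scope the claim to what the table supports, e.g. "Of the tools compared below, none of the free ones combine all of the following:", and make sure each of the four listed capabilities (multi-manager lockfile scanning, parent-aware remediation, fix version validation, offline advisory DB) has a corresponding row so a reader can verify it from the table rather than take the sentence on trust.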
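Review bot: In the "Recognized by OWASP" hunk (`@@ -194,7 +196,9 @@`), the first added paragraph is a general description of OWASP ("most widely cited web application security reference in the industry", "startups to Fortune 500 companies") that says nothing about CVE Lite CLI and carries no citation for either superlative; trim it to one sentence that introduces OWASP with the Top 10 link and drop the uncited rankings. The second added sentence softens "peer-reviewed and maintained under" to "reviewed and accepted by the OWASP community", but the unchanged bullet immediately below still reads "**Peer-reviewed** by security professionals"; update that bullet (or the sentence) so the section does not contradict itself about what kind of review took place.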
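Review bot: In the "Who uses it" hunk (`@@ -365,12 +369,14 @@`), the new opening sentence ("the only free, OWASP-recognized vulnerability scanner purpose-built for JavaScript and TypeScript that combines validated fix commands, parent-aware transitive remediation, and offline scanning") restates the same three capabilities already added to "How it compares" in this patch, and "the only" is another unverifiable exclusivity claim; keep the positioning in one section and let this one stay with "It is a good fit for:". Also, the section heading is "Who uses it" but the body lists audience profiles rather than any actual users or adopters; either rename it to something like "Who it is for" or add named adopters if they can be cited. The bullet rewrites themselves ("or cost", "fix commands ready to run immediately", "copy-and-run remediation plan") are fine.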