1.7 KiB
1.7 KiB
Scanner Runtime Evidence (Node)
Purpose
Optional, air-gap-friendly runtime capture for Node workloads to enrich dependency graphs with observed imports/loads. Produces append-only NDJSON that the Node analyzer ingests as node:runtime-* records.
Capture hooks
- CJS:
runtime-hooks/runtime-require-hook.js- Usage:
SCANNER_NODE_RUNTIME_OUT=<out.ndjson> SCANNER_NODE_ROOT=<root> node -r ./runtime-require-hook.js app.js
- Usage:
- ESM:
runtime-hooks/runtime-esm-loader.mjs- Usage:
SCANNER_NODE_RUNTIME_OUT=<out.ndjson> SCANNER_NODE_ROOT=<root> node --experimental-loader=./runtime-esm-loader.mjs app.mjs
- Usage:
Output format (NDJSON)
Each line is a JSON object:
type:edge|componentfrom/to: module specifiers (scrubbed relative toSCANNER_NODE_ROOTwhen possible)reason: e.g.,runtime-import,runtime-require,runtime-loadloaderId: arbitrary string; hashed to SHA-256 during ingestionpath: component path forcomponentrecords
Ingestion rules
- File name defaults to
node-runtime-evidence.ndjsonin the scan root; override withSCANNER_NODE_RUNTIME_EVIDENCE. - Paths are scrubbed relative to the analyzer
rootPath; absolute paths outside root remain absolute. - Loader IDs are SHA-256 hashed before storage (
loaderId.sha256). - Evidence is tagged as
node:runtime-edgeornode:runtime-componentwith derived evidence from the reason/locators.
Determinism & safety
- Append-only writes; no network access.
- Stable hashing, stable ordering during ingestion (sorted by
componentKey). - Path scrubbing prevents leakage of host-specific prefixes when root-relative.
When to use
- Debugging dynamic imports/require resolutions.
- Environments with heavy plugin loading where static analysis is insufficient.