Runtime
Bundler
Package Manager
Test Runner
Guides
Reference
BlogInstall Bun
Package Manager Advanced Configuration

Security Scanner API

Bun's package manager can scan packages for security vulnerabilities before installation, helping protect your applications from supply chain attacks and known vulnerabilities.

Quick Start

Configure a security scanner in your bunfig.toml:

bunfig.toml
[install.security]
scanner = "@oven/bun-security-scanner" # example name, replace with your scanner's package

When configured, Bun will:

  • Scan all packages before installation
  • Display security warnings and advisories
  • Cancel installation if critical vulnerabilities are found
  • Automatically disable auto-install for security

How It Works

Security scanners analyze packages during bun install, bun add, and other package operations. They can detect:

  • Known security vulnerabilities (CVEs)
  • Malicious packages
  • License compliance issues
  • ...and more!

Security Levels

Scanners report issues at two severity levels:

  • fatal - Installation stops immediately, exits with non-zero code
  • warn - In interactive terminals, prompts to continue; in CI, exits immediately

Using Pre-built Scanners

Many security companies publish Bun security scanners as npm packages that you can install and use immediately.

Installing a Scanner

Install a security scanner from npm:

terminal
$ bun add -d @oven/bun-security-scanner

@oven/bun-security-scanner is an example package name, not a real package. Replace it with the scanner you want to use, and consult that scanner's documentation for the exact package name and installation instructions. Most scanners are installed with bun add.

Configuring the Scanner

After installation, configure it in your bunfig.toml:

bunfig.toml
[install.security]
scanner = "@oven/bun-security-scanner" # example name, replace with your scanner's package

Enterprise Configuration

Some enterprise scanners might support authentication and/or configuration through environment variables:

terminal
# This might go in ~/.bashrc, for example
$ export SECURITY_API_KEY="your-api-key"

# The scanner will now use these credentials automatically
$ bun install

Consult your security scanner's documentation to learn which environment variables to set and if any additional configuration is required.

Authoring your own scanner

For a complete example with tests and CI setup, see the official template: github.com/oven-sh/security-scanner-template

Overrides and resolutions

Control metadependency versions with npm overrides and Yarn resolutions

.npmrc support

Package Manager npmrc configuration

On this page

Quick Start
How It Works
Security Levels
Using Pre-built Scanners
Installing a Scanner
Configuring the Scanner
Enterprise Configuration
Authoring your own scanner
Related
Feedback