

scalp audit is a read-only integrity check: it does not install, modify, or remove any package. It walks your node_modules tree, recomputes the SHA-512 hash of each package directory, and compares it against the hash recorded in .scalp/lockfile.json. Any package whose on-disk hash differs from the stored value, or that appears in the tree but not in the lockfile (or vice versa), is reported as a violation. The only file it writes is .scalp/audit.log, which it appends to.

Synopsis

```bash
scalp audit [--pm npm|pnpm] [--policy <file>] [--ci]
```

Flags

--pm (string, default: "npm")
Package manager whose dependency tree to read. Accepted values: npm, pnpm. SCAL-P uses the package manager's tree output to enumerate installed packages before hashing.

--policy (string, default: ".scalp/policy.json")
Path to the policy file. The policy controls on_violation enforcement and trust score settings. If the file is absent, SCAL-P logs a policy_missing event and proceeds in warn-only mode.

--ci (boolean, default: false)
Override enforcement to block regardless of on_violation in your policy. Use this in pipelines where a hash mismatch must always fail the build.

What audit checks

scalp audit classifies every package in the dependency tree into one of three states:

| State | What it means |
| --- | --- |
| Verified | The package is installed and its SHA-512 hash matches the entry in .scalp/lockfile.json. |
| Mismatched | The package is installed but its hash differs from the lockfile entry. The package may have been tampered with or corrupted; treat it as untrusted until it has been reinstalled and its hash re-recorded. |
| Missing | The package appears in the dependency tree but has no entry in the lockfile, or is listed in the lockfile but absent from node_modules. |

Mismatched and Missing are both violations. If trust.min_score or trust.require_hash are configured in your policy, audit also evaluates each package's trust score and appends any trust violations to the overall result.

How it works

1. Load lockfile. Reads .scalp/lockfile.json, the hash database written by the last scalp install or scalp ci run.
2. Get dependency tree. Asks the package manager for the full installed dependency tree.
3. Hash and compare. For each package in the tree, recomputes the SHA-512 hash of its directory and compares it against the lockfile entry.
4. Evaluate trust scores. If trust scoring is configured, runs the scorer against the installed packages and the lockfile, appending any score-based violations.
5. Log events. Writes all audit events (verified, mismatched, missing) to .scalp/audit.log in NDJSON format.
6. Enforce violations. If violations exist, applies on_violation from your policy (or block if --ci was passed). If none, logs audit ok and exits 0.

Examples

```bash
# Audit with default npm package manager
scalp audit

# Audit a pnpm project
scalp audit --pm pnpm

# Audit and block on any hash mismatch (CI usage)
scalp audit --ci

# Use a non-default policy file
scalp audit --policy .scalp/strict-policy.json --ci
```

Exit codes

| Code | Meaning |
| --- | --- |
| 0 | All packages verified (no mismatches or missing entries), or violations were found but enforcement is warn. |
| 1 | One or more violations found and enforcement is set to block (on_violation set to block in the policy, or --ci passed). |

In warn mode violations are still written to .scalp/audit.log, but the exit code stays 0. Pass --ci, or set on_violation to block in the policy, wherever the exit code is what gates a pipeline.

Files read and written

| Path | Access | Description |
| --- | --- | --- |
| .scalp/lockfile.json | Read | Hash database to compare against on-disk state. |
| .scalp/audit.log | Append | NDJSON audit events for every package verification result. |
scalp audit requires .scalp/lockfile.json to exist. If you have not run scalp install or scalp ci yet, the command will fail with a lockfile-not-found error. Run scalp install first to generate the initial hash database.
Audit does not modify node_modules or .scalp/lockfile.json. It is safe to run at any point after install to confirm the integrity of your installed packages.
