scalp policy check is a dry-run policy evaluation. It resolves your project’s dependencies from the lockfile, evaluates every package against your allow/deny rules and trust score settings, and reports any violations — without installing, modifying node_modules, or writing to .scalp/lockfile.json. Use it to validate a policy change, preview the impact of a new dependency, or confirm that your current lockfile would pass enforcement before committing.

Synopsis

scalp policy check [--policy <file>] [--pm npm|pnpm] [--ci]

Flags

--policy <file>  (string, default: ".scalp/policy.json")
  Path to the policy file to evaluate. If the file does not exist, SCAL-P logs a warning and evaluates with default permissive settings — nothing is blocked.

--pm <npm|pnpm>  (string, default: "npm")
  Package manager to use for dependency resolution and lockfile parsing. Accepted values: npm, pnpm.

--ci  (boolean, default: false)
  Override enforcement to block regardless of on_violation in your policy. Use this to ensure a non-zero exit code on any violation in automated pipelines.

How it works

1. Load policy
   Reads the policy file from --policy. If the file is absent, SCAL-P proceeds with default settings and logs a warning.

2. Resolve dependencies
   Runs the package manager's lockfile-only resolution (equivalent to npm install --package-lock-only). This updates the package manager's own lockfile (not .scalp/lockfile.json) without touching node_modules.

3. Parse lockfile
   Reads every dependency node from the resolved lockfile: name, version, resolved URL, and integrity hash.

4. Evaluate policy rules
   Checks each package against the allow/deny rules in your policy: trust mode (allowlist, denylist, audit-only), blocked patterns, and required properties.

5. Evaluate trust scores
   If trust.min_score > 0 or trust.require_hash is set in your policy, scores each package and appends any below-threshold violations to the result.

6. Report and enforce
   If violations exist, applies the configured enforcement. With --ci or on_violation: block, exits 1. With warn, prints the violations and exits 0. If no violations exist, logs "policy check ok" and exits 0.

Note: scalp policy check does not write to .scalp/audit.log. It is a read-only inspection of your current policy and lockfile state.

Examples

# Check policy using default policy file and npm
scalp policy check

# Check against a different policy file
scalp policy check --policy .scalp/strict-policy.json

# Check with pnpm and block on any violation
scalp policy check --pm pnpm --ci

# Preview impact before adding a dependency
npm install some-new-package --package-lock-only
scalp policy check

Exit codes

Code  Meaning
0     No violations found, or violations found with warn/log enforcement.
1     Violations found and enforcement is block (via policy or the --ci flag).

What it does not do

  • Does not install or modify node_modules.
  • Does not update .scalp/lockfile.json.
  • Does not write audit events.
  • Does not publish or transmit any data.

Tip: Run scalp policy check before scalp install --guarded when iterating on policy changes. It resolves faster than a full install and gives you immediate feedback on which packages would be blocked.