
Filtering output

Customize the output format of verdicts
lstn scan results can be filtered through various methods, allowing for a flexible range of use cases. For example:
  • Whitelisting packages: lstn can ignore dependencies by name and type. If configured, the applicable packages will not be included in the scan.
  • Defining rule-based policy: the required context from verdicts can be filtered and used to assert policies. For example, blocking a CI build in case of a dependency with "priority": "critical". Read more about policies here.
  • Building workflows on top of verdicts: examples include integration with a reporting tool, writing to a database, or visualization in a dashboard.
See the options below to configure lstn based on your needs:

Filtering output using CLI flags:

For example:
lstn scan --ignore-deptypes=dev --ignore-packages=lodash,react
This feature only works for lstn scan at the moment.

Filtering output using config file (lstn.yml)

...
filtering:
  ignore:
    packages:
      - "donotprocessme"
      - "react"
    deptypes:
      - "peer"

Filtering output using env vars:

LSTN_IGNORE_DEPTYPES=peer,optional
LSTN_IGNORE_PACKAGES=react,@vue/devtools

Filtering output using jq

lstn scan results can be emitted as JSON using the --json flag. That JSON can then be filtered with jq expressions via a built-in jq utility exposed by the -q flag, so no separate pipe into an external jq is needed.
Below are some examples of how the output of lstn commands can be filtered using jq expressions:

Only return packages with verdicts

To return only the packages that have a verdict, use the following command:
lstn to <package-name> --json -q '.[] | select(.verdicts != [])'

Return verdicts based on priority level

To return only the packages for a specific priority level, use the following command:
lstn to <package name> --json -q '.[] | .verdicts[] | select(.priority == "<priority level>")'
For example: lstn to jq --json -q '.[] | .verdicts[] | select(.priority == "critical")'

Return verdicts based on a specific package name or version

To return only the entries for a specific package name, use the following command (the jq expression must be quoted, and the leading .[] iterates over the array of packages):
lstn scan <project directory> --json -q '.[] | select(.name == "<package name>")'
For example: lstn scan . --json -q -c '.[] | select(.name == "lodash")'

Get all verdicts for a specified message

To get all verdicts for a specified message, use the following command:
lstn to <package name> --json -q '.[] | .verdicts[] | select(.message == "unexpected outbound connection destination")’
Replace the <package name> with your desired package, and "unexpected outbound connection destination" with the message you want to retrieve verdicts for. The output of this command will be a list of verdicts for the specified message.

Return verdicts for the specified metadata value

To return only the verdicts whose metadata carries a given value, use the following command:
lstn to <package name> --json -q '.[] | .verdicts[] | .metadata | select(.<metadata key> == <metadata-value>)'
For example: lstn to jq --json -q '.[] | .verdicts[] | .metadata | select(.server_port == 443)'
Replace server_port and 443 with the metadata key and value you want to retrieve verdicts for. The output of this command will be a list of the metadata objects that match.

List the names of all packages

To list the name of every package in the output, use the following command:
lstn --json -q '.[] | .name'

Return a list of verdicts

To return the verdicts of every package, use the following command:
lstn --json -q '.[] | .verdicts'
This outputs the verdicts array of each package, which is empty ([]) for packages without verdicts; combine it with select(.verdicts != []) as shown above to keep only packages that have verdicts.
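The rule-based policy idea from the introduction (fail a CI build on a "critical" verdict) and the jq filters above can be reproduced in a few lines of Python when jq is not available in the pipeline. This is an added example, not part of lstn or these docs; it assumes the JSON shape the jq expressions imply (an array of packages with name and verdicts, each verdict carrying message, priority and metadata), and the sample input, the "version" field and the priority ordering are constructed assumptions.

```python
import json
import sys

# Constructed sample in the shape implied by the jq filters above; not real lstn output.
SAMPLE_JSON = json.dumps([
    {"name": "left-pad", "version": "1.3.0", "verdicts": []},
    {"name": "lodash", "version": "4.17.21", "verdicts": [
        {"message": "unexpected outbound connection destination",
         "priority": "critical", "metadata": {"server_port": 443}},
        {"message": "npm install spawned a process",
         "priority": "medium", "metadata": {"executable": "sh"}},
    ]},
    {"name": "react", "version": "18.2.0", "verdicts": [
        {"message": "unexpected outbound connection destination",
         "priority": "high", "metadata": {"server_port": 8080}},
    ]},
])

# Assumed ordering of priority levels; only "critical" appears on the docs page.
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def load_results(text):
    return json.loads(text)

def packages_with_verdicts(results, ignore=()):
    # jq: '.[] | select(.verdicts != [])', plus the --ignore-packages behaviour.
    return [p for p in results if p["verdicts"] and p["name"] not in ignore]

def verdicts_at_least(results, threshold):
    # jq: '.[] | .verdicts[] | select(.priority == "critical")', generalised to ">= level".
    floor = PRIORITY_RANK[threshold]
    return [(p["name"], v) for p in results for v in p["verdicts"]
            if PRIORITY_RANK.get(v["priority"], -1) >= floor]

def verdicts_with_metadata(results, key, value):
    # jq: '.[] | .verdicts[] | .metadata | select(.server_port == 443)'
    return [v for p in results for v in p["verdicts"] if v["metadata"].get(key) == value]

def ci_exit_code(results, threshold="critical", ignore=()):
    """1 (fail the build) when a non-ignored package has a verdict at or above threshold."""
    kept = packages_with_verdicts(results, ignore)
    return 1 if verdicts_at_least(kept, threshold) else 0

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    data = load_results(raw)
    for name, v in verdicts_at_least(data, "high"):
        print(f"{name}: [{v['priority']}] {v['message']}")
    sys.exit(ci_exit_code(data))
```

In a pipeline, feed it the tool's JSON (lstn scan --json | python3 policy.py) and let the exit code gate the job.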
© 2023 Garnet Labs