Recommended scanning tools

Yes: we recommend pairing DaloyJS with external security scanning. The framework gives you strong defaults in the source tree — blocked lifecycle scripts, source-verified lockfiles, a 24h release-age cooldown, strict schema conventions, fetchGuard SSRF controls, JWT algorithm allowlists, timing-safe comparisons, and many verify:* CI gates. See Supply-chain security for the full posture.

External scanners cover the moving parts DaloyJS cannot know from inside your repository: newly disclosed CVEs, live registry threat intel, dependency behavior changes, container image risk, cloud and IaC drift, and DAST checks against a running API. The right mental model is defense-in-depth: DaloyJS keeps dangerous defaults out of the app; Socket, Snyk, and Aikido keep watching the world around the app.

Facts on this page were checked against the vendors' public docs on 2026-05-24. Product names, plan limits, and packaging details can change, so this page links to source docs instead of freezing pricing claims into our docs.

Quick recommendation

| Use case | Recommended setup |
| --- | --- |
| Small DaloyJS app, mostly npm dependencies | Socket for GitHub + Socket Firewall Free + keep DaloyJS's .npmrc defaults. |
| Audit-heavy team or customer security questionnaire | Snyk for SCA/SAST reports, PR checks, fix PRs, and container/IaC evidence. |
| Team wants one AppSec dashboard | Aikido for code scanning, PR/release gating, container scanning, cloud scanning, DAST/surface monitoring, and optional Zen Firewall. |
| Security-sensitive production system | Socket for supply-chain behavior + Snyk or Aikido for broader AppSec coverage. Require status checks before merging. |

Socket: supply-chain defense

Socket is the best fit when your main worry is malicious, compromised, or suspicious open-source packages. Its current docs emphasize several entry points: Socket for GitHub for pull-request feedback, the Socket CLI for scans and policy automation, and Socket Firewall for install-time blocking.

Why use it

  • Socket watches package behavior, not only known CVEs. Its alert types include install scripts, telemetry, native code, known malware, typosquats, git/http dependencies, obfuscated code, shell access, network access, environment-variable access, and filesystem access.
  • That maps directly to DaloyJS's own guardrails: verify:known-dep-names, verify:no-lifecycle-scripts, verify:no-registry-exfiltration, hardened lockfile checks, and the 24h release-age cooldown.
  • Socket Firewall Free currently supports JavaScript/TypeScript package managers including npm, yarn, and pnpm. It sits in front of installs and blocks confirmed malware before the package reaches your filesystem.

When to use it

  • Use Socket for every DaloyJS project that accepts dependency PRs from Dependabot, Renovate, humans, or agents.
  • Use Socket Firewall before local or CI installs that add or refresh dependencies, especially pnpm add, pnpm install, and template validation jobs.
  • Use the Socket CLI when you are not on GitHub, when you want a policy-gating command in CI, or when you need scan reports for a dashboard.

How to use it

  1. Install Socket for GitHub on the repositories that contain DaloyJS apps. Socket starts analyzing pull requests that change package manifests and lockfiles.
  2. Add the Socket status check to branch protection after the signal is tuned. Start in comment-only mode if the team needs a few days to calibrate.
  3. Install Socket Firewall Free for local dependency changes. Keep DaloyJS's ignore-scripts=true in place; Firewall decides whether a package should download, and ignore-scripts prevents lifecycle execution.
  4. For CI or non-GitHub workflows, use socket ci or socket scan create --report.
```bash
npm i -g sfw

# Put Socket Firewall in front of installs that change dependencies.
sfw pnpm add zod
sfw pnpm install

# Socket Firewall Free also supports npm, yarn, pip, uv, and cargo.
sfw npm install
sfw yarn install
```

```bash
npm install -g socket
socket login

# Create a scan and fail if it violates your Socket policy.
socket scan create --report --repo="daloy-api" --branch="main" .

# In CI, socket ci is the shorter policy-gating command.
socket ci
```

Snyk: CVE, SAST, container, and IaC scanning

Snyk is the most audit-recognizable choice. Its current docs position Snyk as a developer-first scanning platform for SAST, DAST, SCA, and IaC. The product docs split this into Snyk Open Source, Snyk Code, Snyk Container, Snyk IaC, and Snyk API & Web.

Why use it

  • Snyk is strong when you need CVE evidence, vulnerability remediation guidance, automated fix PRs, and reports that security reviewers already know how to read.
  • It catches a different class of issue than Socket: not just suspicious package behavior, but known vulnerable versions, first-party code findings, container base-image issues, Terraform/Kubernetes mistakes, and API/web findings.
  • Its GitHub integration can run PR checks, regularly monitor imported projects, and open signed fix or upgrade pull requests when fixes are available.

When to use it

  • Use Snyk when customers, auditors, or procurement ask for an SCA/SAST program with recognizable reports.
  • Use it for projects that ship containers, Kubernetes manifests, Terraform, or other infrastructure code alongside the DaloyJS API.
  • Use the CLI before releases when you want a local or CI gate with explicit exit codes. The current snyk test command exits non-zero when vulnerabilities are found, and snyk monitor creates a monitored dependency snapshot.

How to use it

  1. Start with Snyk's getting started guide, create or join the correct organization, and confirm your region and token policy.
  2. Connect the GitHub integration and import the repo. Enable PR checks for Open Source and Code, then tune severity thresholds before requiring the checks.
  3. Install the Snyk CLI for local and CI scans. Review Snyk's CLI code-execution warning before scanning untrusted code.
  4. Use snyk test --all-projects for dependency scans, snyk code test for source scanning, and snyk monitor for ongoing Open Source or Container monitoring snapshots.
```bash
npm install -g snyk
snyk auth

# Open-source dependency and license scan.
snyk test --all-projects --severity-threshold=high

# First-party source scan.
snyk code test

# Snapshot dependencies for ongoing monitoring in Snyk.
snyk monitor --all-projects --target-reference=main
```

Aikido: consolidated AppSec workflow

Aikido Security is a strong recommendation when a team wants one place for most AppSec signals. The current docs cover code scanning for dependencies, SAST, IaC, secrets, malware, and more; PR and release gating; container image scanning; DAST / surface monitoring; cloud scanning; AutoFix; and Zen Firewall for runtime protection.

Why use it

  • Aikido is useful when you want broad coverage without stitching together many vendors. A single repo can have dependency, SAST, IaC, secrets, malware, license, code quality, container, DAST/API, and cloud findings in one workflow.
  • Its PR gating scans branch diffs and can fail only on new findings at or above your configured severity threshold. That makes rollout easier on older apps with an existing backlog.
  • DaloyJS emits OpenAPI by design, which pairs naturally with Aikido's API scanning and surface monitoring when you deploy a staging or production endpoint.

When to use it

  • Use Aikido when a small or mid-size team wants one security inbox and one triage workflow instead of separate SCA, SAST, DAST, IaC, container, and secrets tools.
  • Use it when you want branch-level PR gating first, then release gating once the signal is tuned.
  • Use DAST/API scanning after the DaloyJS app has a stable staging URL and a generated OpenAPI document.
  • Consider Zen Firewall only when you want an additional runtime WAF-like layer. It does not replace DaloyJS's built-in runtime guardrails.

How to use it

  1. Connect your source control from Connect Your Source Code. Aikido supports GitHub, GitHub Enterprise, GitLab, Bitbucket, and Azure DevOps paths in the current docs.
  2. Enable PR gating from PR Gating Overview. Start with visibility mode or a high severity threshold, then require the check after triage rules are clear.
  3. If source code cannot leave your environment, evaluate Local Code Scanning. Aikido recommends standard integrations for most teams because they provide faster results and better coverage.
  4. If you ship Docker images, connect the registry or run local image scanning before publish. Aikido tracks CVEs, licenses, EOL runtimes, SBOMs, and base-image remediation.
  5. Add API scanning against a staging URL. For DaloyJS, publish or upload the generated OpenAPI document from pnpm gen / your docs route so the scanner understands routes, methods, schemas, and auth expectations.

How they compare

| Tool | Best at | Use with DaloyJS when |
| --- | --- | --- |
| Socket | Malicious-package behavior, install-time blocking, lockfile PR review, package reputation, supply-chain risk. | Dependency changes are frequent, agents add packages, or you want a specific layer against npm/pnpm ecosystem attacks. |
| Snyk | CVE-backed SCA, SAST, container and IaC scanning, PR checks, fix/upgrade pull requests, audit-friendly reporting. | Security questionnaires, SOC 2 / ISO 27001 evidence, customer reviews, or a bigger remediation backlog matter. |
| Aikido | Broad AppSec coverage in one dashboard: code, deps, secrets, malware, IaC, containers, DAST/API, cloud, PR/release gates. | You want one operational workflow and fast triage across the whole application, not just npm dependencies. |

Recommended rollout

  1. Keep the DaloyJS defaults first: ignore-scripts=true, release-age cooldown, source-verified lockfiles, and the project's verify:* gates.
  2. Install Socket for GitHub and Socket Firewall for all developers who change dependencies. This gives immediate supply-chain feedback.
  3. Add either Snyk or Aikido for broader SAST/SCA/IaC/container/API coverage. Teams with audit pressure usually start with Snyk; teams optimizing for one dashboard often start with Aikido.
  4. Run scanners in observe-only mode for a short window. Fix obvious criticals, document accepted risk, then require status checks on new findings.
  5. Make ownership explicit. Every ignored finding should have a reason, an expiry, and a person or team responsible for revisiting it.

What no scanner replaces

Do not turn off framework controls after adding a scanner. The scanner tells you what it can see; the framework still needs to refuse dangerous behavior by default.

  • Keep ignore-scripts=true. Even excellent scanners can miss day-zero payloads before a signal exists.
  • Keep the 24h release-age cooldown. It gives the registry, vendors, and maintainers time to detect and yank bad versions.
  • Keep fetchGuard, schema .strict(), JWT algorithm allowlists, timing-safe secret comparisons, secure headers, rate limits, body limits, and request timeouts.
  • Keep reviewing lockfile diffs. A scanner comment is a signal; it is not a substitute for ownership of what ships.
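The lockfile review the last point asks for can be made systematic. The helper below is an added example, not DaloyJS project code or any vendor's tool; it assumes the npm lockfileVersion 3 package-lock.json layout (pnpm-lock.yaml would need a YAML parser), and the two lockfile fragments it runs on are constructed for the demo.

```javascript
// Added example: list the lockfile changes a reviewer must still own after a
// scanner has commented: added/removed packages, version or integrity changes,
// sources outside the npm registry (git/http), and packages with lifecycle scripts.
const REGISTRY = 'https://registry.npmjs.org/';

function packageName(lockPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function reviewLockfileDiff(before, after) {
  const findings = [];
  const note = (kind, lockPath, detail) =>
    findings.push({ kind, name: packageName(lockPath), detail });

  for (const [lockPath, pkg] of Object.entries(after.packages)) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const prev = before.packages[lockPath];
    if (!prev) note('added', lockPath, pkg.version);
    else if (prev.version !== pkg.version) note('version-changed', lockPath, `${prev.version} -> ${pkg.version}`);
    else if (prev.resolved !== pkg.resolved) note('resolved-changed', lockPath, pkg.resolved);
    else if (prev.integrity !== pkg.integrity) note('integrity-changed', lockPath, pkg.integrity);
    else continue; // identical entry, nothing to review
    // Behavioural checks apply only to entries that actually changed.
    if (!pkg.resolved || !pkg.resolved.startsWith(REGISTRY)) note('non-registry-source', lockPath, pkg.resolved || '(none)');
    if (pkg.hasInstallScript) note('install-script', lockPath, 'lifecycle script present');
  }
  for (const lockPath of Object.keys(before.packages)) {
    if (lockPath !== '' && !(lockPath in after.packages)) note('removed', lockPath, before.packages[lockPath].version);
  }
  return findings;
}

// Constructed lockfile fragments: the example-helper package, its git URL and
// every integrity hash below are made up for the demo.
const tgz = (n, v) => `${REGISTRY}${n}/-/${n}-${v}.tgz`;
const before = { lockfileVersion: 3, packages: {
  '': { name: 'daloy-api' },
  'node_modules/zod': { version: '3.22.0', resolved: tgz('zod', '3.22.0'), integrity: 'sha512-AAAA' },
  'node_modules/dotenv': { version: '16.4.0', resolved: tgz('dotenv', '16.4.0'), integrity: 'sha512-BBBB' },
} };
const after = { lockfileVersion: 3, packages: {
  '': { name: 'daloy-api' },
  'node_modules/zod': { version: '3.23.0', resolved: tgz('zod', '3.23.0'), integrity: 'sha512-CCCC' },
  'node_modules/dotenv': { version: '16.4.0', resolved: tgz('dotenv', '16.4.0'), integrity: 'sha512-DDDD' },
  'node_modules/example-helper': { version: '1.0.0', resolved: 'git+ssh://git@example.invalid/org/example-helper.git#abc1234', hasInstallScript: true },
} };

for (const f of reviewLockfileDiff(before, after)) console.log(`${f.kind.padEnd(20)} ${f.name}: ${f.detail}`);
```

Run against the real before/after package-lock.json from a dependency PR, the same-version integrity change on dotenv is the case to look at hardest, since neither a version bump nor a new package explains it.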

Freshness policy

To keep this page current, review the linked vendor docs when changing recommendations and before major DaloyJS releases. Avoid hardcoding plan limits or seat counts; link to the vendors' pricing pages instead: Socket pricing, Snyk plans, and Aikido pricing. If a vendor renames a product module, update the wording here and keep the old name out unless it is still present in the current docs.

Disclosure

DaloyJS has no commercial relationship with Socket, Snyk, or Aikido. These recommendations are based on how their current public products map to DaloyJS's threat model: secure-by-default framework controls plus external visibility into dependencies, code, containers, cloud, and live APIs.