Sonarwhal via the command line

I recently posted about Testing your website with sonarwhal, a great dynamic analysis tool that you can simply enter your website address into, and they’ll scan and return a report.

What I failed to mention (shame on me) is that you can also run this tool via the command line.  That’s right, they’re on npm as sonarwhal too.


It’s pretty straight forward to install (or so I thought!).

npm install -g --engine-strict sonarwhal

This failed for me, with an error code of EPERM, number -4048, “operation not permitted, rename (blah blah) …package.json”.  Oh dear!

I bit of Googling around and I’d tried a few different suggestions…

  • Upgrade Node as you need to be on 8.x as a minimum – if you’re on Windows and having a problem with this one, try reading Updating npm to latest version – this wasn’t the problem for me.
  • Run the Node  command line tool as administrator – this may have helped, but certainly didn’t resolve the problem for me.
  • Cleaning the npm cache – this can be done with the command “npm cache clean” but it’s not recommended – if you do it then you will get a message back saying that you should never need to do this, and the instruction to add the –force parameter.  I tried this, and it didn’t help either.
  • Closing code editing programs that may be reading the folder, such as Atom or Visual Studio – I didn’t have any open at this point.
  • Use yarn instead of npm – I never tried this one, as I wasn’t convinced it would make a difference, but it was on the list to try if nothing else did.
  • Finding the npm cache folder (%appdata%\npm\) and changing it’s properties so that it and all subfolders are not read-only – I tried this but it didn’t make a difference for me.
  • Disabling antivirus – now I was sceptical about this one, and it’s never a good idea to disable your antivirus, but this did actually work!  Technically I didn’t disable my antivirus though, I simply added the npm cache folder (%appdata%\npm\) to the exclusion list for on-access scanning.

So, now over the hurdle, a total of 823 packages were installed (for v1.11.2).


The next step is to initialise…

sonarwhal --init

This will ask you a couple of questions…

  1. Do you want to use a predefined configuration or create your own based on your installed packages? – I went for “predefined”.
  2. Choose the configuration you want to extend from – I want for “web-recommended”, but there was also an option for “progressive-web-app” which could be handy in future.

It will then go on and install more packages, 162 in my case.


The next thing to do is run it…


It will download, traverse and analyse your site, running all of the dynamic analysis that the web version of the tool does, but with the configuration that you have downloaded (which may or may not be the same).

In fact, for my website it turned up a total of 140 errors and 7 warnings, which is a little bit more than the web one turned up, so it’s likely that the web one is using slightly different default config.

You can also use the sonarwhal events to build this directly into your build process, which looks very exciting!  I think that’s for another day though.


Testing your website with sonarwhal

Yesterday I was watching a great Pluralsight course called Play by Play: Javascript Security by Troy Hunt and Aaron Powell.  In this course they discuss a number of security related things, including auth tokens, caching, service workers, third-party library vulnerabilities and client-side validation.  Aaron also introduced me to a tool that I hadn’t heard of before, called sonarwhal. If you’re…

Updating npm to latest version

Recently I had some trouble updating npm to the latest version on Windows, which was driving me crazy until a StackOverflow thread pointed me in the right direction.  Unfortunately I can’t find the thread again, but as this was just a passing comment and not an answer, I thought it would be worth immortalising it here. By…

HTTP is dead

I really should stop with the clickbait headlines!  A couple of months ago I posted about how SEO is dead and now I’m doing it again. Well, this time I can safely say that HTTP is not in fact dead.  But it is losing out to HTTPS, as more and more websites are going secure. There are…

SEO is dead

Ok ok, so it’s not exactly dead… or is it?  No, it’s not.  Well, depends on what you really mean, I guess. Search Engine Optimisation has always been big business, ever since there were search engines.  And ever since then, people have been saying that SEO has been dead. For me, SEO is an evolution,…


I’ve recently received some really positive feedback for some work I’ve done, and I was chuffed to bits.  I’m not massively good at bragging, even the artful humble brag, but I think I really should add a testimonials page to my site when I get the chance, so I can look back and try to…