Security Scorecard

The scorecard analyses your upload security configuration and returns a letter grade (A–F) with specific findings and actionable recommendations. Great for CI gates, pull request checks, and sharing on social media.

Overview

Seven security checks are evaluated. Each check carries a weight, the weights sum to 100, and the score is the sum of the weights of the checks that pass; the score is then mapped to a letter grade. The individual checks, weights and pass conditions are listed under "Checks & weights" below.

API usage

const { generateScorecard } = require('pompelmi');

const scorecard = await generateScorecard({
  scanEnabled:              true,
  mimeTypeAllowlist:        ['image/jpeg', 'image/png', 'application/pdf'],
  fileSizeLimit:            10 * 1024 * 1024, // 10 MB
  diskWriteBeforeScan:      false,
  scanErrorBehavior:        'reject',
  clamdUnavailableBehavior: 'reject',
  tlsEnabled:               true,
});

console.log(scorecard.grade);        // 'A'
console.log(scorecard.score);        // 100
console.log(scorecard.findings);     // array of { check, status, weight }
console.log(scorecard.recommendations); // [] (empty when all pass)

Return value

{
  grade:           'A' | 'B' | 'C' | 'D' | 'F';
  score:           number; // 0–100
  findings:        Array<{ check: string; status: 'pass' | 'fail'; weight: number }>;
  recommendations: string[];
}

CLI usage

# Grade your config interactively
npx pompelmi scorecard --config ./pompelmi.config.js

Example output:

  Upload Security Scorecard

  Grade: A   Score: 100/100

  ✓  Virus scanning enabled                    (weight: 30)
  ✓  MIME type allowlist                        (weight: 20)
  ✓  File size limit                            (weight: 10)
  ✓  No disk write before scan                  (weight: 15)
  ✓  Scan error behavior is reject              (weight: 10)
  ✓  clamd unavailable behavior is reject       (weight: 10)
  ✓  TLS enabled on upload endpoint             (weight: 5)

Checks & weights

Config key                 Check                                   Weight  Pass condition
scanEnabled                Virus scanning enabled                      30  true
mimeTypeAllowlist          MIME type allowlist                         20  Non-empty array
diskWriteBeforeScan        No disk write before scan                   15  false
fileSizeLimit              File size limit                             10  Positive number
scanErrorBehavior          Scan error behavior is reject               10  'reject'
clamdUnavailableBehavior   clamd unavailable behavior is reject        10  'reject'
tlsEnabled                 TLS enabled on upload endpoint               5  true

Grade thresholds

Grade   Score range
A       90–100
B       75–89
C       60–74
D       45–59
F       0–44
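The scoring rules above are simple enough to reproduce, which is useful for reasoning about a grade before running the tool and for gating a CI job on a minimum grade. The block below is an added example, not pompelmi's own implementation: it reimplements the documented checks, weights, pass conditions and grade thresholds in plain JavaScript. The names scoreConfig, meetsMinimumGrade, renderScorecard, GRADE_THRESHOLDS and the recommendation wording are this example's own, the two sample configurations are constructed for it, and the 'allow' value in the fail-open configuration stands in for any value other than 'reject'. Note what the weights encode: the two 'reject' checks grade fail-closed behaviour, so a configuration with scanning enabled that still lets an upload through when clamd is unreachable or a scan errors forfeits 20 points, and writing the file to disk before it is scanned costs another 15.

```javascript
// Added example, not pompelmi's own code: the documented scorecard rules
// reimplemented so a grade can be reproduced offline and used as a CI gate.
// CHECKS, GRADE_THRESHOLDS, scoreConfig, meetsMinimumGrade, renderScorecard
// and the recommendation wording are this example's own assumptions.

// One entry per documented check: config key, label, weight, pass condition.
const CHECKS = [
  { key: 'scanEnabled',              label: 'Virus scanning enabled',               weight: 30, pass: v => v === true },
  { key: 'mimeTypeAllowlist',        label: 'MIME type allowlist',                  weight: 20, pass: v => Array.isArray(v) && v.length > 0 },
  { key: 'diskWriteBeforeScan',      label: 'No disk write before scan',            weight: 15, pass: v => v === false },
  // "Positive number": Infinity is positive but is no limit at all, so require a finite value.
  { key: 'fileSizeLimit',            label: 'File size limit',                      weight: 10, pass: v => Number.isFinite(v) && v > 0 },
  { key: 'scanErrorBehavior',        label: 'Scan error behavior is reject',        weight: 10, pass: v => v === 'reject' },
  { key: 'clamdUnavailableBehavior', label: 'clamd unavailable behavior is reject', weight: 10, pass: v => v === 'reject' },
  { key: 'tlsEnabled',               label: 'TLS enabled on upload endpoint',       weight: 5,  pass: v => v === true },
];

// Lower bound of each grade band, best grade first. The weights above sum to 100.
const GRADE_THRESHOLDS = [['A', 90], ['B', 75], ['C', 60], ['D', 45], ['F', 0]];

function gradeFor(score) {
  return GRADE_THRESHOLDS.find(([, min]) => score >= min)[0];
}

// Evaluate every check; the score is the sum of the weights of the passing checks.
// In this example a missing key fails its check rather than counting as a pass.
function scoreConfig(config) {
  const findings = CHECKS.map(c => ({
    check: c.label,
    status: c.pass(config[c.key]) ? 'pass' : 'fail',
    weight: c.weight,
  }));
  const score = findings
    .filter(f => f.status === 'pass')
    .reduce((sum, f) => sum + f.weight, 0);
  const recommendations = CHECKS
    .filter((c, i) => findings[i].status === 'fail')
    .map(c => `Set ${c.key} so that "${c.label}" passes (+${c.weight} points)`);
  return { grade: gradeFor(score), score, findings, recommendations };
}

// CI gate: true when the result's grade is at least minGrade ('A' is best).
function meetsMinimumGrade(result, minGrade) {
  const order = GRADE_THRESHOLDS.map(([g]) => g);
  return order.indexOf(result.grade) <= order.indexOf(minGrade);
}

// Text rendering in the style of the CLI output.
function renderScorecard(result) {
  const lines = [`Grade: ${result.grade}   Score: ${result.score}/100`, ''];
  for (const f of result.findings) {
    const mark = f.status === 'pass' ? '\u2713' : '\u2717';
    lines.push(`${mark}  ${f.check.padEnd(42)}(weight: ${f.weight})`);
  }
  return lines.join('\n');
}

// Constructed input: a hardened configuration (every check passes).
const STRONG_CONFIG = {
  scanEnabled: true,
  mimeTypeAllowlist: ['image/jpeg', 'image/png', 'application/pdf'],
  fileSizeLimit: 10 * 1024 * 1024,
  diskWriteBeforeScan: false,
  scanErrorBehavior: 'reject',
  clamdUnavailableBehavior: 'reject',
  tlsEnabled: true,
};

// Constructed input: scanning is on, yet the configuration fails open: no
// allowlist, unscanned bytes reach disk, and a scan error lets the upload
// through ('allow' is a placeholder for any value other than 'reject').
const FAIL_OPEN_CONFIG = {
  scanEnabled: true,
  mimeTypeAllowlist: [],
  fileSizeLimit: 10 * 1024 * 1024,
  diskWriteBeforeScan: true,
  scanErrorBehavior: 'allow',
  clamdUnavailableBehavior: 'reject',
  tlsEnabled: true,
};

const result = scoreConfig(FAIL_OPEN_CONFIG);
console.log(renderScorecard(result));
for (const r of result.recommendations) console.log('-', r);
console.log(meetsMinimumGrade(result, 'B') ? 'Gate: pass' : 'Gate: FAIL (minimum grade B)');
```

The fail-open configuration scores 55 (a D): it keeps the 30 points for scanning but loses the allowlist, the no-disk-write and the scan-error points, so a gate set at a minimum grade of B rejects it even though "virus scanning enabled" is true. When wiring a real gate, call the library's generateScorecard for the result and apply only the meetsMinimumGrade comparison from this example.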

Config file

Create a pompelmi.config.js at your project root and pass it via --config:

// pompelmi.config.js
module.exports = {
  scanEnabled:              true,
  mimeTypeAllowlist:        ['image/jpeg', 'image/png', 'application/pdf'],
  fileSizeLimit:            5 * 1024 * 1024,
  diskWriteBeforeScan:      false,
  scanErrorBehavior:        'reject',
  clamdUnavailableBehavior: 'reject',
  tlsEnabled:               true,
};

TypeScript

import { generateScorecard, ScorecardConfig, ScorecardResult } from 'pompelmi';

const config: ScorecardConfig = {
  scanEnabled: true,
  mimeTypeAllowlist: ['image/jpeg'],
  fileSizeLimit: 10_000_000,
  diskWriteBeforeScan: false,
  scanErrorBehavior: 'reject',
  clamdUnavailableBehavior: 'reject',
  tlsEnabled: true,
};

const result: ScorecardResult = await generateScorecard(config);