Sonarwhal via the command line

I recently posted about Testing your website with sonarwhal, a great dynamic analysis tool that you can simply enter your website address into, and they’ll scan and return a report.

What I failed to mention (shame on me) is that you can also run this tool via the command line.  That’s right, they’re on npm as sonarwhal too.


It’s pretty straightforward to install (or so I thought!).

npm install -g --engine-strict sonarwhal

This failed for me, with an error code of EPERM, number -4048, “operation not permitted, rename (blah blah) …package.json”.  Oh dear!

A bit of Googling around and I’d tried a few different suggestions…

  • Upgrade Node as you need to be on 8.x as a minimum – if you’re on Windows and having a problem with this one, try reading Updating npm to latest version – this wasn’t the problem for me.
  • Run the Node command line tool as administrator – this may have helped, but certainly didn’t resolve the problem for me.
  • Cleaning the npm cache – this can be done with the command “npm cache clean” but it’s not recommended – if you do it then you will get a message back saying that you should never need to do this, and the instruction to add the --force parameter.  I tried this, and it didn’t help either.
  • Closing code editing programs that may be reading the folder, such as Atom or Visual Studio – I didn’t have any open at this point.
  • Use yarn instead of npm – I never tried this one, as I wasn’t convinced it would make a difference, but it was on the list to try if nothing else did.
  • Finding the npm cache folder (%appdata%\npm\) and changing its properties so that it and all subfolders are not read-only – I tried this but it didn’t make a difference for me.
  • Disabling antivirus – now I was sceptical about this one, and it’s never a good idea to disable your antivirus, but this did actually work!  Technically I didn’t disable my antivirus though, I simply added the npm cache folder (%appdata%\npm\) to the exclusion list for on-access scanning.
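
One way to keep the exclusion from the last bullet in place only for the duration of the install, as an added example that is not from the original post. It assumes Microsoft Defender is the on-access scanner (the post does not name the product) and an elevated PowerShell session.

```powershell
# Added example: assumes Microsoft Defender and an elevated PowerShell session.
$npmDir = Join-Path $env:APPDATA 'npm'   # the folder the post added to the exclusion list

# Record whether the exclusion already existed, so only an exclusion
# added by this script is removed afterwards.
$existing  = @((Get-MpPreference).ExclusionPath)
$addedByUs = $existing -notcontains $npmDir

if ($addedByUs) {
    Add-MpPreference -ExclusionPath $npmDir
}

try {
    npm install -g --engine-strict sonarwhal
    if ($LASTEXITCODE -ne 0) {
        throw "npm install failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Runs even when the install fails, so the exclusion never outlives the install.
    if ($addedByUs) {
        Remove-MpPreference -ExclusionPath $npmDir
    }
    # Print the remaining exclusions to confirm the list is back to its original state.
    (Get-MpPreference).ExclusionPath
}

# Scan the packages that were written while on-access scanning skipped the folder.
Start-MpScan -ScanType CustomScan -ScanPath $npmDir
```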

So, now over the hurdle, a total of 823 packages were installed (for v1.11.2).


The next step is to initialise…

sonarwhal --init

This will ask you a couple of questions…

  1. Do you want to use a predefined configuration or create your own based on your installed packages? – I went for “predefined”.
  2. Choose the configuration you want to extend from – I went for “web-recommended”, but there was also an option for “progressive-web-app” which could be handy in future.

It will then go on and install more packages, 162 in my case.


The next thing to do is run it…


It will download, traverse and analyse your site, running all of the dynamic analysis that the web version of the tool does, but with the configuration that you have downloaded (which may or may not be the same).

In fact, for my website it turned up a total of 140 errors and 7 warnings, which is a little bit more than the web one turned up, so it’s likely that the web one is using slightly different default config.

You can also use the sonarwhal events to build this directly into your build process, which looks very exciting!  I think that’s for another day though.