npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

snoka-cli

v1.4.0

Published

Snoka — noses through your Google Workspace and finds security exposures. Keyless scanning, security score, CIS-mapped audit reports.

Readme

Snoka 🐭

npm node website

Find what your Google Workspace is exposing. Snoka noses through every user, file, group and admin setting in your tenant, scores its security posture, and produces an audit-ready, CIS-mapped report — from a terminal on your machine, with nothing installed in the tenant and no key files to guard.

Why Snoka

  • Keyless. No service-account JSON key is ever created — the classic leak-a-credential-to-audit-credentials problem doesn't exist here. You sign in with your Google account; Snoka mints short-lived tokens through domain-wide delegation. Works under Secure-by-Default org policy.
  • There is no Snoka cloud. Scans run on your computer against Google's own APIs. Findings, reports and history are written to your disk and emailed by your own admin account. Nothing ever reaches us — there is no backend to breach.
  • Audit-ready evidence. Every report carries a severity-weighted security score (0–100, A–F), findings cite CIS Google Workspace Foundations Benchmark controls, and an appendix documents methodology, accepted risks and every remediation action. PDF for people, CSV and JSON for machines.

Quick start

npm install -g snoka-cli
snoka

On first run a setup wizard in the terminal takes it from there: it asks for your super-admin email, domain(s) and service account, writes snoka.config.json for you, opens the browser once to sign you in, and ends with a pre-filled Admin console link for the one step Google makes you do yourself (authorizing domain-wide delegation — one click). It then offers to verify every API and scope with one cheap probe each; re-run that any time with snoka doctor.

One-time Google Cloud prerequisites (a project, a keyless service account, an OAuth desktop client) are listed below — about ten minutes, and repeat machines skip straight to npm install.

Scanning and triage are free. Reports, email delivery, scheduling and remediation are Pro — after checkout your license key arrives by email: snoka license activate <key>.

The ten checks

| Check | What it flags | CIS | | --- | --- | --- | | drive-shares | Files visible to anyone with the link, or shared to external people, groups and domains — across every user's Drive | 4.2–4.4 | | shared-drives | External members and organizers on shared drives; files opened to anyone by link or public search | 4.2–4.4 | | account-hygiene | Admins without 2-step verification, unenrolled users, stale and suspended accounts | 1.1, 1.2 | | third-party-apps | OAuth grants holding full Gmail, full Drive or admin scopes, rated by reach — plus app passwords that skip 2SV | 2.1, 2.3 | | mail-forwarding | Auto-forwards, forwarding filters and mailbox delegates pointing outside the organization | 5.1, 5.17 | | group-exposure | External members and owners; groups anyone on the internet can join, read or post to | — | | admin-policy | Tenant-wide settings left risky: 2SV enforcement, password rules, session length, sharing defaults, POP/IMAP and more | 1.1–5.17 | | sign-in-activity | What Google itself flagged in the last 30 days: suspicious sign-ins, leaked-password and hijack suspensions, failed-sign-in bursts | — | | admin-audit | Access-expanding actions from the last 90 days: new super admins, admin-role grants, new domain-wide delegation, 2SV rollbacks | — | | email-auth | Missing or weak SPF, DKIM and DMARC records that let outsiders send mail as your domain | — |

Found in one pass, deduplicated, and tracked scan-over-scan. Run everything with snoka all, one check with snoka <id>, or pick from the menu.

The report

  • Security score, 0–100 with a grade — severity-weighted, so one critical exposure outweighs ten trivia; accepted risks are excluded.
  • CIS benchmark mapping — findings cite controls; the appendix lists every assessed control as CLEAR or OPEN.
  • Trends — each scan is remembered (.snoka-state/history/), so reports show New / Resolved since last scan.
  • Audit appendix — methodology per check, the accepted-risk register, and the remediation action log; each report is self-contained evidence with a report ID and tool version.

Reports land in reports/ — a summary PDF, a CSV per check, and a JSON. Running several checks together produces one combined Workspace Security Report.

Email & scheduled scans

Under Options (menu or snoka options):

  • Email reports — sends the finished PDF from your admin account via the Gmail API (adds the gmail.send scope, pre-filled link provided). Choose every scan or only when there are new findings.
  • Scheduled scans — runs snoka all --email daily or weekly unattended. On Windows, Snoka creates the Task Scheduler entry for you; on macOS/Linux it prints the exact cron line to add. If a scheduled run fails (most commonly an expired Google sign-in — email can't reach you then either, since it rides on the same credential), Snoka warns you the next time you open it and offers to repair the sign-in on the spot.

Review & revoke (opt-in remediation)

Every scan feeds a local findings database, so triage doesn't mean digging through report files:

  • snoka review — bulk-first triage: pick a slice (all / severity / check / external domain), then queue for revoke or accept as known risk (writes the allowlist for you). Acting on "everything shared to @gmail.com" is one action, not a thousand ticks.
  • snoka revoke — executes the queue: re-verifies each exposure live, shows the plan, asks for confirmation, then removes the access — Drive file permissions, external group members, risky OAuth app grants, and external mail forwarding/delegation. Every action is logged.

Snoka is read-only by default. revoke refuses to run until you enable remediation mode under Options, which hands you a pre-filled Admin console link adding the required write scopes — and disabling it offers the reverse link that shrinks the grant back.

Changes are reversible (with one honest exception). Each revoke records an undo payload, and Options → Revert Snoka's changes (or snoka revert) restores it all — re-shares the files, re-adds the members and delegates, re-enables the forwarding — with the same gates: opt-in, confirmed, logged. The exception: a revoked OAuth app grant can only be restored by the user re-authorizing the app — Snoka says so before you confirm. Re-added forwarding addresses trigger Gmail's verification email again.

Accepted risks

Accepted findings live in snoka.allowlist.json — the review screen writes it for you (or copy a finding's _sig from the JSON report, see snoka.allowlist.example.json). They're hidden from reports and counted separately — never as "resolved".

Where your data lives

A global install keeps snoka.config.json, snoka.allowlist.json, .snoka-state/ and reports/ in a per-user directory (%LOCALAPPDATA%\snoka on Windows, ~/.config/snoka elsewhere), so upgrading the package never touches your config, sign-in or license. A repo clone keeps everything at the repo root. Set SNOKA_HOME to override either.

One-time Google Cloud setup

All of it lives in your GCP project and persists forever — repeat machines skip straight to Quick start.

  1. A GCP project → enable APIs: Admin SDK, Google Drive, Gmail, Groups Settings, IAM Service Account Credentials, and IAM (the last one lets the wizard look up the service account's Unique ID and pre-fill the domain-wide-delegation link for you).

  2. A service account (e.g. snoka-scanner) — no key. Its email is what the wizard asks for.

  3. An OAuth client ID of type Desktop app (APIs & Services → Credentials → Create credentials → OAuth client ID). The wizard asks for its client ID and secret — this is what lets Snoka sign you in from the browser with no gcloud install.

  4. Grant your super-admin account the Service Account Token Creator role on the service account.

  5. After the wizard: Admin console → Security → API controls → Domain-wide delegation → add the service account's Unique ID with the scopes the wizard prints:

    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/drive.metadata.readonly,
    https://www.googleapis.com/auth/drive.readonly,
    https://www.googleapis.com/auth/admin.directory.user.security,
    https://www.googleapis.com/auth/gmail.settings.basic,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/apps.groups.settings,
    https://www.googleapis.com/auth/cloud-identity.policies.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://www.googleapis.com/auth/admin.reports.audit.readonly

    (A check whose scope you skipped is skipped with a message telling you which scope to add — the others still run.)

    After you click Authorize, the wizard offers to verify every API and scope with one cheap probe each and tells you exactly what's missing and where to fix it. Re-run the verification any time with snoka doctor — fresh grants can take a few minutes to propagate.

Prefer gcloud? The wizard also offers "gcloud ADC" as the sign-in method — if you already use gcloud auth application-default login, pick that and skip the OAuth client entirely. Env vars (SNOKA_SA, SNOKA_ADMIN, SNOKA_DOMAINS, SNOKA_CONCURRENCY, SNOKA_OAUTH_CLIENT_ID, SNOKA_OAUTH_CLIENT_SECRET) override the config file for CI use. snoka.config.json and the cached sign-in token are git-ignored.

Requirements & pricing

Any machine with Node 18+ (Windows, macOS or Linux), a super-admin account, and any Workspace edition with API access — Business Starter and up.

| | Free | Pro €19/mo | MSP €99/mo | | --- | --- | --- | --- | | All ten checks, score, triage & review queue | ✓ | ✓ | ✓ | | Audit-ready PDF, CSV and JSON reports | | ✓ | ✓ | | CIS benchmark mapping & appendix | | ✓ | ✓ | | Email delivery & scheduled scans | | ✓ | ✓ | | Remediation with one-command revert | | ✓ | ✓ | | Domains covered | 1 | 1 | 10 |

14-day free trial on paid plans, prices ex-VAT, cancel any time — snoka.app.

Where this is going

The endgame is zero GCP setup: Snoka as a Google Workspace Marketplace app — an admin clicks Install, approves one consent screen, and that single action grants the delegation. No project, no service account, no manual scopes. The CLI's in-terminal OAuth sign-in is the first step down this road; the hosted edition replaces the remaining setup entirely.


Google Workspace is a trademark of Google LLC. Snoka is not affiliated with or endorsed by Google. · Terms · Privacy · [email protected]