Deno Permissions Builder

Visually compose Deno --allow-* flags, build deno.json tasks, and produce the equivalent CLI invocation.

Risk score: 100 (Tight). Wildcards (no scope) reduce score most.

--allow-read (risk: medium)

Permission to read files and directories from the file system. Without arguments grants full read.

Example: --allow-read=./data,./public

--allow-write (risk: high)

Permission to write to files and directories. Scoping to specific paths is strongly recommended.

Example: --allow-write=./tmp

--allow-net (risk: high)

Network access. Can be scoped to host:port pairs to limit egress to known endpoints.

Example: --allow-net=api.openai.com:443,localhost:8000

--allow-env (risk: medium)

Read environment variables. Scope to specific keys to avoid leaking unrelated config.

Example: --allow-env=HOME,PORT,DATABASE_URL

--allow-run (risk: high)

Run subprocesses. The most dangerous permission — scope to specific binaries when possible.

Example: --allow-run=git,docker

--allow-sys (risk: low)

System info access (hostname, osRelease, networkInterfaces, etc.). Scope by API name.

Example: --allow-sys=hostname,osRelease

--allow-ffi (risk: high)

Load dynamic libraries (FFI). Equivalent to running native code — treat as code execution.

Example: --allow-ffi=./lib/native.so

--allow-import (risk: medium)

Permission to import remote modules from specific hosts (Deno 2+). Locks supply chain.

Example: --allow-import=deno.land,jsr.io

CLI invocation

deno run main.ts

deno.json

{
  "tasks": {
    "dev": "deno run main.ts"
  },
  "compilerOptions": {
    "strict": true
  }
}

Permission philosophy

Always scope. Bare --allow-net hands every external host to the script. Pin to host:port pairs you actually need. For supply-chain safety, combine --allow-import with a lockfile and audit-on-update.

What This Tool Does

Deno Permissions Builder is built for deterministic developer and agent workflows.

Visually select Deno --allow-* flags (read, write, net, env, run, sys, ffi, hrtime), build deno.json/deno.jsonc tasks, and produce the equivalent CLI invocation. Explains permission scope per flag.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Browser Workflow

This tool is optimized for instant in-browser execution with local data handling. Run it here and copy/export the output directly.

For automation planning, fetch the canonical contract at /api/tool/deno-permissions-builder.json.

How to Use Deno Permissions Builder

  1. Pick a preset or start blank

     Choose a preset (Static file server, API proxy, Build tool) to load a sensible permission baseline, or start from a clean slate. The reset button clears all flags so you can build from zero.

  2. Toggle individual --allow flags

     Tick the checkbox for each permission your script needs. Each flag shows a risk badge (low/medium/high) and a description, so you understand what the permission actually exposes before granting it.

  3. Scope each permission

     Where supported, fill in the comma-separated scopes (paths, host:port pairs, env keys, binary names). Wildcard permissions cost the most against the risk score, so narrow scopes are strongly encouraged.

  4. Save tasks to deno.json

     Set a task name, click Save as task, and the deno.json output panel adds it to the tasks block. Repeat for dev/build/start variants — each task captures its own permission snapshot for repeatable runs.

  5. Copy the CLI or deno.json

     The CLI panel shows the equivalent deno run command. Copy either the CLI invocation for ad-hoc runs or the deno.json block for committing into the repo as the canonical task definition.

Frequently Asked Questions

Why scope permissions instead of using --allow-all?

Each --allow-* flag is an attack-surface multiplier. Scoping --allow-net to specific host:port pairs and --allow-read to known directories means a compromised dependency cannot exfiltrate arbitrary data or contact arbitrary hosts.

How is the risk score calculated?

It starts at 100 and subtracts a weight per enabled flag (high=25, medium=12, low=4). Wildcard scopes (no comma list) cost the full weight; narrow scopes cost about 40 percent. Higher score means tighter permissions.

Can I save multiple task variants?

Yes. Set a task name, configure flags, click Save as task, then change scopes and save another. Each saved task captures its own snapshot, ending up in the deno.json tasks block as separate, named entries.

Does it send my data to a server?

No. The builder runs entirely in your browser. Permission spec, scopes, task names, and generated commands or deno.json blocks never leave your device.

What about --allow-import?

Deno 2 introduced --allow-import to lock down which hosts can serve modules. Combine it with deno.lock and a periodic deno cache --reload audit to lock down your supply chain.
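
The "Always scope" rule and the risk-score answer above can be turned into a repository check. The following is an added example, not the tool's own code: it reads the tasks block of a deno.json, lists every bare --allow-* flag, and scores each task with the weights and badges from this page. Rounding the "about 40 percent" scoped cost, clamping the score at 0, treating -A/--allow-all as every flag unscoped, and the names auditCommand, auditDenoJson and SAMPLE_DENO_JSON are assumptions.

```typescript
// Added example, not the tool's source. Weights and badges come from this page;
// rounding the "about 40 percent" scoped cost and clamping at 0 are assumptions.
const WEIGHT = { high: 25, medium: 12, low: 4 } as const;
const RISK: Record<string, keyof typeof WEIGHT> = {
  read: "medium", write: "high", net: "high", env: "medium",
  run: "high", sys: "low", ffi: "high", import: "medium",
};
interface TaskReport { task: string; score: number; unscoped: string[] }

// Score one task command. Every token is scanned, so a flag placed after the
// script name (a script argument) is also counted: over-reporting is preferred.
function auditCommand(task: string, command: string): TaskReport {
  const tokens = command.trim().split(/\s+/);
  const allowAll = tokens.some((t) => t === "-A" || t === "--allow-all");
  const seen: Record<string, boolean> = {}; // flag name -> true if scoped
  for (const token of tokens) {
    const m = /^--allow-([a-z]+)(?:=(.*))?$/.exec(token);
    if (!m || !(m[1] in RISK)) continue;
    const scoped = m[2] !== undefined && m[2].length > 0;
    // A repeated flag counts as unscoped if any occurrence is bare.
    seen[m[1]] = m[1] in seen ? seen[m[1]] && scoped : scoped;
  }
  let cost = 0;
  const unscoped: string[] = [];
  for (const name of Object.keys(RISK)) {
    if (!allowAll && !(name in seen)) continue;
    const scoped = !allowAll && seen[name];
    cost += scoped ? Math.round(WEIGHT[RISK[name]] * 0.4) : WEIGHT[RISK[name]];
    if (!scoped) unscoped.push("--allow-" + name);
  }
  return { task, score: Math.max(0, 100 - cost), unscoped };
}

// Audit every string-valued entry in the "tasks" block of a deno.json document.
function auditDenoJson(json: string): TaskReport[] {
  const tasks: Record<string, unknown> = JSON.parse(json).tasks || {};
  return Object.keys(tasks)
    .filter((name) => typeof tasks[name] === "string")
    .map((name) => auditCommand(name, tasks[name] as string));
}

// Constructed sample input, not taken from a real project.
const SAMPLE_DENO_JSON = JSON.stringify({ tasks: {
  dev: "deno run --allow-net --allow-read=./public --allow-env=PORT main.ts",
  start: "deno run --allow-net=localhost:8000 --allow-read=./public main.ts",
  build: "deno run -A build.ts",
} });
console.log(auditDenoJson(SAMPLE_DENO_JSON));
```

A CI job can fail the build when any task reports a non-empty unscoped list.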