@aikidosec/safe-chain 1.0.20 → 1.0.21

package/README.md

@@ -1,6 +1,6 @@
 # Aikido Safe Chain
 
-The Aikido Safe Chain **prevents developers from installing malware** on their workstations through npm, npx, yarn, pnpm and pnpx.
+The Aikido Safe Chain **prevents developers from installing malware** on their workstations through npm, npx, yarn, pnpm and pnpx. It's **free** to use and does not require any token.
 
 The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm or pnpx from downloading or running the malware.
 
@@ -67,6 +67,21 @@ To uninstall the Aikido Safe Chain, you can run the following command:
    ```
 3. **❗Restart your terminal** to remove the aliases.
 
+# Configuration
+
+## Malware Action
+
+You can control how Aikido Safe Chain responds when malware is detected using the `--safe-chain-malware-action` flag:
+
+- `--safe-chain-malware-action=block` (**default**) - Automatically blocks installation and exits with an error when malware is detected
+- `--safe-chain-malware-action=prompt` - Prompts the user to decide whether to continue despite the malware detection
+
+Example usage:
+
+```shell
+npm install suspicious-package --safe-chain-malware-action=prompt
+```
+
 # Usage in CI/CD
 
 🚧 Support for CI/CD environments is coming soon...

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.20",
+  "version": "1.0.21",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/config/cliArguments.js

@@ -0,0 +1,50 @@
+const state = {
+  malwareAction: undefined,
+};
+
+const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
+
+export function initializeCliArguments(args) {
+  // Reset state on each call
+  state.malwareAction = undefined;
+
+  const safeChainArgs = [];
+  const remainingArgs = [];
+
+  for (const arg of args) {
+    if (arg.toLowerCase().startsWith(SAFE_CHAIN_ARG_PREFIX)) {
+      safeChainArgs.push(arg);
+    } else {
+      remainingArgs.push(arg);
+    }
+  }
+
+  setMalwareAction(safeChainArgs);
+
+  return remainingArgs;
+}
+
+function setMalwareAction(args) {
+  const safeChainMalwareActionArg = SAFE_CHAIN_ARG_PREFIX + "malware-action=";
+
+  const action = getLastArgEqualsValue(args, safeChainMalwareActionArg);
+  if (!action) {
+    return;
+  }
+  state.malwareAction = action.toLowerCase();
+}
+
+function getLastArgEqualsValue(args, prefix) {
+  for (var i = args.length - 1; i >= 0; i--) {
+    const arg = args[i];
+    if (arg.toLowerCase().startsWith(prefix)) {
+      return arg.substring(prefix.length);
+    }
+  }
+
+  return undefined;
+}
+
+export function getMalwareAction() {
+  return state.malwareAction;
+}

package/src/config/settings.js

@@ -0,0 +1,14 @@
+import * as cliArguments from "./cliArguments.js";
+
+export function getMalwareAction() {
+  const action = cliArguments.getMalwareAction();
+
+  if (action === MALWARE_ACTION_PROMPT) {
+    return MALWARE_ACTION_PROMPT;
+  }
+
+  return MALWARE_ACTION_BLOCK;
+}
+
+export const MALWARE_ACTION_BLOCK = "block";
+export const MALWARE_ACTION_PROMPT = "prompt";

package/src/main.js

@@ -3,9 +3,13 @@
 import { scanCommand, shouldScanCommand } from "./scanning/index.js";
 import { ui } from "./environment/userInteraction.js";
 import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+import { initializeCliArguments } from "./config/cliArguments.js";
 
 export async function main(args) {
   try {
+    // This parses all the --safe-chain arguments and removes them from the args array
+    args = initializeCliArguments(args);
+
     if (shouldScanCommand(args)) {
       await scanCommand(args);
     }

package/src/scanning/index.js

@@ -4,6 +4,7 @@ import { setTimeout } from "timers/promises";
 import chalk from "chalk";
 import { getPackageManager } from "../packagemanager/currentPackageManager.js";
 import { ui } from "../environment/userInteraction.js";
+import { getMalwareAction, MALWARE_ACTION_PROMPT } from "../config/settings.js";
 
 export function shouldScanCommand(args) {
   if (!args || args.length === 0) {
@@ -59,10 +60,7 @@ export async function scanCommand(args) {
     spinner.succeed("No malicious packages detected.");
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
-    await acceptRiskOrExit(
-      "Do you want to continue with the installation despite the risks?",
-      false
-    );
+    await onMalwareFound();
   }
 }
 
@@ -74,19 +72,23 @@ function printMaliciousChanges(changes, spinner) {
   }
 }
 
-async function acceptRiskOrExit(message, defaultValue) {
+async function onMalwareFound() {
   ui.emptyLine();
-  const continueInstall = await ui.confirm({
-    message: message,
-    default: defaultValue,
-  });
-
-  if (continueInstall) {
-    ui.writeInformation("Continuing with the installation...");
-    return;
+
+  if (getMalwareAction() === MALWARE_ACTION_PROMPT) {
+    const continueInstall = await ui.confirm({
+      message:
+        "Malicious packages were found. Do you want to continue with the installation?",
+      default: false,
+    });
+
+    if (continueInstall) {
+      ui.writeWarning("Continuing with the installation despite the risks...");
+      return;
+    }
   }
 
-  ui.writeInformation("Exiting without installing packages.");
+  ui.writeError("Exiting without installing malicious packages.");
   ui.emptyLine();
   process.exit(1);
 }