@aikidosec/safe-chain 1.1.10 → 1.2.0

package/README.md

@@ -1,5 +1,10 @@
+![Aikido Safe Chain](./docs/banner.svg)
+
 # Aikido Safe Chain
 
+[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Fsafe-chain?style=flat-square)](https://www.npmjs.com/package/@aikidosec/safe-chain)
+[![NPM Downloads](https://img.shields.io/npm/dw/%40aikidosec%2Fsafe-chain?style=flat-square)](https://www.npmjs.com/package/@aikidosec/safe-chain)
+
 - ✅ **Block malware on developer laptops and CI/CD**
 - ✅ **Supports npm and PyPI** more package managers coming
 - ✅ **Blocks packages newer than 24 hours** without breaking your build
@@ -22,29 +27,45 @@ Aikido Safe Chain works on Node.js version 16 and above and supports the followi
 
 ## Installation
 
-Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
+Installing the Aikido Safe Chain is easy with our one-line installer.
 
-1. **Install the Aikido Safe Chain package globally** using npm:
-   ```shell
-   npm install -g @aikidosec/safe-chain
-   ```
-2. **Setup the shell integration** by running:
+> ⚠️ **Already installed via npm?** See the [migration guide](docs/npm-to-binary-migration.md) to switch to the binary version.
 
-   ```shell
-   safe-chain setup
-   ```
+### Unix/Linux/macOS
 
-   To enable Python (pip/pip3/uv) support (beta), use the `--include-python` flag:
+**Default installation (JavaScript packages only):**
 
-   ```shell
-   safe-chain setup --include-python
-   ```
+```shell
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh
+```
+
+**Include Python support (pip/pip3/uv):**
+
+```shell
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --include-python
+```
+
+### Windows (PowerShell)
+
+**Default installation (JavaScript packages only):**
 
-3. **❗Restart your terminal** to start using the Aikido Safe Chain.
+```powershell
+iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1" -UseBasicParsing)
+```
+
+**Include Python support (pip/pip3/uv):**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -includepython"
+```
+
+### Verify the installation
+
+1. **❗Restart your terminal** to start using the Aikido Safe Chain.
 
    - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, and pip/pip3 are loaded correctly. If you do not restart your terminal, the aliases will not be available.
 
-4. **Verify the installation** by running one of the following commands:
+2. **Verify the installation** by running one of the following commands:
 
    For JavaScript/Node.js:
 
@@ -52,7 +73,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
    npm install safe-chain-test
    ```
 
-   For Python (beta):
+   For Python (if you enabled Python support):
 
    ```shell
    pip3 install safe-chain-pi-test
@@ -163,21 +184,37 @@ You can protect your CI/CD pipelines from malicious packages by integrating Aiki
 
 For optimal protection in CI/CD environments, we recommend using **npm >= 10.4.0** as it provides full dependency tree scanning. Other package managers currently offer limited scanning of install command arguments only.
 
-## Setup
+## Installation for CI/CD
+
+Use the `--ci` flag to automatically configure Aikido Safe Chain for CI/CD environments. This sets up executable shims in the PATH instead of shell aliases.
+
+### Unix/Linux/macOS (GitHub Actions, Azure Pipelines, etc.)
 
-To use Aikido Safe Chain in CI/CD environments, run the following command after installing the package:
+**JavaScript only:**
 
 ```shell
-safe-chain setup-ci
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
 ```
 
-To enable Python (pip/pip3/uv) support (beta) in CI/CD, use the `--include-python` flag:
+**With Python support:**
 
 ```shell
-safe-chain setup-ci --include-python
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
 ```
 
-This automatically configures your CI environment to use Aikido Safe Chain for all package manager commands.
+### Windows (Azure Pipelines, etc.)
+
+**JavaScript only:**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci"
+```
+
+**With Python support:**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci -includepython"
+```
 
 ## Supported Platforms
 
@@ -193,16 +230,15 @@ This automatically configures your CI environment to use Aikido Safe Chain for a
     node-version: "22"
     cache: "npm"
 
-- name: Setup safe-chain
-  run: |
-    npm i -g @aikidosec/safe-chain
-    safe-chain setup-ci
+- name: Install safe-chain
+  run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
 
 - name: Install dependencies
-  run: |
-    npm ci
+  run: npm ci
 ```
 
+> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv) support.
+
 ## Azure DevOps Example
 
 ```yaml
@@ -211,14 +247,13 @@ This automatically configures your CI environment to use Aikido Safe Chain for a
     versionSpec: "22.x"
   displayName: "Install Node.js"
 
-- script: |
-    npm i -g @aikidosec/safe-chain
-    safe-chain setup-ci
-  displayName: "Install safe chain"
+- script: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
+  displayName: "Install safe-chain"
 
-- script: |
-    npm ci
-  displayName: "npm install and build"
+- script: npm ci
+  displayName: "Install dependencies"
 ```
 
+> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv) support.
+
 After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

package/bin/aikido-bun.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "bun";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-bunx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "bunx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-npm.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "npm";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-npx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "npx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pip.js

@@ -13,6 +13,8 @@ setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
 
 initializePackageManager(PIP_PACKAGE_MANAGER);
 
-// Pass through only user-supplied pip args
-var exitCode = await main(process.argv.slice(2));
-process.exit(exitCode);
+(async () => {
+  // Pass through only user-supplied pip args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pip3.js

@@ -14,6 +14,8 @@ setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
 // Create package manager
 initializePackageManager(PIP_PACKAGE_MANAGER);
 
-// Pass through only user-supplied pip args
-var exitCode = await main(process.argv.slice(2));
-process.exit(exitCode);
+(async () => {
+  // Pass through only user-supplied pip args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pnpm.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "pnpm";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pnpx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "pnpx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-python.js

@@ -11,18 +11,20 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
-if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-	setEcoSystem(ECOSYSTEM_PY);
-	setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP);
-	initializePackageManager(PIP_PACKAGE_MANAGER);
+(async () => {
+  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
+    setEcoSystem(ECOSYSTEM_PY);
+    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP);
+    initializePackageManager(PIP_PACKAGE_MANAGER);
 
-  // Strip off the '-m pip' or '-m pip3' from the args
-  argv = argv.slice(2);
+    // Strip off the '-m pip' or '-m pip3' from the args
+    argv = argv.slice(2);
 
-  var exitCode = await main(argv);
-	process.exit(exitCode);
-} else {
-	// Forward to real python binary for non-pip flows
-	const { spawn } = await import('child_process');
-	spawn('python', argv, { stdio: 'inherit' });
-}
+    var exitCode = await main(argv);
+    process.exit(exitCode);
+  } else {
+    // Forward to real python binary for non-pip flows
+    const { spawn } = await import('child_process');
+    spawn('python', argv, { stdio: 'inherit' });
+  }
+})();

package/bin/aikido-python3.js

@@ -11,18 +11,20 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
-if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-	setEcoSystem(ECOSYSTEM_PY);
-	setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP);
-	initializePackageManager(PIP_PACKAGE_MANAGER);
+(async () => {
+  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
+    setEcoSystem(ECOSYSTEM_PY);
+    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP);
+    initializePackageManager(PIP_PACKAGE_MANAGER);
 
-  // Strip off the '-m pip' or '-m pip3' from the args
-	argv = argv.slice(2);
+    // Strip off the '-m pip' or '-m pip3' from the args
+    argv = argv.slice(2);
 
-  var exitCode = await main(argv);
-	process.exit(exitCode);
-} else {
-	// Forward to real python3 binary for non-pip flows
-	const { spawn } = await import('child_process');
-	spawn('python3', argv, { stdio: 'inherit' });
-}
+    var exitCode = await main(argv);
+    process.exit(exitCode);
+  } else {
+    // Forward to real python3 binary for non-pip flows
+    const { spawn } = await import('child_process');
+    spawn('python3', argv, { stdio: 'inherit' });
+  }
+})();

package/bin/aikido-uv.js

@@ -9,6 +9,8 @@ setEcoSystem(ECOSYSTEM_PY);
 
 initializePackageManager("uv");
 
-// Pass through only user-supplied uv args
-var exitCode = await main(process.argv.slice(2));
-process.exit(exitCode);
+(async () => {
+  // Pass through only user-supplied uv args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-yarn.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "yarn";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/safe-chain.js

@@ -1,12 +1,37 @@
 #!/usr/bin/env node
 
 import chalk from "chalk";
-import { createRequire } from "module";
 import { ui } from "../src/environment/userInteraction.js";
 import { setup } from "../src/shell-integration/setup.js";
 import { teardown } from "../src/shell-integration/teardown.js";
 import { setupCi } from "../src/shell-integration/setup-ci.js";
 import { initializeCliArguments } from "../src/config/cliArguments.js";
+import { setEcoSystem } from "../src/config/settings.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { main } from "../src/main.js";
+import path from "path";
+import { fileURLToPath } from "url";
+import fs from "fs";
+import { knownAikidoTools } from "../src/shell-integration/helpers.js";
+import {
+  PIP_INVOCATIONS,
+  PIP_PACKAGE_MANAGER,
+  setCurrentPipInvocation,
+} from "../src/packagemanager/pip/pipSettings.js";
+
+/** @type {string} */
+// This checks the current file's dirname in a way that's compatible with:
+//  - Modulejs (import.meta.url)
+//  - ES modules (__dirname)
+// This is needed because safe-chain's npm package is built using ES modules,
+// but building the binaries requires commonjs.
+let dirname;
+if (import.meta.url) {
+  const filename = fileURLToPath(import.meta.url);
+  dirname = path.dirname(filename);
+} else {
+  dirname = __dirname;
+}
 
 if (process.argv.length < 3) {
   ui.writeError("No command provided. Please provide a command to execute.");
@@ -19,19 +44,35 @@ initializeCliArguments(process.argv);
 
 const command = process.argv[2];
 
-if (command === "help" || command === "--help" || command === "-h") {
+const tool = knownAikidoTools.find((tool) => tool.tool === command);
+
+if (tool && tool.internalPackageManagerName === PIP_PACKAGE_MANAGER) {
+  (async function () {
+    await executePip(tool);
+  })();
+} else if (tool) {
+  const args = process.argv.slice(3);
+
+  setEcoSystem(tool.ecoSystem);
+  initializePackageManager(tool.internalPackageManagerName);
+
+  (async () => {
+    var exitCode = await main(args);
+    process.exit(exitCode);
+  })();
+} else if (command === "help" || command === "--help" || command === "-h") {
   writeHelp();
   process.exit(0);
-}
-
-if (command === "setup") {
+} else if (command === "setup") {
   setup();
 } else if (command === "teardown") {
   teardown();
 } else if (command === "setup-ci") {
   setupCi();
 } else if (command === "--version" || command === "-v" || command === "-v") {
-  ui.writeInformation(`Current safe-chain version: ${getVersion()}`);
+  (async () => {
+    ui.writeInformation(`Current safe-chain version: ${await getVersion()}`);
+  })();
 } else {
   ui.writeError(`Unknown command: ${command}.`);
   ui.emptyLine();
@@ -87,8 +128,63 @@ function writeHelp() {
   ui.emptyLine();
 }
 
-function getVersion() {
-  const require = createRequire(import.meta.url);
-  const packageJson = require("../package.json");
-  return packageJson.version;
+async function getVersion() {
+  const packageJsonPath = path.join(dirname, "..", "package.json");
+
+  const data = await fs.promises.readFile(packageJsonPath);
+  const json = JSON.parse(data.toString("utf8"));
+
+  if (json && json.version) {
+    return json.version;
+  }
+
+  return "0.0.0";
+}
+
+/**
+ * @param {import("../src/shell-integration/helpers.js").AikidoTool} tool
+ */
+async function executePip(tool) {
+  // Scanners for pip / pip3 / python / python3 use a slightly different approach:
+  //  - They all use the same PIP_PACKAGE_MANAGER internally, but need some setup to be able to do so
+  //     - It needs to set which tool to run (pip / pip3 / python / python3)
+  //     - For python and python3, the -m pip/pip3 args are removed and later added again by the package manager
+  //  - Python / python3 skips safe-chain if not being run with -m pip or -m pip3
+
+  let args = process.argv.slice(3);
+  setEcoSystem(tool.ecoSystem);
+  initializePackageManager(PIP_PACKAGE_MANAGER);
+
+  let shouldSkip = false;
+  if (tool.tool === "pip") {
+    setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
+  } else if (tool.tool === "pip3") {
+    setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
+  } else if (tool.tool === "python") {
+    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+      setCurrentPipInvocation(
+        args[1] === "pip3" ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP
+      );
+      args = args.slice(2);
+    } else {
+      shouldSkip = true;
+    }
+  } else if (tool.tool === "python3") {
+    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+      setCurrentPipInvocation(
+        args[1] === "pip3" ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP
+      );
+      args = args.slice(2);
+    } else {
+      shouldSkip = true;
+    }
+  }
+
+  if (shouldSkip) {
+    const { spawn } = await import("child_process");
+    spawn(tool.tool, args, { stdio: "inherit" });
+  } else {
+    var exitCode = await main(args);
+    process.exit(exitCode);
+  }
 }