npm - @eurekadevsecops/radar - Versions diffs - 1.8.4 → 1.9.0 - Mend

@eurekadevsecops/radar 1.8.4 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.github/workflows/radar.yaml +3 -3
package/README.md +280 -26
package/assets/radar.png +0 -0
package/assets/radar.psd +0 -0
package/azure-pipelines.yml +27 -0
package/package.json +1 -1
package/scanners/veracode-sca/about.toml +5 -0
package/scanners/veracode-sca/run.sh +21 -0
package/veracode-sca.sarif +24 -0

package/.github/workflows/radar.yaml CHANGED Viewed

@@ -1,4 +1,4 @@
-name: Eureka Radar
+name: Radar CLI
 on:
   workflow_dispatch:
@@ -8,9 +8,9 @@ on:
       - main
 jobs:
-  radar_scan:
+  scan:
     # Radar scanner repo: https://github.com/EurekaDevSecOps/radarctl
-    name: Radar Scan
+    name: Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo

package/README.md CHANGED Viewed

@@ -1,64 +1,318 @@
-<pre>
-               _
- _ __ __ _  __| | __ _ _ __
-| '__/ _` |/ _` |/ _` | '__|
-| | | (_| | (_| | (_| | |
-|_|  \__,_|\__,_|\__,_|_|
-</pre>
+<div align="center" style="text-align:center;">
-# Introduction
+<p align="center">
+  <img src="assets/radar.png" alt="Eureka Radar Logo" width="320"/>
+</p>
-radarctl is a command-line interface for Radar, an open-source orchestrator of security scanners. Radar is part of the Eureka DevSecOps platform.
+# Radar CLI
+### One command. Complete AppSec coverage.
+<!-- ![Build](https://github.com/eurekadevsecops/radarctl/actions/workflows/test.yml/badge.svg) -->
+![Node](https://img.shields.io/badge/Node.js-22.x-blue?logo=node.js)
+![npm version](https://img.shields.io/npm/v/@eurekadevsecops/radar?color=2b82f6&label=NPM)
+![License](https://img.shields.io/github/license/eurekadevsecops/radarctl?color=green)
+</div>
+---
+## Overview
+**Radar CLI** is a command-line tool that orchestrates multiple application security scanners — for code, dependencies, containers, and secrets — in one unified package. We've put a lot of effort into making Radar CLI easy to use for developers and easy to integrate into CI/CD pipelines. Check out our accompanying [GitHub Action for Radar CLI](https://github.com/EurekaDevSecOps/scan-action).
+With Radar CLI, you can:
+- Run **SAST**, **SCA**, **container**, and **secret scanning** locally or in CI/CD pipelines.
+- Generate **unified SARIF reports** compatible with industry-standard security and vulnerability analysis tools.
+- Optionally upload results to **Eureka ASPM** for centralized tracking, deduplication, and prioritization.
+---
+Telemetry is **off by default** — nothing is uploaded unless you explicitly enable it.
+---
 ## Requirements
-- Node.js version 22.17.0 or higher
-- Docker
+- **Node.js** 22.17.0 or higher
+- **Docker** (for containerized scanners)
+---
 ## Installation
-Install the Radar CLI on the command-line using [NPM](https://npmjs.com):
+Install globally using **npm**:
 ```bash
 npm i -g @eurekadevsecops/radar
+````
+Verify the installation:
+```bash
+radar --version
 ```
+---
 ## Getting Started
-Run the Radar CLI:
+Run the CLI to view available commands:
 ```bash
 radar
 ```
-You will get a list of available commands:
-```bash
-COMMANDS
-  help      display help
-  scan      scan for vulnerabilities
-  scanners  display available scanners
+Example output:
+```
+COMMANDS
+  help      display help
+  scan      scan for vulnerabilities
+  scanners  display available scanners
 ```
-View help page for each command by using `help` on the command-line:
+You can view help for any command:
 ```bash
-radar help
+radar help scan
 ```
+---
 ## Running a Scan
-Run a scan on the source code in the current working directory:
+To scan the current working directory:
 ```bash
 radar scan
 ```
-Refer to help for the `scan` command for more information.
+You can also specify scanners to use:
 ```bash
-radar help scan
+radar scan -s opengrep,gitleaks,grype
+```
+Output a SARIF report:
+```bash
+radar scan -s opengrep,gitleaks,grype -o report.sarif
+```
+---
+## Supported Scanners
+| Category          | Scanners                                                                                          | Description                                      |
+| ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| **SAST**          | [Opengrep](https://github.com/opengrep/opengrep)                                                  | Detects insecure code patterns                   |
+| **Secrets**       | [Gitleaks](https://github.com/gitleaks/gitleaks)                                                  | Finds hardcoded credentials                      |
+| **SCA**           | [Grype](https://github.com/anchore/grype), [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan), [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/) | Detects vulnerable package dependencies          |
+| **Container**     | [Grype](https://github.com/anchore/grype)                                                         | Scans Docker, OCI, and Singularity image formats |
+All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
+Veracode SCA (formerly SourceClear) scanner requires the SRCCLR_API_TOKEN environment variable. If not present or valid, scanning with Veracode SCA will not work. Read more about it in [Veracode SCA online documentation](https://docs.veracode.com/r/Veracode_SCA_Agent_Environment_Variables#srcclr_api_token).
+---
+### More on the `radar scan` command
+```bash
+USAGE
+  radar scan [OPTIONS] [TARGET]
+```
+Scans your source code and dependencies for vulnerabilities.
+If no target is specified, the current working directory is scanned.
+**OPTIONS**
+| Option             | Description                                                                                         |
+| ------------------ | --------------------------------------------------------------------------------------------------- |
+| `-c, --categories` | List of scanner categories (e.g. `sast`, `sca`, `secrets`).                                         |
+| `-s, --scanners`   | Comma-separated list of scanners to run. Use `radar scanners` to list available ones.               |
+| `-o, --output`     | Output findings into a SARIF file.                                                                  |
+| `-d, --debug`      | Log detailed debug info to stdout.                                                                  |
+| `-q, --quiet`      | Suppress stdout logging (except errors).                                                            |
+| `-f, --format`     | Output format for severity display: `security` (high/moderate/low) or `sarif` (error/warning/note). |
+| `-e, --escalate`   | Treat specified lower severities as high (e.g. `--escalate=moderate,low`).                          |
+**PARAMETERS**
+| Parameter | Description                                             |
+| --------- | ------------------------------------------------------- |
+| `TARGET`  | (Optional) Path to scan. Defaults to current directory. |
+#### Category and Scanner Selection
+* `--categories` lets you run all scanners in one or more categories.
+  Example: `--categories=sca,sast`
+* `--scanners` lets you choose specific scanners by name.
+  Example: `--scanners=opengrep,depscan`
+* Both can be combined — Radar CLI will run scanners that match *both* filters.
+#### Severity Formats
+| Format     | Example Severities     |
+| ---------- | ---------------------- |
+| `security` | high / moderate / low  |
+| `sarif`    | error / warning / note |
+You can also **escalate severities**:
+```bash
+# Treat moderates and lows as highs
+radar scan -e moderate,low
+```
+Or:
+```bash
+# Treat warnings and notes as errors
+radar scan -f sarif -e warning,note
 ```
-## Contributing guide
+#### Exit Codes
+An exit code of `0` means the scan passed with no issues. Any other code means the scan failed — either due to new vulnerabilities found or an error during the scanning process.
+| Code    | Meaning                                 |
+| ------- | --------------------------------------- |
+| `0`     | Clean and successful scan.              |
+| `1`     | Invalid command, arguments, or options. |
+| `8–15`  | New vulnerabilities found.              |
+| `>=16`  | Aborted due to unexpected error.        |
+#### Examples
+Scan current directory:
+```bash
+radar scan
+```
+Scan a specific path:
+```bash
+radar scan /my/repo/dir
+```
+Save findings into a SARIF file:
+```bash
+radar scan -o report.sarif
+```
+Run only dependency and code scanners:
+```bash
+radar scan -c sca,sast
+```
+Run specific scanners:
+```bash
+radar scan -s depscan,opengrep
+```
+Enable debug logs:
+```bash
+radar scan --debug
+```
+Quiet mode (errors only):
+```bash
+radar scan --quiet
+```
+Display findings in SARIF-style severities:
+```bash
+radar scan -f sarif
+```
+Treat moderates and lows as highs:
+```bash
+radar scan -e moderate,low
+```
+---
+## Example Workflows
+### Local Scan (no uploads)
+Runs entirely on your machine — by default, Radar CLI doesn’t upload any findings. Your vulnerabilities stay local and private.
+```bash
+radar scan -s opengrep,gitleaks,grype -o report.sarif
+```
+### Upload Findings to Eureka ASPM
+See all findings in one place with deduplication, trend tracking, and risk prioritization. To upload results to **Eureka ASPM**, provide your API credentials via two environment variables: `EUREKA_AGENT_TOKEN` (your API token) and `EUREKA_PROFILE` (your profile ID). When these are set, Radar CLI automatically uploads results after each scan — letting you view your full scan history and all findings in the **Eureka ASPM Dashboard**.
+```bash
+export EUREKA_AGENT_TOKEN=<your token>
+export EUREKA_PROFILE=<your profile ID>
+radar scan -s opengrep,gitleaks,grype
+```
+---
+## Why Upload Findings to Eureka ASPM?
+**Eureka ASPM** extends Radar CLI with powerful visibility and collaboration features:
+* **Single Source of Truth:** Aggregate findings from all scanners and repos in one place.
+* **Less Noise, More Signal:** Automatically de-duplicate findings and prioritize risks contextually.
+* **Faster Fixes:** See ownership, severity, and remediation guidance for each issue.
+* **Track Progress:** View how your project’s security posture improves over time.
+* **Free for Open Source:** Open source projects get full access at no cost.
+**Sign up for a free account at [eurekadevsecops.com](https://eurekadevsecops.com)**
+---
+## Telemetry & Privacy
+Telemetry is **off by default**.
+Radar does **not** send any data externally unless you explicitly provide:
+* `EUREKA_AGENT_TOKEN`
+* `EUREKA_PROFILE`
+When provided:
+* Findings are securely uploaded to **Eureka ASPM**
+* You gain **dashboards, trend analysis, and contextual prioritization**
+When omitted:
+* Scans remain **fully local**
+---
+## 🧰 Troubleshooting
+| Issue                                         | Cause                               | Solution                                                  |
+| --------------------------------------------- | ----------------------------------- | --------------------------------------------------------- |
+| ❌ `report.sarif` not found                   | Scan failed or invalid scanner list | Check scanner names and ensure Docker is running          |
+| ⚠️ No findings uploaded                       | Missing or invalid token/profile    | Set `EUREKA_AGENT_TOKEN` and `EUREKA_PROFILE`             |
+| 🧱 `radar: command not found`                 | CLI not installed globally          | Run `npm i -g @eurekadevsecops/radar` again               |
+---
+## Contributing
+Contributions are welcome!
+See our [CONTRIBUTING.md](./CONTRIBUTING.md) for setup and development guidelines.
+---
+## License
+Radar CLI is licensed under the terms of the **GPL v3 License** — © Eureka DevSecOps Inc.
+---
+## Support
-See [CONTRIBUTING.md](./CONTRIBUTING.md)
+* Issues & feature requests: [GitHub Issues](https://github.com/eurekadevsecops/radarctl/issues)
+* Security: [security@eurekadevsecops.com](mailto:security@eurekadevsecops.com)

package/assets/radar.png ADDED Viewed

Binary file

package/assets/radar.psd ADDED Viewed

Binary file

package/azure-pipelines.yml ADDED Viewed

@@ -0,0 +1,27 @@
+# Run Radar CLI scan via Azure Pipelines
+trigger:
+- main
+pool:
+  vmImage: ubuntu-latest
+steps:
+- task: NodeTool@0
+  inputs:
+    versionSpec: '22.x'
+  displayName: 'Install Node.js'
+- script: npm i -g @eurekadevsecops/radar
+  displayName: Install Radar CLI
+- script: radar && radar scanners
+  displayName: Verify Radar install
+- script: radar scan -s gitleaks,grype,opengrep,veracode-sca
+  displayName: Run Radar scan
+  env:
+    EUREKA_AGENT_TOKEN: $(EUREKA_AGENT_TOKEN)
+    SRCCLR_API_TOKEN: $(SRCCLR_API_TOKEN)
+    VERACODE_API_KEY_ID: $(VERACODE_API_KEY_ID)
+    VERACODE_API_KEY_SECRET: $(VERACODE_API_KEY_SECRET)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.8.4",
+  "version": "1.9.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/veracode-sca/about.toml ADDED Viewed

@@ -0,0 +1,5 @@
+name = "veracode-sca"
+title = "Veracode SCA"
+description = "Finds known vulnerabilities in dependencies. Requires SRCCLR_API_TOKEN."
+categories = [ "SCA" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/veracode-sca/run.sh ADDED Viewed

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+# Parameters:
+# $1 - Path to the source code folder that should be scanned
+# $2 - Path to the assets folder
+# $3 - Path to the output folder where scan results should be stored
+###
+# Expand relative paths
+APP_DIR=$(cd $1; pwd)
+CFG_DIR=$(cd $2; pwd)
+OUT_DIR=$(cd $3; pwd)
+docker run --rm \
+    -v "${APP_DIR}":/home/luser/app \
+    -v "${CFG_DIR}":/tmp/radar-input \
+    -v "${OUT_DIR}":/tmp/radar-output \
+    -e SRCCLR_API_TOKEN=${SRCCLR_API_TOKEN} \
+    ghcr.io/eurekadevsecops/radar-veracode-sca 2>&1

package/veracode-sca.sarif ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "veracode-sca",
+          "properties": {
+            "officialName": "Veracode SCA (Eureka json2sarif Converter)"
+          },
+          "rules": []
+        }
+      },
+      "results": [],
+      "properties": {
+        "repository": {
+          "type": "git",
+          "url": "https://github.com/EurekaDevSecOps/app.git"
+        }
+      }
+    }
+  ]
+}