npm - @eurekadevsecops/radar - Versions diffs - 1.9.0 → 1.9.1 - Mend

@eurekadevsecops/radar 1.9.0 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -103,15 +103,25 @@ radar scan -s opengrep,gitleaks,grype -o report.sarif
 ## Supported Scanners
-| Category          | Scanners                                                                                          | Description                                      |
-| ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| **SAST**          | [Opengrep](https://github.com/opengrep/opengrep)                                                  | Detects insecure code patterns                   |
-| **Secrets**       | [Gitleaks](https://github.com/gitleaks/gitleaks)                                                  | Finds hardcoded credentials                      |
-| **SCA**           | [Grype](https://github.com/anchore/grype), [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan), [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/) | Detects vulnerable package dependencies          |
-| **Container**     | [Grype](https://github.com/anchore/grype)                                                         | Scans Docker, OCI, and Singularity image formats |
 All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
+| By Scanner                                                                        | Categories             | Description |
+| --------------------------------------------------------------------------------- | ---------------------- | ----------- |
+| [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan)                            | **SCA**                | OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization. |
+| [Gitleaks](https://github.com/gitleaks/gitleaks)                                  | **Secrets**            | Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens. |
+| [Grype](https://github.com/anchore/grype)                                         | **SCA**, **Container** | Scans the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for language-specific packages and major operating system packages. Supports Docker, OCI and Singularity image formats. |
+| [Opengrep](https://github.com/opengrep/opengrep)                                  | **SAST**               | Opengrep is an ultra-fast static code analysis engine to find security issues in code. Opengrep supports 30+ languages. |
+| [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/)  | **SCA**                | Effectively identify open-source risks with unmatched precision, ensuring secure and compliant code. Leverages a proprietary database to accurately and promptly detect new vulnerabilities. |
+Scanners grouped by category:
+| By Category       | Description                                      | Scanners                                                                                          |
+| ----------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------- |
+| **SAST**          | Detects insecure code patterns                   | [Opengrep](https://github.com/opengrep/opengrep)                                                  |
+| **Secrets**       | Finds hardcoded credentials                      | [Gitleaks](https://github.com/gitleaks/gitleaks)                                                  |
+| **SCA**           | Detects vulnerable package dependencies          | [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/), [Grype](https://github.com/anchore/grype), [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan) |
+| **Container**     | Scans Docker, OCI, and Singularity image formats | [Grype](https://github.com/anchore/grype)                                                         |
 Veracode SCA (formerly SourceClear) scanner requires the SRCCLR_API_TOKEN environment variable. If not present or valid, scanning with Veracode SCA will not work. Read more about it in [Veracode SCA online documentation](https://docs.veracode.com/r/Veracode_SCA_Agent_Environment_Variables#srcclr_api_token).
 ---
@@ -137,6 +147,7 @@ If no target is specified, the current working directory is scanned.
 | `-q, --quiet`      | Suppress stdout logging (except errors).                                                            |
 | `-f, --format`     | Output format for severity display: `security` (high/moderate/low) or `sarif` (error/warning/note). |
 | `-e, --escalate`   | Treat specified lower severities as high (e.g. `--escalate=moderate,low`).                          |
+| `-l, --local`      | Run a local scan (don't upload scan findings to Eureka).                                            |
 **PARAMETERS**
@@ -254,6 +265,8 @@ export EUREKA_PROFILE=<your profile ID>
 radar scan -s opengrep,gitleaks,grype
 ```
+NOTE: To prevent Radar CLI from uploading scan findings even when you have `EUREKA_AGENT_TOKEN` and `EUREKA_PROFILE` set, you can pass the `-l/--local` option on the command line.
 ---
 ## Why Upload Findings to Eureka ASPM?

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.9.0",
+  "version": "1.9.1",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/src/commands/scan.js CHANGED Viewed

@@ -20,6 +20,7 @@ module.exports = {
     { name: 'DEBUG', short: 'd', long: 'debug', type: 'boolean', description: 'log detailed debug info to stdout' },
     { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
     { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
+    { name: 'LOCAL', short: 'l', long: 'local', type: 'boolean', description: 'local scan (no upload of findings to Eureka)' },
     { name: 'OUTPUT', short: 'o', long: 'output', type: 'string', description: 'output SARIF file' },
     { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' },
     { name: 'SCANNERS', short: 's', long: 'scanners', type: 'string', description: 'list of scanners to use' }
@@ -60,6 +61,15 @@ module.exports = {
     'security' severity format. Findings can also be displayed as errors, warnings,
     and notes. This is the 'sarif' severity format.
+    Runs entirely on your machine — by default, Radar CLI doesn’t upload any findings.
+    Your vulnerabilities stay local and private. To upload results to Eureka ASPM,
+    provide your API credentials via two environment variables: 'EUREKA_AGENT_TOKEN'
+    (your API token) and 'EUREKA_PROFILE' (your profile ID). When these are set, Radar CLI
+    automatically uploads results after each scan — letting you view your full scan
+    history and all findings in the Eureka ASPM Dashboard. To prevent Radar CLI from
+    uploading scan findings even when you have 'EUREKA_AGENT_TOKEN' and 'EUREKA_PROFILE'
+    set, you can pass the LOCAL option on the command line.
     Exit codes:
          0 - Clean and successful scan. No errors, warnings, or notes.
          1 - Bad command, arguments, or options. Scan not completed.
@@ -76,6 +86,7 @@ module.exports = {
   examples: [
     '$ radar scan ' + '(scan current working directory)'.grey,
     '$ radar scan . ' + '(scan current working directory)'.grey,
+    '$ radar scan --local ' + '(run a local scan / no uploads to Eureka)'.grey,
     '$ radar scan -d' + '(turn debug mode on)'.grey,
     '$ radar scan --debug' + '(turn debug mode on)'.grey,
     '$ radar scan /my/repo/dir ' + '(scan target directory)'.grey,
@@ -144,9 +155,13 @@ module.exports = {
     if (!categories.length) throw new Error(`CATEGORIES must be one or more of '${availableCategories.join("', '")}', or 'all'`)
     if (!scanners.length) throw new Error('No available scanners selected.')
+    if (!telemetry.enabled || args.LOCAL) {
+      log(`INFO: Running a local scan.\n`)
+    }
     // Send telemetry: scan started.
     let scanID = undefined
-    if (telemetry.enabled) {
+    if (telemetry.enabled && !args.LOCAL) {
       // TODO: Should pass scanID to the server; not read it from the server.
       try {
         const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name) })
@@ -169,7 +184,7 @@ module.exports = {
     // Send telemetry: git metadata.
     const metadata = git.metadata(target)
     if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       let res = await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
       if (!res.ok) log(`WARNING: Scan metadata (stage 1) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
       res = await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
@@ -186,7 +201,7 @@ module.exports = {
     catch (error) {
       log(`\n${error}`)
       if (!args.QUIET) log('Scan NOT completed!')
-      if (telemetry.enabled) {
+      if (telemetry.enabled && !args.LOCAL) {
         const res = await telemetry.send(`scans/:scanID/failed`, { scanID })
         if (!res.ok) log(`WARNING: Scan status (not completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
       }
@@ -202,14 +217,14 @@ module.exports = {
     if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif, null, 2))
     // Send telemetry: scan results.
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const res = await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
       if (!res.ok) log(`WARNING: Scan results telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
     // Analyze scan results: group findings by severity level.
     let summary
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
       if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
       summary = analysis.findingsBySeverity
@@ -218,7 +233,7 @@ module.exports = {
     }
     // Send telemetry: scan summary.
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const res = await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
       if (!res.ok) log(`WARNING: Scan status (completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
@@ -228,7 +243,7 @@ module.exports = {
       log()
       SARIF.visualizations.display_findings(summary, args.FORMAT, log)
       if (outfile) log(`Findings exported to ${outfile}`)
-      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID)
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID && !args.LOCAL)
     }
     // Determine the correct exit code.

package/veracode-sca.sarif DELETED Viewed

@@ -1,24 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "veracode-sca",
-          "properties": {
-            "officialName": "Veracode SCA (Eureka json2sarif Converter)"
-          },
-          "rules": []
-        }
-      },
-      "results": [],
-      "properties": {
-        "repository": {
-          "type": "git",
-          "url": "https://github.com/EurekaDevSecOps/app.git"
-        }
-      }
-    }
-  ]
-}