@eurekadevsecops/radar 1.9.0 → 1.9.2

package/README.md

@@ -103,15 +103,25 @@ radar scan -s opengrep,gitleaks,grype -o report.sarif
 
 ## Supported Scanners
 
-| Category          | Scanners                                                                                          | Description                                      |
-| ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| **SAST**          | [Opengrep](https://github.com/opengrep/opengrep)                                                  | Detects insecure code patterns                   |
-| **Secrets**       | [Gitleaks](https://github.com/gitleaks/gitleaks)                                                  | Finds hardcoded credentials                      |
-| **SCA**           | [Grype](https://github.com/anchore/grype), [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan), [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/) | Detects vulnerable package dependencies          |
-| **Container**     | [Grype](https://github.com/anchore/grype)                                                         | Scans Docker, OCI, and Singularity image formats |
-
 All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
 
+| By Scanner                                                                        | Categories             | Description |
+| --------------------------------------------------------------------------------- | ---------------------- | ----------- |
+| [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan)                            | **SCA**                | OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization. |
+| [Gitleaks](https://github.com/gitleaks/gitleaks)                                  | **Secrets**            | Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens. |
+| [Grype](https://github.com/anchore/grype)                                         | **SCA**, **Container** | Scans the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for language-specific packages and major operating system packages. Supports Docker, OCI and Singularity image formats. |
+| [Opengrep](https://github.com/opengrep/opengrep)                                  | **SAST**               | Opengrep is an ultra-fast static code analysis engine to find security issues in code. Opengrep supports 30+ languages. |
+| [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/)  | **SCA**                | Effectively identify open-source risks with unmatched precision, ensuring secure and compliant code. Leverages a proprietary database to accurately and promptly detect new vulnerabilities. |
+
+Scanners grouped by category:
+
+| By Category       | Description                                      | Scanners                                                                                          |
+| ----------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------- |
+| **SAST**          | Detects insecure code patterns                   | [Opengrep](https://github.com/opengrep/opengrep)                                                  |
+| **Secrets**       | Finds hardcoded credentials                      | [Gitleaks](https://github.com/gitleaks/gitleaks)                                                  |
+| **SCA**           | Detects vulnerable package dependencies          | [Veracode SCA](https://www.veracode.com/products/software-composition-analysis/), [Grype](https://github.com/anchore/grype), [Dep-Scan](https://github.com/owasp-dep-scan/dep-scan) |
+| **Container**     | Scans Docker, OCI, and Singularity image formats | [Grype](https://github.com/anchore/grype)                                                         |
+
 Veracode SCA (formerly SourceClear) scanner requires the SRCCLR_API_TOKEN environment variable. If not present or valid, scanning with Veracode SCA will not work. Read more about it in [Veracode SCA online documentation](https://docs.veracode.com/r/Veracode_SCA_Agent_Environment_Variables#srcclr_api_token).
 
 ---
@@ -137,6 +147,7 @@ If no target is specified, the current working directory is scanned.
 | `-q, --quiet`      | Suppress stdout logging (except errors).                                                            |
 | `-f, --format`     | Output format for severity display: `security` (high/moderate/low) or `sarif` (error/warning/note). |
 | `-e, --escalate`   | Treat specified lower severities as high (e.g. `--escalate=moderate,low`).                          |
+| `-l, --local`      | Run a local scan (don't upload scan findings to Eureka).                                            |
 
 **PARAMETERS**
 
@@ -254,6 +265,8 @@ export EUREKA_PROFILE=<your profile ID>
 radar scan -s opengrep,gitleaks,grype
 ```
 
+NOTE: To prevent Radar CLI from uploading scan findings even when you have `EUREKA_AGENT_TOKEN` and `EUREKA_PROFILE` set, you can pass the `-l/--local` option on the command line.
+
 ---
 
 ## Why Upload Findings to Eureka ASPM?

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/src/commands/scan.js

@@ -20,6 +20,7 @@ module.exports = {
     { name: 'DEBUG', short: 'd', long: 'debug', type: 'boolean', description: 'log detailed debug info to stdout' },
     { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
     { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
+    { name: 'LOCAL', short: 'l', long: 'local', type: 'boolean', description: 'local scan (no upload of findings to Eureka)' },
     { name: 'OUTPUT', short: 'o', long: 'output', type: 'string', description: 'output SARIF file' },
     { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' },
     { name: 'SCANNERS', short: 's', long: 'scanners', type: 'string', description: 'list of scanners to use' }
@@ -60,6 +61,15 @@ module.exports = {
     'security' severity format. Findings can also be displayed as errors, warnings,
     and notes. This is the 'sarif' severity format.
 
+    Runs entirely on your machine — by default, Radar CLI doesn’t upload any findings.
+    Your vulnerabilities stay local and private. To upload results to Eureka ASPM,
+    provide your API credentials via two environment variables: 'EUREKA_AGENT_TOKEN'
+    (your API token) and 'EUREKA_PROFILE' (your profile ID). When these are set, Radar CLI
+    automatically uploads results after each scan — letting you view your full scan 
+    history and all findings in the Eureka ASPM Dashboard. To prevent Radar CLI from
+    uploading scan findings even when you have 'EUREKA_AGENT_TOKEN' and 'EUREKA_PROFILE'
+    set, you can pass the LOCAL option on the command line.
+
     Exit codes:
          0 - Clean and successful scan. No errors, warnings, or notes.
          1 - Bad command, arguments, or options. Scan not completed.
@@ -76,6 +86,7 @@ module.exports = {
   examples: [
     '$ radar scan ' + '(scan current working directory)'.grey,
     '$ radar scan . ' + '(scan current working directory)'.grey,
+    '$ radar scan --local ' + '(run a local scan / no uploads to Eureka)'.grey,
     '$ radar scan -d' + '(turn debug mode on)'.grey,
     '$ radar scan --debug' + '(turn debug mode on)'.grey,
     '$ radar scan /my/repo/dir ' + '(scan target directory)'.grey,
@@ -144,9 +155,13 @@ module.exports = {
     if (!categories.length) throw new Error(`CATEGORIES must be one or more of '${availableCategories.join("', '")}', or 'all'`)
     if (!scanners.length) throw new Error('No available scanners selected.')
 
+    if (!telemetry.enabled || args.LOCAL) {
+      log(`INFO: Running a local scan.\n`)
+    }
+
     // Send telemetry: scan started.
     let scanID = undefined
-    if (telemetry.enabled) {
+    if (telemetry.enabled && !args.LOCAL) {
       // TODO: Should pass scanID to the server; not read it from the server.
       try {
         const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name) })
@@ -169,7 +184,7 @@ module.exports = {
     // Send telemetry: git metadata.
     const metadata = git.metadata(target)
     if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       let res = await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
       if (!res.ok) log(`WARNING: Scan metadata (stage 1) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
       res = await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
@@ -186,7 +201,7 @@ module.exports = {
     catch (error) {
       log(`\n${error}`)
       if (!args.QUIET) log('Scan NOT completed!')
-      if (telemetry.enabled) {
+      if (telemetry.enabled && scanID && !args.LOCAL) {
         const res = await telemetry.send(`scans/:scanID/failed`, { scanID })
         if (!res.ok) log(`WARNING: Scan status (not completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
       }
@@ -202,14 +217,14 @@ module.exports = {
     if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif, null, 2))
 
     // Send telemetry: scan results.
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const res = await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
       if (!res.ok) log(`WARNING: Scan results telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 
     // Analyze scan results: group findings by severity level.
     let summary
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
       if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
       summary = analysis.findingsBySeverity
@@ -218,7 +233,7 @@ module.exports = {
     }
 
     // Send telemetry: scan summary.
-    if (telemetry.enabled && scanID) {
+    if (telemetry.enabled && scanID && !args.LOCAL) {
       const res = await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
       if (!res.ok) log(`WARNING: Scan status (completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
@@ -228,7 +243,7 @@ module.exports = {
       log()
       SARIF.visualizations.display_findings(summary, args.FORMAT, log)
       if (outfile) log(`Findings exported to ${outfile}`)
-      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID)
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID && !args.LOCAL)
     }
 
     // Determine the correct exit code.

package/veracode-sca.sarif

@@ -1,24 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "veracode-sca",
-          "properties": {
-            "officialName": "Veracode SCA (Eureka json2sarif Converter)"
-          },
-          "rules": []
-        }
-      },
-      "results": [],
-      "properties": {
-        "repository": {
-          "type": "git",
-          "url": "https://github.com/EurekaDevSecOps/app.git"
-        }
-      }
-    }
-  ]
-}