@hungpg/skill-audit 0.1.0 → 0.1.1

package/README.md

@@ -13,37 +13,38 @@ Security auditing CLI for AI agent skills.
 ## Installation
 
 ```bash
-cd skill-audit
-npm install
-npm run build
+npm install -g @hungpg/skill-audit
 ```
 
 ## Usage
 
 ```bash
 # Audit global skills
-npx skill-audit -g
+skill-audit -g
 
 # Audit with verbose output
-npx skill-audit -v
+skill-audit -v
 
 # JSON output for CI
-npx skill-audit --json > audit-results.json
+skill-audit --json > audit-results.json
 
 # Fail if risk score exceeds threshold
-npx skill-audit --threshold 5.0
+skill-audit --threshold 5.0
 
 # Skip dependency scanning (faster)
-npx skill-audit --no-deps
+skill-audit --no-deps
 
 # Filter by agent
-npx skill-audit -a "Claude Code" "Qwen Code"
+skill-audit -a "Claude Code" "Qwen Code"
 
 # Project-level skills only
-npx skill-audit --project
+skill-audit --project
 
 # Lint mode (spec validation only)
-npx skill-audit --mode lint
+skill-audit --mode lint
+
+# Update vulnerability DB manually
+skill-audit --update-db
 ```
 
 ## Options
@@ -115,7 +116,7 @@ Feeds are cached locally with automatic freshness checks:
 
 **False positives**: Review finding at file:line, add inline comment explaining legitimate use
 
-**Stale DB warning**: Run `npx skill-audit --update-db` to refresh KEV/EPSS/OSV feeds
+**Stale DB warning**: Run `skill-audit --update-db` to refresh KEV/EPSS/OSV feeds
 
 **Skill not found**: Verify `SKILL.md` exists in root or `skills/` directory
 

package/dist/intel.js

@@ -228,28 +228,98 @@ export async function queryOSV(ecosystem, packageName) {
     }
 }
 /**
- * Query GHSA via GitHub API
+ * Query GHSA via GitHub GraphQL API
+ *
+ * Note: GHSA integration requires GitHub API authentication.
+ * For now, OSV provides comprehensive coverage for most ecosystems.
+ *
+ * To implement GHSA:
+ * 1. Get GitHub token: https://github.com/settings/tokens
+ * 2. Set GITHUB_TOKEN environment variable
+ * 3. Use GraphQL API with SecurityAdvisory query
+ *
+ * Example:
+ * ```
+ * const token = process.env.GITHUB_TOKEN;
+ * const response = await fetch('https://api.github.com/graphql', {
+ *   method: 'POST',
+ *   headers: {
+ *     'Authorization': `Bearer ${token}`,
+ *     'Content-Type': 'application/json'
+ *   },
+ *   body: JSON.stringify({
+ *     query: `query {
+ *       securityVulnerabilities(first: 100, ecosystem: NPM, package: "packageName") {
+ *         nodes {
+ *           advisory { ghsaId, summary, severity }
+ *         }
+ *       }
+ *     }`
+ *   })
+ * });
+ * ```
  */
 export async function queryGHSA(ecosystem, packageName) {
-    // GHSA API requires authentication for higher rate limits
-    // This is a placeholder - in production, use a GitHub token
-    try {
-        const ghsaEcosystemMap = {
-            'npm': 'npm',
-            'pypi': 'PyPI',
-            'go': 'Go',
-            'cargo': 'Cargo',
-            'rubygems': 'RubyGems',
-            'maven': 'Maven',
-            'nuget': 'NuGet'
-        };
-        const ghsaQuery = encodeURIComponent(`${packageName} repo:github/advisory-database`);
-        // Note: This is a simplified approach - production would use GraphQL API
-        console.log(`GHSA query: ${ecosystem}/${packageName} (API token recommended for production)`);
+    const token = process.env.GITHUB_TOKEN;
+    if (!token) {
+        // GHSA requires authentication - skip silently
+        // OSV provides comprehensive coverage as fallback
         return [];
     }
+    try {
+        const response = await fetchWithRetry('https://api.github.com/graphql', FETCH_TIMEOUT_MS, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'Content-Type': 'application/json',
+                'User-Agent': 'skill-audit/0.1.0 (Vulnerability Intelligence Scanner)'
+            },
+            body: JSON.stringify({
+                query: `
+          query GetAdvisories($ecosystem: SecurityAdvisoryEcosystem!, $package: String!) {
+            securityVulnerabilities(first: 100, ecosystem: $ecosystem, package: $package) {
+              nodes {
+                advisory {
+                  ghsaId
+                  summary
+                  severity
+                  publishedAt
+                  identifiers { type, value }
+                }
+                severity
+                vulnerableVersionRange
+              }
+            }
+          }
+        `,
+                variables: {
+                    ecosystem: ecosystem.toUpperCase(),
+                    package: packageName
+                }
+            })
+        });
+        if (!response.ok) {
+            console.error(`GHSA API error: ${response.status}`);
+            return [];
+        }
+        const data = await response.json();
+        if (!data.data?.securityVulnerabilities?.nodes) {
+            return [];
+        }
+        return data.data.securityVulnerabilities.nodes.map(node => ({
+            id: node.advisory?.ghsaId || `GHSA-unknown`,
+            aliases: node.advisory?.identifiers?.map(i => i.value) || [],
+            source: "GHSA",
+            ecosystem,
+            packageName,
+            severity: node.advisory?.severity || node.severity,
+            published: node.advisory?.publishedAt,
+            summary: node.advisory?.summary,
+            references: []
+        }));
+    }
     catch (error) {
-        console.error(`GHSA query failed:`, error);
+        console.error(`GHSA query failed for ${ecosystem}/${packageName}:`, error);
         return [];
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hungpg/skill-audit",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Security auditing CLI for AI agent skills",
   "type": "module",
   "bin": {