@lateos/npm-scan 0.11.1 → 0.11.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -6
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -43,6 +43,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
|
|
|
43
43
|
| Transitive worm propagation (ATK-011) | ❌ | ❌ | ❌ | ✅ |
|
|
44
44
|
| Attack taxonomy (ATK series) | ❌ | ❌ | ❌ | ✅ |
|
|
45
45
|
| SBOM output (CycloneDX + SPDX) | ❌ | ✅ | ❌ | ✅ |
|
|
46
|
+
| SARIF v2.1 (GitHub Code Scanning) | ❌ | ❌ | ❌ | ✅ |
|
|
46
47
|
| NIST 800-161 compliance reporting | ❌ | ❌ | ❌ | ✅ |
|
|
47
48
|
| EU CRA compliance reporting | ❌ | ❌ | ❌ | ✅ |
|
|
48
49
|
| SIEM export (CEF / ECS / Sentinel / QRadar) | ❌ | ❌ | ❌ | ✅ |
|
|
@@ -61,6 +62,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
|
|
|
61
62
|
| 🧠 | **Behavioral detection** | Identifies conditional triggers (time-based, CI-aware), sandbox evasion, and dormant activation patterns |
|
|
62
63
|
| 🧬 | **ATK attack taxonomy** | 11 classified attack types with NIST 800-161 mappings — versioned, documented, and PR-able |
|
|
63
64
|
| 📦 | **SBOM generation** | CycloneDX 1.5 and SPDX 2.3 with findings embedded as vulnerabilities |
|
|
65
|
+
| 🔍 | **SARIF output** | GitHub Advanced Security / CodeQL compatible SARIF v2.1 — shows findings directly in Security tab |
|
|
64
66
|
| 🧾 | **Compliance reporting** | NIST SP 800-161 traceability matrix + EU Cyber Resilience Act mapping (free tier) |
|
|
65
67
|
| 🔌 | **SIEM export** | Splunk CEF, Elastic ECS, Microsoft Sentinel, IBM QRadar formats (premium) |
|
|
66
68
|
| 📜 | **Policy-as-code** | YAML/JSON policy engine with allowlists, severity overrides, suppressions, and fail-on thresholds |
|
|
@@ -389,7 +391,7 @@ jobs:
|
|
|
389
391
|
|
|
390
392
|
### GitHub Action (for downstream users)
|
|
391
393
|
|
|
392
|
-
Scan your project's `package-lock.json` on every PR — detects typosquats, obfuscated payloads, credential harvesters, and worm propagation before they reach production
|
|
394
|
+
Scan your project's `package-lock.json` on every PR — detects typosquats, obfuscated payloads, credential harvesters, and worm propagation before they reach production. **SARIF output shows findings directly in GitHub's Security tab (Code Scanning).**
|
|
393
395
|
|
|
394
396
|
```yaml
|
|
395
397
|
# .github/workflows/scan.yml
|
|
@@ -404,14 +406,15 @@ jobs:
|
|
|
404
406
|
runs-on: ubuntu-latest
|
|
405
407
|
steps:
|
|
406
408
|
- uses: actions/checkout@v4
|
|
407
|
-
- uses:
|
|
408
|
-
with:
|
|
409
|
-
node-version: 20
|
|
410
|
-
- name: Scan lockfile
|
|
411
|
-
uses: lateos/npm-scan@main
|
|
409
|
+
- uses: lateos/npm-scan@v1
|
|
412
410
|
with:
|
|
413
411
|
scan-type: lockfile
|
|
412
|
+
sarif: results.sarif
|
|
414
413
|
fail-on: high
|
|
414
|
+
- name: Upload SARIF to Security tab
|
|
415
|
+
uses: github/codeql-action/upload-sarif@v3
|
|
416
|
+
with:
|
|
417
|
+
sarif_file: results.sarif
|
|
415
418
|
```
|
|
416
419
|
|
|
417
420
|
#### Action inputs
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@lateos/npm-scan",
|
|
3
|
-
"version": "0.11.
|
|
3
|
+
"version": "0.11.2",
|
|
4
4
|
"description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
|
|
5
5
|
"main": "backend/index.js",
|
|
6
6
|
"bin": {
|