@lateos/npm-scan 0.11.1 → 0.11.3

package/README.de.md

@@ -109,9 +109,9 @@ Kein Node.js. Kein `npm install`. Keine globalen Pakete. Funktioniert auf jedem
 
 ---
 
-## 🛡️ Behörden- & SOC 2 L2-bereit
+## 🛡️ Behörden- & SOC 2-bereit
 
-| Funktion | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+| Funktion | SOC 2-Kontrollen | NIST 800-161 | STIG/FedRAMP-Ausrichtung |
 |----------|-------|--------------|--------------|
 | Audit-Protokolle (--audit-log) | CC6.8 | AU-2 | ✓ |
 | FIPS-Krypto (--fips) | CC6.1 | SC-13 | ✓ |

package/README.fr.md

@@ -109,9 +109,9 @@ Pas de Node.js. Pas de `npm install`. Pas de paquets globaux. Fonctionne sur tou
 
 ---
 
-## 🛡️ Prêt pour le Gouvernement et SOC 2 L2
+## 🛡️ Prêt pour le Gouvernement et SOC 2
 
-| Fonctionnalité | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+| Fonctionnalité | Contrôles SOC 2 | NIST 800-161 | Alignement STIG/FedRAMP |
 |----------------|-------|--------------|--------------|
 | Journaux d'audit (--audit-log) | CC6.8 | AU-2 | ✓ |
 | Crypto FIPS (--fips) | CC6.1 | SC-13 | ✓ |

package/README.ja.md

@@ -109,9 +109,9 @@ Node.js不要。`npm install`不要。グローバルパッケージ不要。Doc
 
 ---
 
-## 🛡️ 政府機関・SOC 2 L2 対応
+## 🛡️ 政府機関・SOC 2 対応
 
-| 機能 | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+| 機能 | SOC 2 コントロール | NIST 800-161 | STIG/FedRAMP アライメント |
 |------|-------|--------------|--------------|
 | 監査ログ (--audit-log) | CC6.8 | AU-2 | ✓ |
 | FIPS暗号化 (--fips) | CC6.1 | SC-13 | ✓ |

package/README.md

@@ -43,6 +43,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | Transitive worm propagation (ATK-011) | ❌ | ❌ | ❌ | ✅ |
 | Attack taxonomy (ATK series) | ❌ | ❌ | ❌ | ✅ |
 | SBOM output (CycloneDX + SPDX) | ❌ | ✅ | ❌ | ✅ |
+| SARIF v2.1 (GitHub Code Scanning) | ❌ | ❌ | ❌ | ✅ |
 | NIST 800-161 compliance reporting | ❌ | ❌ | ❌ | ✅ |
 | EU CRA compliance reporting | ❌ | ❌ | ❌ | ✅ |
 | SIEM export (CEF / ECS / Sentinel / QRadar) | ❌ | ❌ | ❌ | ✅ |
@@ -61,6 +62,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | 🧠 | **Behavioral detection** | Identifies conditional triggers (time-based, CI-aware), sandbox evasion, and dormant activation patterns |
 | 🧬 | **ATK attack taxonomy** | 11 classified attack types with NIST 800-161 mappings — versioned, documented, and PR-able |
 | 📦 | **SBOM generation** | CycloneDX 1.5 and SPDX 2.3 with findings embedded as vulnerabilities |
+| 🔍 | **SARIF output** | GitHub Advanced Security / CodeQL compatible SARIF v2.1 — shows findings directly in Security tab |
 | 🧾 | **Compliance reporting** | NIST SP 800-161 traceability matrix + EU Cyber Resilience Act mapping (free tier) |
 | 🔌 | **SIEM export** | Splunk CEF, Elastic ECS, Microsoft Sentinel, IBM QRadar formats (premium) |
 | 📜 | **Policy-as-code** | YAML/JSON policy engine with allowlists, severity overrides, suppressions, and fail-on thresholds |
@@ -108,9 +110,9 @@ No Node.js. No `npm install`. No global packages. Works on any system with Docke
 
 ---
 
-## 🛡️ Government & SOC 2 L2 Ready
+## 🛡️ Government & SOC 2 Ready
 
-| Feature | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+| Feature | SOC 2 Controls | NIST 800-161 | STIG/FedRAMP Alignment |
 |---------|-------|--------------|--------------|
 | Audit logs (--audit-log) | CC6.8 | AU-2 | ✓ |
 | FIPS crypto (--fips) | CC6.1 | SC-13 | ✓ |
@@ -125,8 +127,8 @@ npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.
 npm-scan report --stig
 ```
 
-[![SOC 2 L2](https://img.shields.io/badge/SOC%202-L2-green?style=flat-square&logo=aicpa)](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html)
-[![FedRAMP](https://img.shields.io/badge/FedRAMP-Moderate-blue?style=flat-square)](https://fedramp.gov/)
+[![SOC 2 Ready](https://img.shields.io/badge/SOC%202-Ready-green?style=flat-square&logo=aicpa)](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html#soc2)
+[![FedRAMP Aligned](https://img.shields.io/badge/FedRAMP-Aligned-blue?style=flat-square&logo=fedramp)](https://fedramp.gov/baselines/)
 
 ---
 
@@ -389,7 +391,7 @@ jobs:
 
 ### GitHub Action (for downstream users)
 
-Scan your project's `package-lock.json` on every PR — detects typosquats, obfuscated payloads, credential harvesters, and worm propagation before they reach production:
+Scan your project's `package-lock.json` on every PR — detects typosquats, obfuscated payloads, credential harvesters, and worm propagation before they reach production. **SARIF output shows findings directly in GitHub's Security tab (Code Scanning).**
 
 ```yaml
 # .github/workflows/scan.yml
@@ -404,14 +406,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 20
-    - name: Scan lockfile
-      uses: lateos/npm-scan@main
+    - uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
+        sarif: results.sarif
         fail-on: high
+    - name: Upload SARIF to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
 ```
 
 #### Action inputs

package/README.zh.md

@@ -109,9 +109,9 @@ docker compose --profile pipeline up -d
 
 ---
 
-## 🛡️ 政府与 SOC 2 L2 就绪
+## 🛡️ 政府与 SOC 2 就绪
 
-| 功能 | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+| 功能 | SOC 2 控制 | NIST 800-161 | STIG/FedRAMP 对齐 |
 |------|-------|--------------|--------------|
 | 审计日志 (--audit-log) | CC6.8 | AU-2 | ✓ |
 | FIPS 加密 (--fips) | CC6.1 | SC-13 | ✓ |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.11.1",
+  "version": "0.11.3",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {