npm - @lateos/npm-scan - Versions diffs - 0.11.5 → 0.12.0 - Mend

@lateos/npm-scan 0.11.5 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/.husky/pre-commit ADDED Viewed

	@@ -0,0 +1 @@
1	+ npx lint-staged

package/README.de.md CHANGED Viewed

@@ -373,7 +373,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -401,7 +401,7 @@ jobs:
 #### Beispiel: Bestimmtes Paket mit Policy + SBOM scannen
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -413,7 +413,7 @@ jobs:
 #### Beispiel: Mit SIEM-Export scannen (Premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -467,7 +467,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -495,7 +495,7 @@ jobs:
 #### Beispiel: Bestimmtes Paket mit Policy + SBOM scannen
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -507,7 +507,7 @@ jobs:
 #### Beispiel: Mit SIEM-Export scannen (Premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef

package/README.fr.md CHANGED Viewed

@@ -373,7 +373,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -401,7 +401,7 @@ jobs:
 #### Exemple : scanner un paquet spécifique avec politique + SBOM
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -413,7 +413,7 @@ jobs:
 #### Exemple : scanner avec export SIEM (premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -467,7 +467,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -495,7 +495,7 @@ jobs:
 #### Exemple : scanner un paquet spécifique avec politique + SBOM
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -507,7 +507,7 @@ jobs:
 #### Exemple : scanner avec export SIEM (premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef

package/README.ja.md CHANGED Viewed

@@ -369,7 +369,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -397,7 +397,7 @@ jobs:
 #### 例：ポリシー＋SBOMで特定パッケージをスキャン
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -409,7 +409,7 @@ jobs:
 #### 例：SIEMエクスポートでスキャン（プレミアム）
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -463,7 +463,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -491,7 +491,7 @@ jobs:
 #### 例：ポリシー＋SBOMで特定パッケージをスキャン
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -503,7 +503,7 @@ jobs:
 #### 例：SIEMエクスポートでスキャン（プレミアム）
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef

package/README.md CHANGED Viewed

@@ -70,6 +70,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | 🐳 | **Docker + GitHub Action** | Multi-arch images, one-command Compose pipeline, PR scan action |
 | 🛡️ | **Zero telemetry** | No data leaves your machine. No cloud. No callbacks. |
 | 💾 | **Local scan history** | SQLite-backed persistence, zero external dependencies |
+| 🪝 | **Pre-commit hook** | Block threats before commit — one-liner install, scans `package-lock.json` changes |
 ---
@@ -439,7 +440,7 @@ jobs:
 #### Example: scan a specific package with policy + SBOM
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -451,7 +452,7 @@ jobs:
 #### Example: scan with SIEM export (premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -505,7 +506,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -533,7 +534,7 @@ jobs:
 #### Example: scan a specific package with policy + SBOM
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -545,7 +546,7 @@ jobs:
 #### Example: scan with SIEM export (premium)
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -576,6 +577,32 @@ npm-scan report --html > report.html
 #     path: report.html
 ```
+### Pre-commit hook
+Block supply chain threats **before** they reach version control — no CI required.
+```bash
+# One-liner install (requires Node 18+, Git)
+npx husky@latest init && npm install && npx husky add .husky/pre-commit "npx lint-staged"
+```
+**What it does:** On every `git commit`, lint-staged detects staged changes to `package.json` or `package-lock.json` and runs `npm-scan scan-lockfile --fail-on high`. Commits are blocked if threats are found.
+```bash
+$ git commit -m "bump lodash"
+✔ Preparing lint-staged configuration...
+✔ Running tasks for staged package*.json files...
+✔ npm-scan scan-lockfile --fail-on high
+  🔴 ATK-003: Credential exfiltration (DNS lookup to credentialharvest.example.com)
+  🔴 ATK-007: Typosquat detected (lodash@7.7.7)
+  ⚠ Exiting with code 1 — threat(s) found
+npm scan • @lateos/npm-scan v0.11.6
+error: Command failed with exit code 1.
+```
+Add `--no-verify` to bypass for emergencies (`git commit -m "emergency fix" --no-verify`).
 ### Docker
 See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--zero-installation) above for pull commands, Compose pipeline, and multi-arch images.
@@ -592,6 +619,7 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
 - Policy-as-code engine (YAML)
 - Local SQLite scan history
 - GitHub Action
+- Pre-commit hook (husky + lint-staged)
 - Docker images + Compose pipeline
 ### Premium (🔐 license key)

package/README.zh.md CHANGED Viewed

@@ -373,7 +373,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -401,7 +401,7 @@ jobs:
 #### 示例：使用策略 + SBOM 扫描特定包
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -413,7 +413,7 @@ jobs:
 #### 示例：使用 SIEM 导出扫描（高级版）
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef
@@ -467,7 +467,7 @@ jobs:
       with:
         node-version: 20
     - name: Scan lockfile
-      uses: lateos/npm-scan@main
+      uses: lateos/npm-scan@v1
       with:
         scan-type: lockfile
         fail-on: high
@@ -495,7 +495,7 @@ jobs:
 #### 示例：使用策略 + SBOM 扫描特定包
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: package
     package: lodash
@@ -507,7 +507,7 @@ jobs:
 #### 示例：使用 SIEM 导出扫描（高级版）
 ```yaml
-- uses: lateos/npm-scan@main
+- uses: lateos/npm-scan@v1
   with:
     scan-type: lockfile
     siem-format: cef

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.11.5",
+  "version": "0.12.0",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -29,9 +29,13 @@
     "test": "node --test",
     "test:coverage": "node --experimental-test-coverage --test",
     "test:verbose": "node --test --test-reporter spec",
+    "prepare": "husky",
     "build": "echo 'Build stub'",
     "corpus": "node tests/corpus/run.js"
   },
+  "lint-staged": {
+    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high"
+  },
   "publishConfig": {
     "access": "public"
   },
@@ -43,5 +47,9 @@
     "pdf-lib": "^1.17.1",
     "sql.js": "^1.11.0",
     "tar": "^7.5.15"
+  },
+  "devDependencies": {
+    "husky": "^9.1.7",
+    "lint-staged": "^16.4.0"
   }
 }