@lateos/npm-scan 0.11.6 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1 @@
1
+ npx lint-staged
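Review bot: the file header for this hunk is missing on the page, so the hook file's path cannot be confirmed; the body `npx lint-staged` is the whole hook. It resolves `lint-staged` from the local `node_modules` (it is added as a devDependency in this release), but on a checkout where dev dependencies were omitted `npx` falls back to fetching the package from the registry at commit time, which is exactly the kind of implicit install a supply-chain scanner's own tooling should avoid. Suggest `npx --no-install lint-staged` so the hook fails closed when the binary is absent, or document that dev dependencies must be installed for the hook to work.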
package/README.md CHANGED
@@ -70,6 +70,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
70
70
  | 🐳 | **Docker + GitHub Action** | Multi-arch images, one-command Compose pipeline, PR scan action |
71
71
  | 🛡️ | **Zero telemetry** | No data leaves your machine. No cloud. No callbacks. |
72
72
  | 💾 | **Local scan history** | SQLite-backed persistence, zero external dependencies |
73
+ | 🪝 | **Pre-commit hook** | Block threats before commit — one-liner install, scans `package-lock.json` changes |
73
74
 
74
75
  ---
75
76
 
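Review bot: the new table row says the hook "scans `package-lock.json` changes", while the lint-staged glob added to package.json in this same release (`**/package{,-lock}.json`) also fires on `package.json`; align the wording (e.g. "scans `package.json` / `package-lock.json` changes") so readers know a manifest edit without a lockfile update is covered too.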
@@ -576,6 +577,32 @@ npm-scan report --html > report.html
576
577
  # path: report.html
577
578
  ```
578
579
 
580
+ ### Pre-commit hook
581
+
582
+ Block supply chain threats **before** they reach version control — no CI required.
583
+
584
+ ```bash
585
+ # One-liner install (requires Node 18+, Git)
586
+ npx husky@latest init && npm install && npx husky add .husky/pre-commit "npx lint-staged"
587
+ ```
588
+
589
+ **What it does:** On every `git commit`, lint-staged detects staged changes to `package.json` or `package-lock.json` and runs `npm-scan scan-lockfile --fail-on high`. Commits are blocked if threats are found.
590
+
591
+ ```bash
592
+ $ git commit -m "bump lodash"
593
+ ✔ Preparing lint-staged configuration...
594
+ ✔ Running tasks for staged package*.json files...
595
+ ✔ npm-scan scan-lockfile --fail-on high
596
+ 🔴 ATK-003: Credential exfiltration (DNS lookup to credentialharvest.example.com)
597
+ 🔴 ATK-007: Typosquat detected (lodash@7.7.7)
598
+ ⚠ Exiting with code 1 — threat(s) found
599
+
600
+ npm scan • @lateos/npm-scan v0.11.6
601
+ error: Command failed with exit code 1.
602
+ ```
603
+
604
+ Add `--no-verify` to bypass for emergencies (`git commit -m "emergency fix" --no-verify`).
605
+
579
606
  ### Docker
580
607
 
581
608
  See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--zero-installation) above for pull commands, Compose pipeline, and multi-arch images.
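Review bot: the install one-liner runs `npx husky add .husky/pre-commit "npx lint-staged"`, but husky 9 (the range this release pins, `^9.1.7`) removed the `add` subcommand; `husky init` already creates `.husky/pre-commit` (containing `npm test`), so that step should become a direct write such as `echo "npx lint-staged" > .husky/pre-commit`. The section also never tells a consumer to add a lint-staged configuration: the `"lint-staged"` block in this release's package.json invokes `node cli/cli.js`, which exists only in this repository, so a user following the README gets a hook that runs lint-staged with no task for `package*.json` (lint-staged exits non-zero when it finds no configuration). Show the entry they need, e.g. `"lint-staged": { "**/package{,-lock}.json": "npm-scan scan-lockfile --fail-on high" }`. Two caveats belong in the "What it does" paragraph: the scan runs at commit time, after `npm install` has already executed the dependency's lifecycle scripts on the developer's machine, so "before they reach version control" is accurate but "no CI required" is not, since the `--no-verify` bypass documented just below skips the hook entirely; keep the GitHub Action as the enforcing control and suggest `npm install --ignore-scripts` for local installs. Finally, the sample output prints `v0.11.6` while this release is 0.12.0.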
@@ -592,6 +619,7 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
592
619
  - Policy-as-code engine (YAML)
593
620
  - Local SQLite scan history
594
621
  - GitHub Action
622
+ - Pre-commit hook (husky + lint-staged)
595
623
  - Docker images + Compose pipeline
596
624
 
597
625
  ### Premium (🔐 license key)
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lateos/npm-scan",
3
- "version": "0.11.6",
3
+ "version": "0.12.0",
4
4
  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
5
5
  "main": "backend/index.js",
6
6
  "bin": {
@@ -29,9 +29,13 @@
29
29
  "test": "node --test",
30
30
  "test:coverage": "node --experimental-test-coverage --test",
31
31
  "test:verbose": "node --test --test-reporter spec",
32
+ "prepare": "husky",
32
33
  "build": "echo 'Build stub'",
33
34
  "corpus": "node tests/corpus/run.js"
34
35
  },
36
+ "lint-staged": {
37
+ "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high"
38
+ },
35
39
  "publishConfig": {
36
40
  "access": "public"
37
41
  },
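Review bot: lint-staged appends the matched staged file paths to the task command, so what actually runs is `node cli/cli.js scan-lockfile --fail-on high <path/to/package-lock.json> [...]`; confirm `scan-lockfile` accepts positional lockfile paths, and several at once, since `**/package{,-lock}.json` matches both files in a single commit, otherwise wrap the task so the paths are dropped. Separately, `"prepare": "husky"` runs on every bare `npm install` and on `npm publish`/`npm pack`; in an environment where dev dependencies are omitted husky is not present and the script fails, so consider `"prepare": "husky || true"` or setting `HUSKY=0` there.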
@@ -43,5 +47,9 @@
43
47
  "pdf-lib": "^1.17.1",
44
48
  "sql.js": "^1.11.0",
45
49
  "tar": "^7.5.15"
50
+ },
51
+ "devDependencies": {
52
+ "husky": "^9.1.7",
53
+ "lint-staged": "^16.4.0"
46
54
  }
47
55
  }
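Review bot: the README states the hook "requires Node 18+", but the actual floor is set by the `engines` fields of `lint-staged` ^16.4.0 and `husky` ^9.1.7 added here, not by the README; verify it against those packages before shipping and state the same version in both places.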