@lateos/npm-scan 0.11.6 → 0.12.1

package/.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

package/README.md

@@ -70,6 +70,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | 🐳 | **Docker + GitHub Action** | Multi-arch images, one-command Compose pipeline, PR scan action |
 | 🛡️ | **Zero telemetry** | No data leaves your machine. No cloud. No callbacks. |
 | 💾 | **Local scan history** | SQLite-backed persistence, zero external dependencies |
+| 🪝 | **Pre-commit hook** | Block threats before commit — one-liner install, scans `package-lock.json` changes |
 
 ---
 
@@ -204,6 +205,15 @@ npm-scan scan-lockfile --fail-on low
 # Generate SARIF v2.1 output for GitHub Advanced Security / VS Code
 npm-scan scan-lockfile --sarif results.sarif
 
+# Watch for changes and auto-rescan (single lockfile)
+npm-scan scan-lockfile --watch
+
+# Watch with faster debounce (500ms) — great for dev workflows
+npm-scan scan-lockfile --watch --debounce 500
+
+# Watch monorepo (all package-lock.json files in workspace)
+npm-scan scan-lockfile --watch --monorepo
+
 # Output only risk score (0-10) for dashboards/thresholds
 npm-scan scan-lockfile --score-only
 ```
@@ -576,6 +586,32 @@ npm-scan report --html > report.html
 #     path: report.html
 ```
 
+### Pre-commit hook
+
+Block supply chain threats **before** they reach version control — no CI required.
+
+```bash
+# One-liner install (requires Node 18+, Git)
+npx husky@latest init && npm install && npx husky add .husky/pre-commit "npx lint-staged"
+```
+
+**What it does:** On every `git commit`, lint-staged detects staged changes to `package.json` or `package-lock.json` and runs `npm-scan scan-lockfile --fail-on high`. Commits are blocked if threats are found.
+
+```bash
+$ git commit -m "bump lodash"
+✔ Preparing lint-staged configuration...
+✔ Running tasks for staged package*.json files...
+✔ npm-scan scan-lockfile --fail-on high
+  🔴 ATK-003: Credential exfiltration (DNS lookup to credentialharvest.example.com)
+  🔴 ATK-007: Typosquat detected (lodash@7.7.7)
+  ⚠ Exiting with code 1 — threat(s) found
+
+npm scan • @lateos/npm-scan v0.11.6
+error: Command failed with exit code 1.
+```
+
+Add `--no-verify` to bypass for emergencies (`git commit -m "emergency fix" --no-verify`).
+
 ### Docker
 
 See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--zero-installation) above for pull commands, Compose pipeline, and multi-arch images.
@@ -592,7 +628,9 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
 - Policy-as-code engine (YAML)
 - Local SQLite scan history
 - GitHub Action
+- Pre-commit hook (husky + lint-staged)
 - Docker images + Compose pipeline
+- Watch mode (--watch / --monorepo for auto-rescan)
 
 ### Premium (🔐 license key)
 

package/cli/cli.js

@@ -1,6 +1,10 @@
 #!/usr/bin/env node
 
 import { Command } from 'commander';
+import { watch } from 'fs';
+import { statSync } from 'fs';
+import { execSync } from 'child_process';
+import { glob } from 'glob';
 import { isFeatureEnabled, generateKey } from '../backend/license.js';
 
 function requirePremium(feature, licenseKey) {
@@ -164,8 +168,76 @@ program
   .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
   .option('--csv [file]', 'Output CSV format to file or stdout')
   .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
-  .action((options) => {
-    console.log('Scanning lockfile:', options.file);
+  .option('--watch', 'Watch for changes and re-scan automatically')
+  .option('--debounce <ms>', 'Debounce delay in ms before rescanning (default: 1000)', '1000')
+  .option('--silent', 'Suppress stdout output (useful for piping)')
+  .option('--monorepo', 'Scan all package-lock.json files in workspace')
+  .action(async (options) => {
+    const silent = options.silent;
+    const debounce = parseInt(options.debounce, 10) || 1000;
+    const isWatch = options.watch;
+    const isMonorepo = options.monorepo;
+
+    if (isWatch) {
+      if (isMonorepo) {
+        const lockfiles = await glob('**/package-lock.json', { ignore: 'node_modules/**' });
+
+        if (!silent) {
+          console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode (monorepo) — ${lockfiles.length} lockfiles`);
+          console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
+        }
+
+        let timers = {};
+        for (const lf of lockfiles) {
+          if (!silent) console.log(`  Watching: ${lf}`);
+          const watcher = watch(lf, (eventType) => {
+            if (eventType !== 'change') return;
+            clearTimeout(timers[lf]);
+            timers[lf] = setTimeout(() => {
+              if (!silent) {
+                console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lf} changed — scanning...`);
+              }
+              try {
+                execSync(`node cli/cli.js scan-lockfile -f "${lf}" --fail-on ${options.failOn || 'high'} --silent`, { stdio: silent ? 'ignore' : 'inherit' });
+              } catch (e) {}
+            }, debounce);
+          });
+        }
+
+        process.on('SIGINT', () => {
+          if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
+          process.exit(0);
+        });
+      } else {
+        const lockfile = options.file;
+        let lastSize = 0;
+        try { lastSize = statSync(lockfile).size; } catch {}
+
+        if (!silent) {
+          console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode — ${lockfile}`);
+          console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
+        }
+
+        const watcher = watch(lockfile, (eventType) => {
+          if (eventType !== 'change') return;
+          const size = statSync(lockfile).size;
+          if (size === lastSize) return;
+          lastSize = size;
+          if (!silent) console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lockfile} changed — rescanning...`);
+          try {
+            execSync(`node cli/cli.js scan-lockfile --fail-on ${options.failOn || 'high'} --silent`, { stdio: silent ? 'ignore' : 'inherit' });
+          } catch (e) {}
+        });
+
+        process.on('SIGINT', () => {
+          watcher.close();
+          if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
+          process.exit(0);
+        });
+      }
+    } else {
+      console.log('Scanning lockfile:', options.file);
+    }
   });
 
 program

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.11.6",
+  "version": "0.12.1",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -29,9 +29,13 @@
     "test": "node --test",
     "test:coverage": "node --experimental-test-coverage --test",
     "test:verbose": "node --test --test-reporter spec",
+    "prepare": "husky",
     "build": "echo 'Build stub'",
     "corpus": "node tests/corpus/run.js"
   },
+  "lint-staged": {
+    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high"
+  },
   "publishConfig": {
     "access": "public"
   },
@@ -43,5 +47,9 @@
     "pdf-lib": "^1.17.1",
     "sql.js": "^1.11.0",
     "tar": "^7.5.15"
+  },
+  "devDependencies": {
+    "husky": "^9.1.7",
+    "lint-staged": "^16.4.0"
   }
 }