@lateos/npm-scan 0.17.1 → 0.18.1

package/SECURITY.md

@@ -1,73 +1,73 @@
-# Security Policy
-
-## Supported Versions
-
-Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
-
-```bash
-npm update -g @lateos/npm-scan
-```
-
-| Version | Supported |
-|---------|-----------|
-| 0.9.x   | ✅ Active |
-| < 0.9   | ❌       |
-
-## Reporting a Vulnerability
-
-Use **GitHub Private Vulnerability Reporting**:
-
-1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
-2. Describe the vulnerability in detail (ideally with a proof of concept)
-3. Allow **72 hours** for an initial acknowledgment
-
-For encrypted follow-up outside of GitHub, use our PGP key:
-
-```
-Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
-Key ID:      1F7C557B
-Email:       leo@lateos.ai
-```
-
-## Scope
-
-**In scope:**
-- Detector logic (ATK-001 through ATK-011)
-- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
-- CI/CD pipeline and publish process (provenance bypass, supply chain)
-- Configuration injection via `policy.yaml` or command-line flags
-
-**Out of scope:**
-- CVEs in third-party dependencies — report upstream
-- Vulnerabilities in the npm registry itself — report to npm
-- Malicious packages detected by the scanner (that's working as designed)
-
-## Security Practices
-
-`@lateos/npm-scan` follows these practices to protect its own supply chain:
-
-- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
-- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
-- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
-- **2FA** enforced on the npm publisher account
-- **Docker multi-arch images** signed and pushed via CI, not manually
-- **All code public** — no security-by-obscurity
-
-## Self-Scanning
-
-As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
-
-```bash
-npx @lateos/npm-scan scan-lockfile --fail-on medium
-```
-
-If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
-
-## Safe Harbor
-
-We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
-
-- Report vulnerabilities through GitHub Private Vulnerability Reporting
-- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
-- Do not exploit the vulnerability beyond demonstrating it
+# Security Policy
+
+## Supported Versions
+
+Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
+
+```bash
+npm update -g @lateos/npm-scan
+```
+
+| Version | Supported |
+|---------|-----------|
+| 0.9.x   | ✅ Active |
+| < 0.9   | ❌       |
+
+## Reporting a Vulnerability
+
+Use **GitHub Private Vulnerability Reporting**:
+
+1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
+2. Describe the vulnerability in detail (ideally with a proof of concept)
+3. Allow **72 hours** for an initial acknowledgment
+
+For encrypted follow-up outside of GitHub, use our PGP key:
+
+```
+Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
+Key ID:      1F7C557B
+Email:       leo@lateos.ai
+```
+
+## Scope
+
+**In scope:**
+- Detector logic (ATK-001 through ATK-011)
+- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
+- CI/CD pipeline and publish process (provenance bypass, supply chain)
+- Configuration injection via `policy.yaml` or command-line flags
+
+**Out of scope:**
+- CVEs in third-party dependencies — report upstream
+- Vulnerabilities in the npm registry itself — report to npm
+- Malicious packages detected by the scanner (that's working as designed)
+
+## Security Practices
+
+`@lateos/npm-scan` follows these practices to protect its own supply chain:
+
+- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
+- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
+- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
+- **2FA** enforced on the npm publisher account
+- **Docker multi-arch images** signed and pushed via CI, not manually
+- **All code public** — no security-by-obscurity
+
+## Self-Scanning
+
+As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
+
+```bash
+npx @lateos/npm-scan scan-lockfile --fail-on medium
+```
+
+If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
+
+## Safe Harbor
+
+We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
+
+- Report vulnerabilities through GitHub Private Vulnerability Reporting
+- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
+- Do not exploit the vulnerability beyond demonstrating it
 - Act in good faith to improve the security of the project

package/backend/cra.js

@@ -1,69 +1,69 @@
-export function generateCRA(scans) {
-  const atkMap = {};
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const key = f.atk_id || f.id;
-      if (!atkMap[key]) atkMap[key] = [];
-      atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
-    }
-  }
-
-  const CRA_ARTICLES = [
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
-    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
-    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
-    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
-    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
-    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
-  ];
-
-  let rows = '';
-  for (const { article, title, atkId, desc } of CRA_ARTICLES) {
-    const findings = atkMap[atkId] || [];
-    const status = findings.length > 0 ? 'fail' : 'pass';
-    const colorClass = status === 'pass' ? 'pass' : 'fail';
-    const label = findings.length > 0 ? `${findings.length} finding(s)` : 'No findings';
-    rows += `<tr><td>${article}</td><td>${title}</td><td>${desc}</td><td class="nist-${colorClass}">${label}</td><td>${atkId}</td></tr>`;
-  }
-
-  return `<h2>EU CRA Compliance Summary</h2>
-<table>
-<thead><tr><th>CRA Article</th><th>Requirement</th><th>Relevance</th><th>Status</th><th>ATK</th></tr></thead>
-<tbody>${rows}</tbody>
-</table>`;
-}
-
-export function generateCRAHTML(scans) {
-  const body = generateCRA(scans);
-  return `<!DOCTYPE html>
-<html lang="en">
-<head><meta charset="UTF-8"><title>EU CRA Compliance Report</title>
-<style>
-body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
-h1, h2 { color: #58a6ff; }
-table { width: 100%; border-collapse: collapse; margin: 12px 0; }
-th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
-th { background: #161b22; }
-.nist-pass { background: #1b3a1b; color: #7ee787; }
-.nist-fail { background: #3a1b1b; color: #ff7b72; }
-.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
-</style></head>
-<body>
-<h1>npm-scan EU CRA Compliance Report</h1>
-<p>Generated ${new Date().toISOString()} | npm-scan v${process.env.npm_package_version || '0.4.0'}</p>
-${body}
-<p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
-</body></html>`;
+export function generateCRA(scans) {
+  const atkMap = {};
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const key = f.atk_id || f.id;
+      if (!atkMap[key]) atkMap[key] = [];
+      atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
+    }
+  }
+
+  const CRA_ARTICLES = [
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
+    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
+    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
+    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
+    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
+    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
+  ];
+
+  let rows = '';
+  for (const { article, title, atkId, desc } of CRA_ARTICLES) {
+    const findings = atkMap[atkId] || [];
+    const status = findings.length > 0 ? 'fail' : 'pass';
+    const colorClass = status === 'pass' ? 'pass' : 'fail';
+    const label = findings.length > 0 ? `${findings.length} finding(s)` : 'No findings';
+    rows += `<tr><td>${article}</td><td>${title}</td><td>${desc}</td><td class="nist-${colorClass}">${label}</td><td>${atkId}</td></tr>`;
+  }
+
+  return `<h2>EU CRA Compliance Summary</h2>
+<table>
+<thead><tr><th>CRA Article</th><th>Requirement</th><th>Relevance</th><th>Status</th><th>ATK</th></tr></thead>
+<tbody>${rows}</tbody>
+</table>`;
+}
+
+export function generateCRAHTML(scans) {
+  const body = generateCRA(scans);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>EU CRA Compliance Report</title>
+<style>
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
+h1, h2 { color: #58a6ff; }
+table { width: 100%; border-collapse: collapse; margin: 12px 0; }
+th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
+th { background: #161b22; }
+.nist-pass { background: #1b3a1b; color: #7ee787; }
+.nist-fail { background: #3a1b1b; color: #ff7b72; }
+.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
+</style></head>
+<body>
+<h1>npm-scan EU CRA Compliance Report</h1>
+<p>Generated ${new Date().toISOString()} | npm-scan v${process.env.npm_package_version || '0.4.0'}</p>
+${body}
+<p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
+</body></html>`;
 }

package/backend/db/schema.sql

@@ -1,32 +1,32 @@
--- SQLite schema for local CLI mode (free tier)
--- Tables: scans, findings (ATK-linked)
-
-CREATE TABLE IF NOT EXISTS scans (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  package_name TEXT NOT NULL,
-  version TEXT,
-  scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-  status TEXT DEFAULT 'completed',
-  sbom_json TEXT
-);
-
-CREATE TABLE IF NOT EXISTS findings (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  scan_id INTEGER NOT NULL,
-  atk_id TEXT NOT NULL,
-  severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
-  description TEXT,
-  evidence TEXT,
-  mitigation TEXT,
-  FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE
-);
-
--- View for reports
-CREATE VIEW IF NOT EXISTS scan_findings AS
-SELECT s.*, f.* FROM scans s
-JOIN findings f ON s.id = f.scan_id;
-
--- Indexes
-CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
-CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
-CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
+-- SQLite schema for local CLI mode (free tier)
+-- Tables: scans, findings (ATK-linked)
+
+CREATE TABLE IF NOT EXISTS scans (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  package_name TEXT NOT NULL,
+  version TEXT,
+  scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  status TEXT DEFAULT 'completed',
+  sbom_json TEXT
+);
+
+CREATE TABLE IF NOT EXISTS findings (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  scan_id INTEGER NOT NULL,
+  atk_id TEXT NOT NULL,
+  severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
+  description TEXT,
+  evidence TEXT,
+  mitigation TEXT,
+  FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE
+);
+
+-- View for reports
+CREATE VIEW IF NOT EXISTS scan_findings AS
+SELECT s.*, f.* FROM scans s
+JOIN findings f ON s.id = f.scan_id;
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
+CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
+CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);

package/backend/db.js

@@ -1,89 +1,89 @@
-import initSqlJs from 'sql.js';
-import fs from 'fs';
-import path from 'path';
-import { fileURLToPath } from 'url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const DB_PATH = path.join(process.cwd(), 'npm-scan.db');
-const SCHEMA_PATH = path.join(__dirname, 'db', 'schema.sql');
-
-let db = null;
-let initPromise = null;
-
-async function ensureInit() {
-  if (db) return;
-  if (initPromise) return initPromise;
-  initPromise = (async () => {
-    const SQL = await initSqlJs();
-    if (fs.existsSync(DB_PATH)) {
-      db = new SQL.Database(fs.readFileSync(DB_PATH));
-    } else {
-      db = new SQL.Database();
-    }
-    if (fs.existsSync(SCHEMA_PATH)) {
-      db.run(fs.readFileSync(SCHEMA_PATH, 'utf8'));
-    }
-  })();
-  return initPromise;
-}
-
-function queryAll(sql, params = []) {
-  const stmt = db.prepare(sql);
-  if (params.length) stmt.bind(params);
-  const rows = [];
-  while (stmt.step()) {
-    rows.push(stmt.getAsObject());
-  }
-  stmt.free();
-  return rows;
-}
-
-function queryOne(sql, params = []) {
-  return queryAll(sql, params)[0] || null;
-}
-
-function lastId() {
-  const r = db.exec("SELECT last_insert_rowid()");
-  return Number(r[0].values[0][0]);
-}
-
-function persist() {
-  fs.writeFileSync(DB_PATH, Buffer.from(db.export()));
-}
-
-export async function saveScan(pkgName, version = 'latest', findings = []) {
-  await ensureInit();
-  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
-  const scanId = lastId();
-  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
-  for (const f of findings) {
-    stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
-  }
-  stmt.free();
-  persist();
-  return scanId;
-}
-
-export async function getRecentScans(limit = 10) {
-  await ensureInit();
-  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
-}
-
-export async function getFindings(scanId) {
-  await ensureInit();
-  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
-}
-
-export async function getScan(scanId) {
-  await ensureInit();
-  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
-}
-
-export async function close() {
-  if (db) {
-    persist();
-    db.close();
-    db = null;
-    initPromise = null;
-  }
+import initSqlJs from 'sql.js';
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const DB_PATH = path.join(process.cwd(), 'npm-scan.db');
+const SCHEMA_PATH = path.join(__dirname, 'db', 'schema.sql');
+
+let db = null;
+let initPromise = null;
+
+async function ensureInit() {
+  if (db) return;
+  if (initPromise) return initPromise;
+  initPromise = (async () => {
+    const SQL = await initSqlJs();
+    if (fs.existsSync(DB_PATH)) {
+      db = new SQL.Database(fs.readFileSync(DB_PATH));
+    } else {
+      db = new SQL.Database();
+    }
+    if (fs.existsSync(SCHEMA_PATH)) {
+      db.run(fs.readFileSync(SCHEMA_PATH, 'utf8'));
+    }
+  })();
+  return initPromise;
+}
+
+function queryAll(sql, params = []) {
+  const stmt = db.prepare(sql);
+  if (params.length) stmt.bind(params);
+  const rows = [];
+  while (stmt.step()) {
+    rows.push(stmt.getAsObject());
+  }
+  stmt.free();
+  return rows;
+}
+
+function queryOne(sql, params = []) {
+  return queryAll(sql, params)[0] || null;
+}
+
+function lastId() {
+  const r = db.exec("SELECT last_insert_rowid()");
+  return Number(r[0].values[0][0]);
+}
+
+function persist() {
+  fs.writeFileSync(DB_PATH, Buffer.from(db.export()));
+}
+
+export async function saveScan(pkgName, version = 'latest', findings = []) {
+  await ensureInit();
+  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
+  const scanId = lastId();
+  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
+  for (const f of findings) {
+    stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
+  }
+  stmt.free();
+  persist();
+  return scanId;
+}
+
+export async function getRecentScans(limit = 10) {
+  await ensureInit();
+  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
+}
+
+export async function getFindings(scanId) {
+  await ensureInit();
+  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
+}
+
+export async function getScan(scanId) {
+  await ensureInit();
+  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
+}
+
+export async function close() {
+  if (db) {
+    persist();
+    db.close();
+    db = null;
+    initPromise = null;
+  }
 }

package/backend/detectors/atk-001-lifecycle.js

@@ -1,18 +1,18 @@
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const scripts = pkgJson.scripts || {};
-  const suspicious = Object.keys(scripts).filter(s => /pre|post|install/i.test(s));
-  if (suspicious.length) {
-    const content = suspicious.map(s => scripts[s]).join(' ');
-    if (/curl|wget|sh |bash |\.sh|exfil|steal|pwn|c2|pastebin/i.test(content)) {
-      findings.push({
-        id: 'ATK-001',
-        severity: 'high',
-        title: 'Malicious lifecycle scripts',
-        description: 'Suspicious install hooks',
-        evidence: suspicious.join(', ')
-      });
-    }
-  }
-  return findings;
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const scripts = pkgJson.scripts || {};
+  const suspicious = Object.keys(scripts).filter(s => /pre|post|install/i.test(s));
+  if (suspicious.length) {
+    const content = suspicious.map(s => scripts[s]).join(' ');
+    if (/curl|wget|sh |bash |\.sh|exfil|steal|pwn|c2|pastebin/i.test(content)) {
+      findings.push({
+        id: 'ATK-001',
+        severity: 'high',
+        title: 'Malicious lifecycle scripts',
+        description: 'Suspicious install hooks',
+        evidence: suspicious.join(', ')
+      });
+    }
+  }
+  return findings;
 }