@lateos/npm-scan 0.7.6 → 0.9.0

package/action.yml

@@ -1,94 +0,0 @@
-name: 'npm-scan'
-description: 'Scan npm dependencies for supply chain threats using npm-scan'
-author: 'Lateos'
-
-inputs:
-  scan-type:
-    description: 'Scan mode: lockfile to scan package-lock.json, package to scan a specific package'
-    default: 'lockfile'
-    required: false
-  package:
-    description: 'Package name to scan (required when scan-type=package)'
-    required: false
-  fail-on:
-    description: 'Fail the workflow on findings at this severity or higher (none, low, medium, high, critical)'
-    default: 'high'
-    required: false
-  license-key:
-    description: 'Premium license key for advanced features'
-    required: false
-  siem-format:
-    description: 'SIEM output format (cef, ecs, sentinel, qradar)'
-    required: false
-  sbom-format:
-    description: 'SBOM output format (json, xml, spdx)'
-    required: false
-
-outputs:
-  findings-count:
-    description: 'Number of findings detected'
-    value: ${{ steps.run.outputs.findings_count }}
-  scan-id:
-    description: 'Scan ID for later reference'
-    value: ${{ steps.run.outputs.scan_id }}
-
-runs:
-  using: 'composite'
-  steps:
-    - uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-
-    - name: Install npm-scan
-      shell: bash
-      run: npm install -g @lateos/npm-scan@latest
-
-    - name: Run npm-scan scan
-      id: run
-      shell: bash
-      env:
-        NPM_SCAN_LICENSE_KEY: ${{ inputs.license-key || '' }}
-      run: |
-        set -euo pipefail
-        if [[ "${{ inputs.scan-type }}" == "package" && -n "${{ inputs.package }}" ]]; then
-          output=$(npm-scan scan "${{ inputs.package }}" 2>&1)
-        else
-          output=$(npm-scan scan-lockfile 2>&1)
-        fi
-        echo "$output"
-
-        # Extract scan ID if present
-        scan_id=$(echo "$output" | grep -oP '"scanId"\s*:\s*"\K[^"]+' || echo "")
-        if [[ -n "$scan_id" ]]; then
-          echo "scan_id=$scan_id" >> "$GITHUB_OUTPUT"
-          # Count findings
-          findings_count=$(echo "$output" | grep -oP '"severity"' | wc -l | tr -d ' ')
-          echo "findings_count=$findings_count" >> "$GITHUB_OUTPUT"
-
-          # Generate additional outputs
-          if [[ -n "${{ inputs.siem-format }}" ]]; then
-            echo "--- SIEM (${{ inputs.siem-format }}) ---"
-            npm-scan report -i "$scan_id" --siem "${{ inputs.siem-format }}" 2>&1 || true
-          fi
-          if [[ -n "${{ inputs.sbom-format }}" ]]; then
-            echo "--- SBOM (${{ inputs.sbom-format }}) ---"
-            npm-scan report -i "$scan_id" --sbom "${{ inputs.sbom-format }}" 2>&1 || true
-          fi
-        fi
-
-    - name: Check severity threshold
-      shell: bash
-      if: ${{ inputs.fail-on != 'none' }}
-      env:
-        FAIL_SEVERITY: ${{ inputs.fail-on }}
-      run: |
-        SEVERITY_ORDER="none low medium high critical"
-        FAIL_IDX=-1
-        for sev in $SEVERITY_ORDER; do
-          FAIL_IDX=$((FAIL_IDX + 1))
-          [[ "$sev" == "$FAIL_SEVERITY" ]] && break
-        done
-        # In a real scan, we'd parse the output for severity levels.
-        # For now, the action logs results and defers to the scan output.
-        echo "Fail-on threshold: $FAIL_SEVERITY (index $FAIL_IDX)"
-        echo "Review the scan output above for any findings at or above this severity."

package/api/README.md

@@ -1,80 +0,0 @@
-# npm-scan REST API
-
-FastAPI-based REST API for hosted/team tier. Requires premium or enterprise license.
-
-## Quick Start
-
-```bash
-pip install -r api/requirements.txt
-python -m api.main
-```
-
-## Endpoints
-
-| Method | Path | Description |
-|--------|------|-------------|
-| POST | /api/v1/scan | Submit a package for scanning |
-| GET | /api/v1/scans | List recent scans |
-| GET | /api/v1/scans/{id} | Get scan details |
-| GET | /api/v1/scans/{id}/findings | Get findings for a scan |
-| GET | /api/v1/scans/{id}/report | Generate report |
-| POST | /api/v1/webhooks | Register a webhook |
-| GET | /api/v1/webhooks | List webhooks |
-| DELETE | /api/v1/webhooks/{id} | Delete a webhook |
-| POST | /api/v1/auth/login | Login |
-| POST | /api/v1/auth/register | Register |
-| GET | /api/v1/auth/methods | List available auth methods (password, SAML) |
-| GET | /api/v1/auth/me | Current user profile |
-| GET | /api/v1/auth/saml | Convenience redirect to SAML login |
-| GET | /api/v1/sso/metadata | SP metadata XML for IdP registration |
-| GET | /api/v1/sso/login | SP-initiated SAML SSO redirect |
-| POST | /api/v1/sso/acs | Assertion Consumer Service (SAML callback) |
-| POST | /api/v1/sso/slo | Single Logout |
-| GET | /api/v1/sso/session | Current SAML session status |
-| GET | /api/v1/sso/config | SAML configuration status |
-| GET | /api/v1/health | Health check |
-
-## Authentication
-
-All endpoints except `/api/v1/health`, `/api/v1/auth/methods`, and `/api/v1/auth/saml` require an API key or session token.
-
-### Methods
-
-1. **JWT Token** — obtained via `POST /api/v1/auth/login` or SAML ACS callback
-2. **API Key** — long-lived key with scoped permissions
-3. **SAML SSO** — enterprise IdP integration (Okta, Azure AD, OneLogin, Keycloak)
-
-Pass as header: `Authorization: Bearer <token_or_api_key>`
-
-## SAML / SSO Configuration
-
-SAML SSO requires an enterprise license and is configured via environment variables or `saml-config.yaml`.
-
-### Environment Variables
-
-| Variable | Description |
-|----------|-------------|
-| `SAML_IDP_ENTITY_ID` | IdP entity ID (from IdP metadata) |
-| `SAML_IDP_SSO_URL` | IdP SSO endpoint URL |
-| `SAML_IDP_X509_CERT` | IdP X.509 certificate for assertion verification |
-| `SAML_SP_PRIVATE_KEY` | SP private key for signing authn requests |
-| `SAML_SP_X509_CERT` | SP X.509 certificate (shared with IdP) |
-| `SAML_IDP_METADATA_URL` | Auto-discover IdP config from metadata URL |
-
-See `saml-config.yaml` for a full configuration template.
-
-### Supported IdPs
-
-- Okta
-- Azure Active Directory / Entra ID
-- OneLogin
-- Keycloak
-- Any SAML 2.0 compliant IdP
-
-### Flow
-
-1. User visits `GET /api/v1/auth/saml` or `GET /api/v1/sso/login`
-2. Server redirects to IdP with signed SAML AuthnRequest
-3. User authenticates at IdP
-4. IdP POSTs SAML Response to `POST /api/v1/sso/acs`
-5. Server validates assertion, provisions user, returns JWT tokens

package/api/api_keys.py

@@ -1,55 +0,0 @@
-"""API key management for the npm-scan hosted tier.
-
-Handles:
-  - Key generation (prefixed + hashed for storage)
-  - Key validation against stored hash
-  - Scope-based access control per key
-  - Key rotation and revocation
-"""
-
-import os
-import uuid
-import hashlib
-import hmac
-import secrets
-from datetime import datetime, timezone, timedelta
-from typing import Optional
-
-
-API_KEY_PREFIX = "npm-scan-api-"
-
-
-def generate_api_key(name: str = "default", scopes: list[str] = None) -> tuple[str, str]:
-    """Generate an API key and return (raw_key, hashed_key).
-    
-    The raw key is returned once for the user to store securely.
-    Only the hashed version is persisted.
-    """
-    raw = API_KEY_PREFIX + secrets.token_urlsafe(32)
-    key_id = str(uuid.uuid4())
-    salt = secrets.token_hex(8)
-    hashed = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), 100_000).hex()
-    stored = f"{salt}${hashed}"
-    return raw, stored
-
-
-def validate_api_key(raw_key: str, stored_hash: str) -> bool:
-    """Check a raw key against its stored PBKDF2 hash."""
-    try:
-        salt, hashed = stored_hash.split("$", 1)
-        check = hashlib.pbkdf2_hmac("sha256", raw_key.encode(), salt.encode(), 100_000).hex()
-        return hmac.compare_digest(check, hashed)
-    except (ValueError, IndexError):
-        return False
-
-
-def is_api_key(raw_key: str) -> bool:
-    """Check if a string looks like an npm-scan API key."""
-    return raw_key.startswith(API_KEY_PREFIX)
-
-
-def redact_key(raw_key: str) -> str:
-    """Show only the last 8 chars of a key for logging."""
-    if len(raw_key) <= 16:
-        return "***"
-    return raw_key[-8:].rjust(len(raw_key), "*")

package/api/deps.py

@@ -1,164 +0,0 @@
-"""Shared auth dependencies for the npm-scan API.
-
-Handles:
-  - JWT access + refresh tokens
-  - API key validation
-  - Session management
-  - RBAC enforcement
-  - License feature gating
-"""
-
-import os
-import uuid
-import json
-from datetime import datetime, timedelta, timezone
-from typing import Optional
-from fastapi import Header, HTTPException, status, Depends, Request
-from pydantic import BaseModel
-from jose import jwt, JWTError
-
-JWT_SECRET = os.environ.get("JWT_SECRET", os.urandom(32).hex())
-JWT_ALGORITHM = "HS256"
-ACCESS_TOKEN_EXPIRE_MINUTES = int(os.environ.get("JWT_EXPIRE_MINUTES", "60"))
-REFRESH_TOKEN_EXPIRE_DAYS = int(os.environ.get("JWT_REFRESH_DAYS", "30"))
-
-
-class UserSession(BaseModel):
-    user_id: str
-    email: str
-    name: str
-    team_id: Optional[str] = None
-    role: str = "viewer"
-    auth_method: str = "password"  # password, saml, api_key
-    idp: Optional[str] = None
-
-
-class TokenPayload(BaseModel):
-    sub: str  # user_id
-    email: str
-    role: str
-    team_id: Optional[str] = None
-    exp: datetime
-    iat: datetime
-    jti: str
-
-
-def create_access_token(session: UserSession) -> str:
-    """Create a JWT access token from a user session."""
-    now = datetime.now(timezone.utc)
-    payload = {
-        "sub": session.user_id,
-        "email": session.email,
-        "role": session.role,
-        "team_id": session.team_id,
-        "iat": now,
-        "exp": now + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
-        "jti": str(uuid.uuid4()),
-    }
-    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
-
-
-def create_refresh_token(session: UserSession) -> str:
-    """Create a long-lived refresh token."""
-    now = datetime.now(timezone.utc)
-    payload = {
-        "sub": session.user_id,
-        "type": "refresh",
-        "jti": str(uuid.uuid4()),
-        "iat": now,
-        "exp": now + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
-    }
-    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
-
-
-def verify_token(token: str) -> TokenPayload:
-    """Verify and decode a JWT token. Raises 401 on failure."""
-    try:
-        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
-        return TokenPayload(**payload)
-    except JWTError:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid or expired token",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-
-
-async def get_current_user(
-    authorization: Optional[str] = Header(None),
-) -> UserSession:
-    """Dependency: extracts authenticated user from Bearer token or API key."""
-    if not authorization:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Missing Authorization header",
-        )
-
-    scheme, _, token = authorization.partition(" ")
-    if scheme.lower() != "bearer" or not token:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid authorization scheme. Use: Bearer <token>",
-        )
-
-    # Try JWT first
-    try:
-        payload = verify_token(token)
-        return UserSession(
-            user_id=payload.sub,
-            email=payload.email,
-            name="",
-            role=payload.role,
-            team_id=payload.team_id,
-            auth_method="token",
-        )
-    except HTTPException:
-        pass
-
-    # Try API key (lookup in-memory or PostgreSQL in production)
-    # For now, validate format and return limited session
-    if token.startswith("npm-scan-api-"):
-        return UserSession(
-            user_id="api-user",
-            email="api@npm-scan.io",
-            name="API User",
-            role="viewer",
-            auth_method="api_key",
-        )
-
-    raise HTTPException(
-        status_code=status.HTTP_401_UNAUTHORIZED,
-        detail="Invalid authentication token",
-    )
-
-
-def require_role(required_roles: list[str]):
-    """Dependency factory: requires one of the specified roles."""
-    async def _check(current_user: UserSession = Depends(get_current_user)):
-        if current_user.role not in required_roles:
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail=f"Requires one of these roles: {required_roles}",
-            )
-        return current_user
-    return _check
-
-
-def require_feature(feature: str):
-    """Dependency factory: requires a specific license feature flag."""
-    async def _check():
-        license_key = os.environ.get("NPM_SCAN_LICENSE_KEY", "")
-        if not license_key:
-            raise HTTPException(
-                status_code=status.HTTP_402_PAYMENT_REQUIRED,
-                detail=f"Feature '{feature}' requires a premium/enterprise license key",
-            )
-        # Delegate to Node.js license module via subprocess or bundled validation
-        # For now, check if it's an enterprise key format
-        if not license_key.startswith("npm-scan-"):
-            raise HTTPException(
-                status_code=status.HTTP_402_PAYMENT_REQUIRED,
-                detail="Invalid license key format",
-            )
-        return True
-    return _check

package/api/main.py

@@ -1,44 +0,0 @@
-"""
-npm-scan REST API — FastAPI application.
-Requires premium/enterprise license key for all endpoints.
-"""
-
-from fastapi import FastAPI, Depends, HTTPException, status
-from fastapi.middleware.cors import CORSMiddleware
-import os
-
-from .routers import scans, webhooks, auth, health, sso
-
-app = FastAPI(
-    title="npm-scan API",
-    version=os.environ.get("npm_package_version", "0.5.0"),
-    description="npm supply chain security scanner — REST API",
-)
-
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=["*"],
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
-
-app.include_router(health.router, prefix="/api/v1", tags=["health"])
-app.include_router(auth.router, prefix="/api/v1/auth", tags=["auth"])
-app.include_router(sso.router, prefix="/api/v1", tags=["sso"])
-app.include_router(scans.router, prefix="/api/v1", tags=["scans"])
-app.include_router(webhooks.router, prefix="/api/v1", tags=["webhooks"])
-
-
-def main():
-    import uvicorn
-    uvicorn.run(
-        "api.main:app",
-        host=os.environ.get("API_HOST", "0.0.0.0"),
-        port=int(os.environ.get("API_PORT", "8000")),
-        reload=os.environ.get("API_RELOAD", "false").lower() == "true",
-    )
-
-
-if __name__ == "__main__":
-    main()

package/api/requirements.txt

@@ -1,9 +0,0 @@
-fastapi>=0.115.0
-uvicorn[standard]>=0.32.0
-psycopg2-binary>=2.9.10
-python-jose[cryptography]>=3.3.0
-passlib[bcrypt]>=1.7.4
-httpx>=0.28.0
-pydantic>=2.10.0
-python3-saml>=1.16.0
-python3-saml>=1.16.0

package/api/routers/auth.py

@@ -1,80 +0,0 @@
-"""Authentication endpoints — login, register, API key management, SAML status."""
-
-from fastapi import APIRouter, HTTPException, Depends
-from fastapi.responses import RedirectResponse
-from pydantic import BaseModel, EmailStr
-from typing import Optional
-import os
-
-from ..deps import get_current_user, UserSession
-from ..saml import get_saml_config
-
-router = APIRouter()
-
-
-class RegisterRequest(BaseModel):
-    email: EmailStr
-    name: str
-    password: str
-    team_name: Optional[str] = None
-
-
-class LoginRequest(BaseModel):
-    email: EmailStr
-    password: str
-
-
-class TokenResponse(BaseModel):
-    access_token: str
-    token_type: str = "bearer"
-
-
-class AuthMethodsResponse(BaseModel):
-    password: bool
-    saml: bool
-    saml_entity_id: Optional[str] = None
-    saml_login_url: Optional[str] = None
-
-
-@router.get("/methods")
-async def auth_methods():
-    """List available authentication methods for this instance."""
-    saml_cfg = get_saml_config()
-    saml_configured = saml_cfg.is_configured()
-    return AuthMethodsResponse(
-        password=True,
-        saml=saml_configured,
-        saml_entity_id=saml_cfg.entity_id if saml_configured else None,
-        saml_login_url="/api/v1/sso/login" if saml_configured else None,
-    )
-
-
-@router.get("/me")
-async def get_me(current_user: UserSession = Depends(get_current_user)):
-    """Get the current authenticated user's profile."""
-    return {
-        "user_id": current_user.user_id,
-        "email": current_user.email,
-        "name": current_user.name,
-        "role": current_user.role,
-        "auth_method": current_user.auth_method,
-    }
-
-
-@router.post("/register", response_model=TokenResponse)
-async def register(req: RegisterRequest):
-    raise HTTPException(status_code=501, detail="Registration requires PostgreSQL backend — not yet connected")
-
-
-@router.post("/login", response_model=TokenResponse)
-async def login(req: LoginRequest):
-    raise HTTPException(status_code=501, detail="Login requires PostgreSQL backend — not yet connected")
-
-
-@router.get("/saml")
-async def saml_redirect():
-    """Convenience redirect to SAML login."""
-    saml_cfg = get_saml_config()
-    if not saml_cfg.is_configured():
-        raise HTTPException(status_code=501, detail="SAML not configured")
-    return RedirectResponse(url="/api/v1/sso/login")

package/api/routers/health.py

@@ -1,10 +0,0 @@
-"""Health check endpoint."""
-
-from fastapi import APIRouter
-
-router = APIRouter()
-
-
-@router.get("/health")
-async def health_check():
-    return {"status": "ok", "version": "0.5.0"}

package/api/routers/scans.py

@@ -1,66 +0,0 @@
-"""Scan endpoints — submit, list, retrieve scans and findings."""
-
-from fastapi import APIRouter, HTTPException, Query
-from pydantic import BaseModel
-from typing import Optional, List
-from datetime import datetime
-
-router = APIRouter()
-
-
-class ScanRequest(BaseModel):
-    package_name: str
-    version: Optional[str] = "latest"
-
-
-class Finding(BaseModel):
-    atk_id: str
-    severity: str
-    title: Optional[str] = None
-    description: Optional[str] = None
-    evidence: Optional[str] = None
-
-
-class Scan(BaseModel):
-    id: str
-    package_name: str
-    version: str
-    status: str
-    scanned_at: datetime
-    findings: List[Finding] = []
-
-
-SCANS_DB: list[Scan] = []
-
-
-@router.post("/scan", status_code=201)
-async def submit_scan(req: ScanRequest):
-    """Submit a package for scanning (delegates to Node.js CLI)."""
-    raise HTTPException(
-        status_code=501,
-        detail="Scan execution requires async worker — use `npm-scan scan <package>` via CLI"
-    )
-
-
-@router.get("/scans", response_model=List[Scan])
-async def list_scans(limit: int = Query(10, ge=1, le=100)):
-    """List recent scans."""
-    return SCANS_DB[-limit:][::-1]
-
-
-@router.get("/scans/{scan_id}")
-async def get_scan(scan_id: str):
-    """Get scan details by ID."""
-    for scan in SCANS_DB:
-        if scan.id == scan_id:
-            return scan
-    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")
-
-
-@router.get("/scans/{scan_id}/findings")
-async def get_findings(scan_id: str):
-    """Get findings for a specific scan."""
-    for scan in SCANS_DB:
-        if scan.id == scan_id:
-            return scan.findings
-    raise HTTPException(status_code=404, detail=f"Scan {scan_id} not found")