npm - @lateos/npm-scan - Versions diffs - 0.9.6 → 0.9.9 - Mend

@lateos/npm-scan 0.9.6 → 0.9.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,199 @@
+# Changelog
+All notable changes to [@lateos/npm-scan](https://github.com/lateos-ai/npm-scan) are documented here.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+### Added
+- `scan --file <path>` flag to analyze local `.tgz` tarballs without fetching from npm registry
+- `scan --fail-on <level>` flag to exit with code 1 when findings >= severity (CI/CD integration)
+- `scan --sarif [file]` to output SARIF v2.1 format for GitHub Advanced Security, VS Code, Azure DevOps
+- `scan --csv [file]` and `report --csv [file]` to export tabular CSV for Excel/Sheets import
+- `scan --score-only` to output only risk score (0-10), auto-added to JSON output
+- Government/SOC 2 features: `--audit-log`, `--fips`, `--stig`, `--cache-dir` for air-gapped/federal compliance
+## [0.9.7] — 2026-05-12
+- Sigstore provenance attestation on every publish via new GitHub Actions workflow
+- Fix duplicate Docker section in README.md
+- Add SECURITY.md with vulnerability disclosure policy and PGP key
+## [0.9.6] — 2026-05-12
+- Add Docker badge (`ghcr.io/lateos/npm-scan`) to all 5 READMEs
+- Add dedicated Docker quick-start section in all languages
+- Replace duplicate Docker pull instructions in Integrations with cross-references
+## [0.9.5] — 2026-05-12
+- Fix literal `\n` escape sequences in LICENSING.md (replaced with real newlines)
+## [0.9.4] — 2026-05-11
+- Fix language badge links to use absolute GitHub URLs so they work from npm web UI
+- Fix GitHub organization links from `lateos` to `lateos-ai` across all READMEs
+## [0.9.3] — 2026-05-11
+- Add multi-language README: Chinese (`README.zh.md`), Japanese (`README.ja.md`), French (`README.fr.md`), German (`README.de.md`)
+- Language-switcher badges with absolute GitHub URLs in all 5 READMEs
+## [0.9.2] — 2026-05-11
+- **222 tests across 8 test files** (212 passing, 10 skipped for known FPs)
+- **85% line coverage** with Node.js native test runner
+- New test files: `test/db.test.js`, `test/detectors-edge-cases.test.js`, `test/detectors-corpus.test.js`, `test/report-snapshots.test.js`, `test/fetch.test.js`, `test/policy-edge-cases.test.js`, `test/cli.test.js`, `test/fixtures/mock-data.js`
+- `backend/db.js:close()` resets `initPromise = null` for test isolation
+- GitHub Actions CI with Node 18/20/22 matrix, corpus tests, and self-scan
+- GitHub Actions PR lockfile scanner with `fail-on: high`
+## [0.9.1] — 2026-05-11
+- Remove `node-fetch` import and dependency (replaced in 0.9.0)
+## [0.9.0] — 2026-05-11
+- **Replace `node-fetch` with native `fetch`** (Node 18+) — removes external HTTP dependency
+- **Replace `better-sqlite3` with `sql.js`** (WASM) — zero native compilation, fixes `npx` silent failure on systems without build tools
+- Add 404 check in `backend/fetch.js` for robust registry lookups
+- Reduce ATK-009 false positives on `lodash`/`axios`/`express`
+- Fix ATK-002/011 false positives — stricter eval+decode rules, remove self-referential checks
+- Fix ATK-008 `knownRepos` for `vue`
+## [0.8.0] — 2026-05-11
+- **YAML/JSON policy-as-code engine** — allowlists, severity overrides, suppressions, `fail_on` threshold
+- **Text report generator** (free tier)
+- **PDF report generator** (premium, via `pdf-lib`)
+- **Docker**: multi-stage builds, Compose profiles, health checks, validation script, Makefile
+- Comprehensive README rewrite with comparison table, ATK taxonomy, usage examples, integrations
+- `.npmignore` cleanup for smaller package
+## [0.7.6] — 2026-05-10
+- **GitHub Action** (`action.yml`) — scan on push/PR with lockfile or package mode, fail-on severity threshold, SIEM/SBOM output support
+- **28 comprehensive tests** covering SIEM exporters (CEF, ECS, Sentinel, QRadar), EU CRA compliance, SBOM (CycloneDX + SPDX), License key gen/validation/edition/tamper/expiry, Report/NIST (HTML, SR-series table, severity badges, all 11 ATK IDs)
+- Fix tampered key test determinism
+## [0.7.5] — 2026-05-10
+- Add Elastic ECS, Microsoft Sentinel, and IBM QRadar SIEM exporters
+## [0.7.4] — 2026-05-10
+- Version bump only; no functional changes
+## [0.7.3] — 2026-05-10
+- Version bump only; no functional changes
+## [0.7.2] — 2026-05-10
+- Fix duplicate Enterprise Features section in README
+## [0.7.1] — 2026-05-10
+- Add SAML SSO and REST API sections to README
+## [0.7.0] — 2026-05-10
+- **Enterprise SAML SSO integration**
+## [0.6.0] — 2026-05-10
+- **License key enforcement** — HMAC-signed keys with community/premium/enterprise editions
+- Feature gating for SIEM, CRA, REST API, Helm, PostgreSQL backend, SSO, audit logs
+- **PostgreSQL schema** — teams, users, RBAC, audit log, webhooks, API keys, materialized `package_risk` view
+- **FastAPI REST API** — scan/list/retrieve endpoints, webhook CRUD with HMAC-signed dispatch
+- **Webhook engine** — event dispatch with retry, signature verification header
+- **Helm chart** — API + worker + PostgreSQL deployments, secrets, ingress, PVC
+- CLI hardened: premium features blocked without valid license key
+## [0.5.0] — 2026-05-10
+- **ATK-011 (Transitive Propagation)** detector
+- **SIEM CEF export** for Splunk and ArcSight integration
+- **EU CRA compliance report** — EU Cyber Resilience Act readiness assessment
+- Phase 3 enterprise foundation
+## [0.4.1] — 2026-05-10
+- Update README for Phase 3 (ATK-011, SIEM, CRA)
+## [0.4.0] — 2026-05-10
+- **ATK-008 (Tarball Tampering)**, **ATK-009 (Dormant Trigger)**, **ATK-010 (Sandbox Evasion)** detectors
+- **SPDX 2.3 SBOM** support alongside CycloneDX
+- **NIST SP 800-161 compliance report** — supply chain risk management controls
+- Sandbox threat model and gVisor isolation strategy
+## [0.3.3] — 2026-05-10
+- Fix report HTML/SBOM generation to use `atk_id`, description, package name, dynamic version
+## [0.3.2] — 2026-05-10
+- Update README for Phase 2 (ATK-008–010, SPDX, NIST)
+## [0.3.1] — 2026-05-10
+- Fix schema literal newlines
+- Fix CLI SBOM defaults
+- Fix SBOM finding IDs
+## [0.3.0] — 2026-05-10
+- **ATK-001 (Lifecycle Script)** detector — detects `preinstall`, `postinstall`, `preuninstall` hooks with suspicious commands
+- **ATK-002 (Obfuscated Payload)** detector — hex/base64/decode-driven eval, regex obfuscation
+- **ATK-003 (Credential Harvester)** detector — env var exfiltration, filesystem credential scraping
+- **ATK-004 (Persistence Mechanism)** detector — cron jobs, startup scripts, `postinstall` service installs
+- **ATK-005 (Data Exfiltration)** detector — DNS tunneling, HTTP beaconing, unexpected network calls
+- **ATK-006 (Dependency Confusion)** detector — internal package name heuristics
+- **ATK-007 (Typosquatting)** detector — edit-distance based package name similarity
+## [0.2.5] — 2026-05-10
+- Fix `.npmignore` to exclude corpus tarballs from published package
+## [0.2.4] — 2026-05-10
+- Version bump only; no functional changes
+## [0.2.2] — 2026-05-10
+- **Corpus test suite** — 50 clean packages (0% FP) + 22 malicious PoC (100% detect rate)
+- **HTML report generator** with CLI `--html` flag
+- ATK-007 edit-distance typosquatting implementation
+- Switch from `adm-zip` to `tar` for tgz extraction
+- ATK detectors hardened for fewer false positives
+- `README.md`, `.gitignore`, corpus download scripts
+- **Phase 1 exit**: FP < 2%, passes unit tests + corpus
+## [0.2.1] — 2026-05-10
+- Version bump only; no functional changes
+## [0.2.0] — 2026-05-10
+- **Commander.js CLI** with `scan`, `scan-lockfile`, `report` commands
+- **ATK-001–007 detector stubs** via `backend/detectors/index.js` (`runAll`)
+- **SQLite persistence** via `better-sqlite3` — scan auto-save, report by ID/recent
+- **CycloneDX SBOM** — JSON and XML output with ATK vulnerability references
+- `.github/workflows/scan.yml` — GitHub Action example for PR scanning
+- Dependencies: `commander`, `adm-zip`, `acorn`, `node-fetch`
+## [0.1.0] — 2026-05-09
+- **Initial foundation**
+- Monorepo structure (`cli/`, `backend/`, `docker/`, `docs/`)
+- `LICENSING.md` — Apache-2.0 core + Commons Clause for premium features
+- `CONTRIBUTING.md`
+- `docs/attack-taxonomy.md` — ATK-001 through ATK-011 stubs
+- `backend/license.js` skeleton for HMAC-signed license key gating
+- `backend/db/schema.sql`
+- `docker/Dockerfile.cli` + `docker-compose.yml`
+- npm scripts (lint, test stubs)
+- `.github/workflows/ci.yml`
+- `AGENTS.md` — project instructions

package/README.de.md CHANGED Viewed

@@ -108,6 +108,25 @@ Kein Node.js. Kein `npm install`. Keine globalen Pakete. Funktioniert auf jedem
 ---
+## 🛡️ Behörden- & SOC 2 L2-bereit
+| Funktion | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+|----------|-------|--------------|--------------|
+| Audit-Protokolle (--audit-log) | CC6.8 | AU-2 | ✓ |
+| FIPS-Krypto (--fips) | CC6.1 | SC-13 | ✓ |
+| STIG-Bericht (--stig) | CC7.3 | RA-5 | ✓ |
+| Offline-Cache (--cache-dir) | A1.2 | SC-8 | ✓ |
+| Sigstore-Herleitung | CC6.2 | SI-7 | ✓ |
+| SBOM (SPDX/CycloneDX) | CC7.4 | SA-10 | ✓ |
+```bash
+# Vollständig konformer Scan in luftdichten Umgebungen
+npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.audit --fips
+npm-scan report --stig
+```
+---
 ## 📖 Verwendungsbeispiele
 ### Ein einzelnes Paket scannen
@@ -123,6 +142,9 @@ npm-scan scan express --sbom spdx        # SPDX 2.3
 # Eine YAML-Policy anwenden
 npm-scan scan some-package --policy .npm-scan.yml
+# Lokales Tarball scannen (kein Registry-Abruf nötig)
+npm-scan scan --file path/to/malicious-package.tgz
 ```
 ### Eine Lock-Datei scannen
@@ -133,6 +155,18 @@ npm-scan scan-lockfile
 # Eine bestimmte Lock-Datei scannen
 npm-scan scan-lockfile -f ./path/to/package-lock.json
+# CI/CD bei hohen oder kritischen Problemen fehlschlagen (Exit-Code 1)
+npm-scan scan-lockfile --fail-on high
+# Bei allen Erkenntnissen fehlschlagen (low und höher)
+npm-scan scan-lockfile --fail-on low
+# SARIF v2.1-Ausgabe für GitHub Advanced Security / VS Code generieren
+npm-scan scan-lockfile --sarif results.sarif
+# Nur Risiko-Score ausgeben (0-10) für Dashboards/Schwellenwerte
+npm-scan scan-lockfile --score-only
 ```
 ### Berichte generieren
@@ -153,6 +187,10 @@ npm-scan report -i 42 --nist
 # EU-CRA-Compliance-Tabelle ausgeben
 npm-scan report --cra
+# CSV-Export für Excel / Sheets (audit-bereit)
+npm-scan report --csv risks.csv
+npm-scan scan lodash --csv          # CSV nach stdout
 # Textbericht (kostenlos)
 npm-scan report --text
@@ -576,6 +614,7 @@ node --test test/detectors-corpus.test.js
 ### Hilfe benötigt?
+- 🔒 Siehe [Sicherheitsrichtlinie](SECURITY.md) für die Offenlegung von Schwachstellen
 - 📖 Lesen Sie den [Projektplan](docs/project-plan.md)
 - 🧬 Überprüfen Sie die [Angriffstaxonomie](docs/attack-taxonomy.md)
 - 🐛 Öffnen Sie ein Issue oder PR
@@ -587,6 +626,19 @@ node --test test/detectors-corpus.test.js
 Apache-2.0 Core + Commons Clause.
 Siehe [`LICENSING.md`](LICENSING.md) für die genaue Grenze zwischen kostenlosen und Premium-Funktionen.
+---
+## 👤 Über den Maintainer
+**Roongrunchai Chongolnee** — Ersteller und Maintainer von `@lateos/npm-scan`. Zertifizierter Sicherheitsexperte (CISSP, CEH, Cisco Security, AWS Cloud Practitioner) mit einem Jahrzehnt Erfahrung in Infrastruktur- und Anwendungssicherheit bei Philips. Ich habe dieses Tool entwickelt, um der Open-Source-Community eine praktische, detektorgesteuerte Abwehr gegen Supply-Chain-Malware zu bieten — und ich bin bestrebt, es transparent, gemeinschaftseigen und kontinuierlich verbessert zu halten.
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/roongrunchai-chong-c-ab9742108/)
+[![GitHub](https://img.shields.io/badge/GitHub-lateos--ai-181717?style=flat-square&logo=github)](https://github.com/lateos-ai/npm-scan)
+Issues, Ideen und Pull-Requests sind immer willkommen — Sicherheit ist am stärksten, wenn wir zusammenarbeiten.
+---
 ```
 @lateos/npm-scan — npm supply chain security scanner
 Copyright (C) 2026 Lateos

package/README.fr.md CHANGED Viewed

@@ -108,6 +108,25 @@ Pas de Node.js. Pas de `npm install`. Pas de paquets globaux. Fonctionne sur tou
 ---
+## 🛡️ Prêt pour le Gouvernement et SOC 2 L2
+| Fonctionnalité | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+|----------------|-------|--------------|--------------|
+| Journaux d'audit (--audit-log) | CC6.8 | AU-2 | ✓ |
+| Crypto FIPS (--fips) | CC6.1 | SC-13 | ✓ |
+| Rapport STIG (--stig) | CC7.3 | RA-5 | ✓ |
+| Cache hors ligne (--cache-dir) | A1.2 | SC-8 | ✓ |
+| Provenance Sigstore | CC6.2 | SI-7 | ✓ |
+| SBOM (SPDX/CycloneDX) | CC7.4 | SA-10 | ✓ |
+```bash
+# Scan conforme en environnement hermétique
+npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.audit --fips
+npm-scan report --stig
+```
+---
 ## 📖 Exemples d'utilisation
 ### Scanner un seul paquet
@@ -123,6 +142,9 @@ npm-scan scan express --sbom spdx        # SPDX 2.3
 # Appliquer une politique YAML
 npm-scan scan some-package --policy .npm-scan.yml
+# Scanner un fichier tarball local (pas de téléchargement depuis le registre)
+npm-scan scan --file path/to/malicious-package.tgz
 ```
 ### Scanner un fichier de verrouillage
@@ -133,6 +155,18 @@ npm-scan scan-lockfile
 # Scanner un fichier de verrouillage spécifique
 npm-scan scan-lockfile -f ./path/to/package-lock.json
+# Échouer en CI/CD sur les découvertes de severity haute ou critique (code de sortie 1)
+npm-scan scan-lockfile --fail-on high
+# Échouer sur toute découverte (low et au-delà)
+npm-scan scan-lockfile --fail-on low
+# Générer une sortie SARIF v2.1 pour GitHub Advanced Security / VS Code
+npm-scan scan-lockfile --sarif results.sarif
+# Afficher uniquement le score de risque (0-10) pour les tableaux de bord/seuils
+npm-scan scan-lockfile --score-only
 ```
 ### Générer des rapports
@@ -153,6 +187,10 @@ npm-scan report -i 42 --nist
 # Afficher le tableau de conformité EU CRA
 npm-scan report --cra
+# Export CSV pour Excel / Sheets (prêt pour audit)
+npm-scan report --csv risks.csv
+npm-scan scan lodash --csv          # CSV vers stdout
 # Rapport texte (gratuit)
 npm-scan report --text
@@ -576,6 +614,7 @@ node --test test/detectors-corpus.test.js
 ### Besoin d'aide ?
+- 🔒 Voir la [politique de sécurité](SECURITY.md) pour la divulgation des vulnérabilités
 - 📖 Lire le [plan du projet](docs/project-plan.md)
 - 🧬 Consulter la [taxonomie des attaques](docs/attack-taxonomy.md)
 - 🐛 Ouvrir une issue ou une PR
@@ -587,6 +626,19 @@ node --test test/detectors-corpus.test.js
 Apache-2.0 core + Commons Clause.
 Voir [`LICENSING.md`](LICENSING.md) pour la limite exacte entre les fonctionnalités gratuites et premium.
+---
+## 👤 À propos du mainteneur
+**Roongrunchai Chongolnee** — créateur et mainteneur de `@lateos/npm-scan`. Professionnel de la sécurité certifié (CISSP, CEH, Cisco Security, AWS Cloud Practitioner) avec une décennie d'expérience en sécurité des infrastructures et des applications chez Philips. J'ai construit cet outil pour offrir à la communauté open-source une défense pratique et pilotée par des détecteurs contre les logiciels malveillants de la chaîne d'approvisionnement — et je m'engage à le maintenir transparent, détenu par la communauté et en amélioration continue.
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/roongrunchai-chong-c-ab9742108/)
+[![GitHub](https://img.shields.io/badge/GitHub-lateos--ai-181717?style=flat-square&logo=github)](https://github.com/lateos-ai/npm-scan)
+Les issues, idées et pull requests sont toujours les bienvenus — la sécurité est plus forte quand nous collaborons.
+---
 ```
 @lateos/npm-scan — npm supply chain security scanner
 Copyright (C) 2026 Lateos

package/README.ja.md CHANGED Viewed

@@ -108,6 +108,25 @@ Node.js不要。`npm install`不要。グローバルパッケージ不要。Doc
 ---
+## 🛡️ 政府機関・SOC 2 L2 対応
+| 機能 | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+|------|-------|--------------|--------------|
+| 監査ログ (--audit-log) | CC6.8 | AU-2 | ✓ |
+| FIPS暗号化 (--fips) | CC6.1 | SC-13 | ✓ |
+| STIGレポート (--stig) | CC7.3 | RA-5 | ✓ |
+| オフラインキャッシュ (--cache-dir) | A1.2 | SC-8 | ✓ |
+| Sigstoreプロvenes | CC6.2 | SI-7 | ✓ |
+| SBOM (SPDX/CycloneDX) | CC7.4 | SA-10 | ✓ |
+```bash
+# エアギャップ環境での完全なコンプライアンススキャンを実行
+npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.audit --fips
+npm-scan report --stig
+```
+---
 ## 📖 使用例
 ### 単一パッケージのスキャン
@@ -123,6 +142,9 @@ npm-scan scan express --sbom spdx        # SPDX 2.3
 # YAMLポリシーを適用
 npm-scan scan some-package --policy .npm-scan.yml
+# ローカルtarballをスキャン（レジストリからの取得不要）
+npm-scan scan --file path/to/malicious-package.tgz
 ```
 ### ロックファイルのスキャン
@@ -133,6 +155,18 @@ npm-scan scan-lockfile
 # 特定のロックファイルをスキャン
 npm-scan scan-lockfile -f ./path/to/package-lock.json
+# 高重大または致命的な問題でCI/CDを失敗させる（終了コード1）
+npm-scan scan-lockfile --fail-on high
+# 任何の発見項目でビルドを失敗させる（low以上）
+npm-scan scan-lockfile --fail-on low
+# SARIF v2.1出力を生成（GitHub Advanced Security / VS Code向け）
+npm-scan scan-lockfile --sarif results.sarif
+# リスクスコアのみを出力（0-10）（ダッシュボード/閾値向け）
+npm-scan scan-lockfile --score-only
 ```
 ### レポートの生成
@@ -576,6 +610,7 @@ node --test test/detectors-corpus.test.js
 ### ヘルプが必要ですか？
+- 🔒 [セキュリティポリシー](SECURITY.md)で脆弱性の開示方法を確認
 - 📖 [プロジェクト計画](docs/project-plan.md)を読む
 - 🧬 [攻撃分類](docs/attack-taxonomy.md)を確認
 - 🐛 IssueまたはPRを開く
@@ -587,6 +622,19 @@ node --test test/detectors-corpus.test.js
 Apache-2.0コア＋Commons Clause。
 無料版とプレミアム版機能の正確な境界については[`LICENSING.md`](LICENSING.md)を参照してください。
+---
+## 👤 メンテナーについて
+**Roongrunchai Chongolnee** — `@lateos/npm-scan` の作成者兼メンテナー。CISSP、CEH、Cisco Security、AWS Cloud Practitioner の認定を持つセキュリティ専門家で、Philips で10年間のインフラおよびアプリケーションセキュリティの経験があります。このツールは、オープンソースコミュニティに実用的で検出器駆動型のサプライチェーン型マルウェア防御を提供するために構築しました。透明性、コミュニティ所有、継続的改善に取り組んでいます。
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/roongrunchai-chong-c-ab9742108/)
+[![GitHub](https://img.shields.io/badge/GitHub-lateos--ai-181717?style=flat-square&logo=github)](https://github.com/lateos-ai/npm-scan)
+Issue、アイデア、PRはいつでも歓迎します——セキュリティは協力によって最も強力になります。
+---
 ```
 @lateos/npm-scan — npm supply chain security scanner
 Copyright (C) 2026 Lateos

package/README.md CHANGED Viewed

@@ -107,17 +107,25 @@ No Node.js. No `npm install`. No global packages. Works on any system with Docke
 ---
-## 🐳 Run @lateos/npm-scan anywhere with Docker — zero installation
+## 🛡️ Government & SOC 2 L2 Ready
-```bash
-# Pull and run a single scan — no Node.js or npm required
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+| Feature | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+|---------|-------|--------------|--------------|
+| Audit logs (--audit-log) | CC6.8 | AU-2 | ✓ |
+| FIPS crypto (--fips) | CC6.1 | SC-13 | ✓ |
+| STIG report (--stig) | CC7.3 | RA-5 | ✓ |
+| Offline cache (--cache-dir) | A1.2 | SC-8 | ✓ |
+| Sigstore provenance | CC6.2 | SI-7 | ✓ |
+| SBOM (SPDX/CycloneDX) | CC7.4 | SA-10 | ✓ |
-# Full pipeline with persistent storage and Compose
-docker compose --profile pipeline up -d
+```bash
+# Air-gapped scan with full compliance
+npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.audit --fips
+npm-scan report --stig
 ```
-No Node.js. No `npm install`. No global packages. Works on any system with Docker — CI servers, air-gapped environments, Kubernetes clusters. Multi-arch images for `linux/amd64` and `linux/arm64`.
+[![SOC 2 L2](https://img.shields.io/badge/SOC%202-L2-green?style=flat-square&logo=aicpa)](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html)
+[![FedRAMP](https://img.shields.io/badge/FedRAMP-Moderate-blue?style=flat-square)](https://fedramp.gov/)
 ---
@@ -136,6 +144,9 @@ npm-scan scan express --sbom spdx        # SPDX 2.3
 # Apply a YAML policy
 npm-scan scan some-package --policy .npm-scan.yml
+# Scan a local tarball (no registry fetch needed)
+npm-scan scan --file path/to/malicious-package.tgz
 ```
 ### Scan a lockfile
@@ -146,6 +157,18 @@ npm-scan scan-lockfile
 # Scan a specific lockfile
 npm-scan scan-lockfile -f ./path/to/package-lock.json
+# Fail CI/CD on high or critical findings (exit code 1)
+npm-scan scan-lockfile --fail-on high
+# Fail on any findings (low and above)
+npm-scan scan-lockfile --fail-on low
+# Generate SARIF v2.1 output for GitHub Advanced Security / VS Code
+npm-scan scan-lockfile --sarif results.sarif
+# Output only risk score (0-10) for dashboards/thresholds
+npm-scan scan-lockfile --score-only
 ```
 ### Generate reports
@@ -166,6 +189,10 @@ npm-scan report -i 42 --nist
 # Print EU CRA compliance table
 npm-scan report --cra
+# CSV export for Excel / Sheets (audit-ready)
+npm-scan report --csv risks.csv
+npm-scan scan lodash --csv          # CSV to stdout
 # Text report (free)
 npm-scan report --text
@@ -589,6 +616,7 @@ node --test test/detectors-corpus.test.js
 ### Need help?
+- 🔒 See [security policy](SECURITY.md) for vulnerability disclosure
 - 📖 Read the [project plan](docs/project-plan.md)
 - 🧬 Review the [attack taxonomy](docs/attack-taxonomy.md)
 - 🐛 Open an issue or PR
@@ -600,6 +628,19 @@ node --test test/detectors-corpus.test.js
 Apache-2.0 core + Commons Clause.
 See [`LICENSING.md`](LICENSING.md) for the exact boundary between free and premium features.
+---
+## 👤 About the Maintainer
+**Roongrunchai Chongolnee** — creator and maintainer of `@lateos/npm-scan`. Certified security professional (CISSP, CEH, Cisco Security, AWS Cloud Practitioner) with a decade of infrastructure and application security experience at Philips. I built this tool to give the open-source community a practical, detector-driven defense against supply-chain malware — and I'm committed to keeping it transparent, community-owned, and continuously improved.
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/roongrunchai-chong-c-ab9742108/)
+[![GitHub](https://img.shields.io/badge/GitHub-lateos--ai-181717?style=flat-square&logo=github)](https://github.com/lateos-ai/npm-scan)
+Issues, ideas, and pull requests are always welcome — security is strongest when we collaborate.
+---
 ```
 @lateos/npm-scan — npm supply chain security scanner
 Copyright (C) 2026 Lateos

package/README.zh.md CHANGED Viewed

@@ -108,6 +108,25 @@ docker compose --profile pipeline up -d
 ---
+## 🛡️ 政府与 SOC 2 L2 就绪
+| 功能 | SOC 2 | NIST 800-161 | STIG/FedRAMP |
+|------|-------|--------------|--------------|
+| 审计日志 (--audit-log) | CC6.8 | AU-2 | ✓ |
+| FIPS 加密 (--fips) | CC6.1 | SC-13 | ✓ |
+| STIG 报告 (--stig) | CC7.3 | RA-5 | ✓ |
+| 离线缓存 (--cache-dir) | A1.2 | SC-8 | ✓ |
+| Sigstore 溯源 | CC6.2 | SI-7 | ✓ |
+| SBOM (SPDX/CycloneDX) | CC7.4 | SA-10 | ✓ |
+```bash
+# 气隙环境下的完整合规扫描
+npm-scan scan-lockfile --cache-dir /offline/cache --audit-log /var/log/npm-scan.audit --fips
+npm-scan report --stig
+```
+---
 ## 📖 使用示例
 ### 扫描单个包
@@ -123,6 +142,9 @@ npm-scan scan express --sbom spdx        # SPDX 2.3
 # 应用 YAML 策略
 npm-scan scan some-package --policy .npm-scan.yml
+# 扫描本地 tarball（无需从注册表获取）
+npm-scan scan --file path/to/malicious-package.tgz
 ```
 ### 扫描锁定文件
@@ -133,6 +155,18 @@ npm-scan scan-lockfile
 # 扫描特定锁定文件
 npm-scan scan-lockfile -f ./path/to/package-lock.json
+# 在高危或严重问题时使 CI/CD 失败（退出码 1）
+npm-scan scan-lockfile --fail-on high
+# 任何发现项都使构建失败（low 及以上）
+npm-scan scan-lockfile --fail-on low
+# 生成 SARIF v2.1 输出，用于 GitHub Advanced Security / VS Code
+npm-scan scan-lockfile --sarif results.sarif
+# 仅输出风险分数（0-10）用于仪表板/阈值
+npm-scan scan-lockfile --score-only
 ```
 ### 生成报告
@@ -153,6 +187,10 @@ npm-scan report -i 42 --nist
 # 打印 EU CRA 合规表格
 npm-scan report --cra
+# CSV 导出用于 Excel / Sheets（审计就绪）
+npm-scan report --csv risks.csv
+npm-scan scan lodash --csv          # CSV 输出到标准输出
 # 文本报告（免费）
 npm-scan report --text
@@ -576,6 +614,7 @@ node --test test/detectors-corpus.test.js
 ### 需要帮助？
+- 🔒 查看[安全策略](SECURITY.md)了解漏洞披露流程
 - 📖 阅读[项目计划](docs/project-plan.md)
 - 🧬 查看[攻击分类](docs/attack-taxonomy.md)
 - 🐛 提交 issue 或 PR
@@ -587,6 +626,19 @@ node --test test/detectors-corpus.test.js
 Apache-2.0 核心 + Commons Clause。
 请参阅 [`LICENSING.md`](LICENSING.md) 了解免费版和高级版功能之间的确切界限。
+---
+## 👤 关于维护者
+**Roongrunchai Chongolnee** — `@lateos/npm-scan` 的创建者和维护者。持有 CISSP、CEH、思科安全、AWS 云从业者认证的安全专业人士，在飞利浦拥有十年的基础设施和应用安全经验。我构建这个工具是为了让开源社区拥有一个实用、检测器驱动的供应链恶意软件防御方案——我致力于保持其透明、社区拥有和持续改进。
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/roongrunchai-chong-c-ab9742108/)
+[![GitHub](https://img.shields.io/badge/GitHub-lateos--ai-181717?style=flat-square&logo=github)](https://github.com/lateos-ai/npm-scan)
+欢迎提交 issue、想法和 PR——安全在协作中最强大。
+---
 ```
 @lateos/npm-scan — npm supply chain security scanner
 Copyright (C) 2026 Lateos

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,73 @@
+# Security Policy
+## Supported Versions
+Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
+```bash
+npm update -g @lateos/npm-scan
+```
+| Version | Supported |
+|---------|-----------|
+| 0.9.x   | ✅ Active |
+| < 0.9   | ❌       |
+## Reporting a Vulnerability
+Use **GitHub Private Vulnerability Reporting**:
+1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
+2. Describe the vulnerability in detail (ideally with a proof of concept)
+3. Allow **72 hours** for an initial acknowledgment
+For encrypted follow-up outside of GitHub, use our PGP key:
+```
+Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
+Key ID:      1F7C557B
+Email:       leo@lateos.ai
+```
+## Scope
+**In scope:**
+- Detector logic (ATK-001 through ATK-011)
+- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
+- CI/CD pipeline and publish process (provenance bypass, supply chain)
+- Configuration injection via `policy.yaml` or command-line flags
+**Out of scope:**
+- CVEs in third-party dependencies — report upstream
+- Vulnerabilities in the npm registry itself — report to npm
+- Malicious packages detected by the scanner (that's working as designed)
+## Security Practices
+`@lateos/npm-scan` follows these practices to protect its own supply chain:
+- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
+- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
+- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
+- **2FA** enforced on the npm publisher account
+- **Docker multi-arch images** signed and pushed via CI, not manually
+- **All code public** — no security-by-obscurity
+## Self-Scanning
+As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
+```bash
+npx @lateos/npm-scan scan-lockfile --fail-on medium
+```
+If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
+## Safe Harbor
+We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
+- Report vulnerabilities through GitHub Private Vulnerability Reporting
+- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
+- Do not exploit the vulnerability beyond demonstrating it
+- Act in good faith to improve the security of the project

package/backend/fetch.js CHANGED Viewed

@@ -6,7 +6,18 @@ import zlib from 'zlib';
 import { Readable } from 'stream';
 import { pipeline } from 'stream/promises';
-export async function fetchPackage(target) {
+export async function fetchPackage(target, options = {}) {
+  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
+  // Check cache if enabled
+  if (cacheDir) {
+    const cached = getFromCache(cacheDir, target, cacheTTL);
+    if (cached) {
+      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
+      return { ...(await extractTarball(cached, tmpDir)), meta: null };
+    }
+  }
   const metaRes = await fetch(`https://registry.npmjs.org/${target}/latest`);
   const meta = await metaRes.json();
@@ -19,7 +30,95 @@ export async function fetchPackage(target) {
   const buffer = Buffer.from(await tarRes.arrayBuffer());
   if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
+  // Save to cache if enabled
+  if (cacheDir) {
+    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
+  }
   const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
+  return { ...(await extractTarball(buffer, tmpDir)), meta };
+}
+function getFromCache(cacheDir, target, ttl) {
+  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
+  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
+  try {
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
+    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+    const age = (Date.now() - meta.timestamp) / 1000;
+    if (age > ttl) {
+      fs.unlinkSync(cachePath);
+      fs.unlinkSync(metaPath);
+      return null;
+    }
+    return fs.readFileSync(cachePath);
+  } catch {
+    return null;
+  }
+}
+function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
+  try {
+    if (!fs.existsSync(cacheDir)) {
+      fs.mkdirSync(cacheDir, { recursive: true });
+    }
+    // Prune if needed
+    pruneCache(cacheDir, maxSize);
+    const safeName = target.replace('/', '-');
+    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
+    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
+    fs.writeFileSync(cachePath, buffer);
+    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
+  } catch (e) {
+    // Cache write failure - continue without caching
+  }
+}
+function pruneCache(cacheDir, maxSize) {
+  try {
+    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    let totalSize = 0;
+    const fileInfos = [];
+    for (const f of files) {
+      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
+      const tarFile = f.replace('.meta.json', '.tgz');
+      const size = meta.size || 0;
+      totalSize += size;
+      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
+    }
+    if (totalSize > maxSize) {
+      // Sort by oldest first and remove until under limit
+      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
+      for (const info of fileInfos) {
+        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        try {
+          fs.unlinkSync(path.join(cacheDir, info.tarFile));
+          fs.unlinkSync(path.join(cacheDir, info.metaFile));
+          totalSize -= info.size;
+        } catch {}
+      }
+    }
+  } catch {
+    // Prune failure - ignore
+  }
+}
+export async function scanLocalTarball(filePath) {
+  const buffer = fs.readFileSync(filePath);
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
+  return await extractTarball(buffer, tmpDir);
+}
+async function extractTarball(buffer, tmpDir) {
   fs.mkdirSync(tmpDir, { recursive: true });
   const stream = Readable.from(buffer);

package/backend/report.js CHANGED Viewed

@@ -155,4 +155,101 @@ function generateNistTable(scans) {
 <thead><tr><th>NIST Control</th><th>Control Title</th><th>Status</th><th>ATK ID</th></tr></thead>
 <tbody>${rows}</tbody>
 </table>`;
+}
+export function generateSARIF(scan, format = 'json') {
+  const findings = scan.findings || [];
+  const runs = [{
+    tool: {
+      driver: {
+        name: 'npm-scan',
+        version: '0.9.7',
+        informationUri: 'https://github.com/lateos-ai/npm-scan',
+        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
+          id,
+          name: `ATK-${id.replace('ATK-', '')}`,
+          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
+          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
+          defaultConfiguration: { enabled: true }
+        }))
+      }
+    },
+    results: findings.map(f => {
+      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+      return {
+        ruleId: f.id,
+        level: severityMap[f.severity] || 'note',
+        message: { text: f.description || f.title },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: f.evidence || 'unknown' },
+            region: { startLine: 1, startColumn: 1 }
+          }
+        }]
+      };
+    })
+  }];
+  const sarif = {
+    version: '2.1.0',
+    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs
+  };
+  return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
+}
+export function generateCSV(scans) {
+  const headers = 'id,severity,title,description,evidence,package_name,version\n';
+  const rows = (scans || []).flatMap(s =>
+    (s.findings || []).map(f => [
+      f.id,
+      f.severity || '',
+      (f.title || '').replace(/,/g, ';'),
+      (f.description || '').replace(/,/g, ';'),
+      (f.evidence || '').replace(/,/g, ';'),
+      s.package_name || '',
+      s.version || ''
+    ].join(','))
+  ).join('\n');
+  return headers + rows;
+}
+export function calculateRiskScore(findings, totalPackages = 1) {
+  const weights = { low: 1, medium: 3, high: 7, critical: 10 };
+  const rawScore = findings.reduce((sum, f) => sum + (weights[f.severity] || 0), 0) / totalPackages;
+  return Math.min(rawScore, 10).toFixed(1);
+}
+const STIG_MAP = {
+  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
+  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
+  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
+  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
+  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
+  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
+  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
+  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
+  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
+  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
+  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
+};
+export function generateSTIG(scans) {
+  const rows = [];
+  for (const [stigId, info] of Object.entries(STIG_MAP)) {
+    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
+    const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
+    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
+    rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
+  }
+  return `# STIG Compliance Report
+Generated: ${new Date().toISOString()}
+| STIG ID | Control Title | Status | Findings |
+|---------|--------------|--------|----------|
+${rows.join('\n')}
+---
+*This report maps application security controls to DISA STIG requirements.*`;
 }

package/cli/cli.js CHANGED Viewed

@@ -15,51 +15,124 @@ function requirePremium(feature, licenseKey) {
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.9.0');
+  .version('0.9.7');
 program
   .command('scan')
   .description('Scan a package')
-  .argument('<target>', 'package name')
+  .argument('[target]', 'package name')
+  .option('-f, --file <path>', 'local tarball path')
   .option('-l, --license-key <key>', 'Premium license')
   .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)')
   .option('-p, --policy <path>', 'Policy file (YAML/JSON)')
+  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
+  .option('--csv [file]', 'Output CSV format to file or stdout')
+  .option('--score-only', 'Output only the risk score (0-10)')
+  .option('--audit-log <file>', 'Append scan record to immutable audit log (JSONL format)')
+  .option('--fips', 'Enable FIPS 140-2/3 crypto mode (requires FIPS-enabled Node.js)')
+  .option('--cache-dir <path>', 'Cache directory for offline/air-gapped scans')
+  .option('--cache-ttl <seconds>', 'Cache TTL in seconds (default: 604800 = 7 days)', '604800')
+  .option('--cache-size <bytes>', 'Max cache size in bytes (default: 1GB)', '1000000000')
   .action(async (target, options) => {
     try {
+      if (options.fips) {
+        process.env.NODE_OPTIONS = (process.env.NODE_OPTIONS || '') + ' --enable-fips';
+      }
+      const fetchOptions = {
+        cacheDir: options.cacheDir,
+        cacheTTL: parseInt(options.cacheTtl || '604800'),
+        cacheMaxSize: parseInt(options.cacheSize || '1000000000')
+      };
+      if (!target && !options.file) {
+        console.error('Error: specify a package name or --file <path>');
+        process.exit(1);
+      }
       const policy = options.policy
         ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
         : null;
       if (policy) {
         const { isAllowed } = await import('../backend/policy.js');
-        if (isAllowed(target, policy)) {
+        if (target && isAllowed(target, policy)) {
           console.log(JSON.stringify({ scanId: null, findings: [], skipped: true, reason: `Package '${target}' is in policy allowlist` }));
           return;
         }
       }
-      const { pkgJson, jsFiles, tmpDir } = await import('../backend/fetch.js').then(m => m.fetchPackage(target));
+      const { pkgJson, jsFiles, tmpDir } = options.file
+        ? await import('../backend/fetch.js').then(m => m.scanLocalTarball(options.file))
+        : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
+      const pkgName = target || pkgJson.name || 'unknown';
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
       const { saveScan } = await import('../backend/db.js');
-      const scanId = await saveScan(target, 'latest', findings);
+      const scanId = await saveScan(pkgName, 'latest', findings);
       let outputFindings = findings;
       let blocked = false;
       if (policy) {
         const { applyPolicy } = await import('../backend/policy.js');
-        const result = applyPolicy(findings, target, policy);
+        const result = applyPolicy(findings, pkgName, policy);
         outputFindings = result.findings;
         blocked = result.blocked;
       }
-      if (options.sbom) {
+      const { calculateRiskScore } = await import('../backend/report.js');
+      const riskScore = calculateRiskScore(outputFindings);
+      if (options.scoreOnly) {
+        console.log(riskScore);
+        import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
+        return;
+      }
+      if (options.sarif) {
+        const { generateSARIF } = await import('../backend/report.js');
+        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const sarifOutput = generateSARIF(scan);
+        if (options.sarif === true || !options.sarif) {
+          console.log(sarifOutput);
+        } else {
+          const { writeFileSync } = await import('fs');
+          writeFileSync(options.sarif, sarifOutput);
+          console.log(`SARIF output written to ${options.sarif}`);
+        }
+      } else if (options.csv) {
+        const { generateCSV } = await import('../backend/report.js');
+        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const csvOutput = generateCSV([scan]);
+        if (options.csv === true || !options.csv) {
+          console.log(csvOutput);
+        } else {
+          const { writeFileSync } = await import('fs');
+          writeFileSync(options.csv, csvOutput);
+          console.log(`CSV output written to ${options.csv}`);
+        }
+      } else if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
-        const pkg = { name: target, version: pkgJson.version || 'latest' };
+        const pkg = { name: pkgName, version: pkgJson.version || 'latest' };
         const sbom = generateSBOM(pkg, outputFindings, options.sbom === true ? 'json' : options.sbom);
         console.log(sbom);
       } else {
-        console.log(JSON.stringify({scanId, findings: outputFindings, blocked}, null, 2));
+        console.log(JSON.stringify({scanId, findings: outputFindings, blocked, riskScore}, null, 2));
+      }
+      if (options.auditLog) {
+        const { writeFileSync, appendFileSync } = await import('fs');
+        const entry = {
+          timestamp: new Date().toISOString(),
+          command: `scan ${target || options.file}`,
+          package: pkgName,
+          version: pkgJson.version || 'latest',
+          riskScore,
+          findingsCount: outputFindings.length,
+          exitCode: 0
+        };
+        appendFileSync(options.auditLog, JSON.stringify(entry) + '\n');
       }
       if (blocked) {
@@ -67,6 +140,16 @@ program
         process.exit(1);
       }
+      if (options.failOn !== 'none') {
+        const severityLevels = { low: 1, medium: 2, high: 3, critical: 4 };
+        const failLevel = severityLevels[options.failOn] || 0;
+        const hasBlockingFindings = outputFindings.some(f => (severityLevels[f.severity] || 0) >= failLevel);
+        if (hasBlockingFindings) {
+          console.error(`Fail: findings with severity >= ${options.failOn} detected`);
+          process.exit(1);
+        }
+      }
       import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
     } catch (e) {
       console.error(e.message);
@@ -78,6 +161,9 @@ program
   .command('scan-lockfile')
   .description('Scan package-lock.json')
   .option('-f, --file <path>', 'lockfile path', 'package-lock.json')
+  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option('--csv [file]', 'Output CSV format to file or stdout')
+  .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
   .action((options) => {
     console.log('Scanning lockfile:', options.file);
   });
@@ -89,8 +175,10 @@ program
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
   .option('--html', 'HTML report')
   .option('--text', 'Plain text report')
+  .option('--csv [file]', 'CSV export to file or stdout')
   .option('--nist', 'NIST 800-161 compliance report')
   .option('--cra', 'EU CRA compliance report')
+  .option('--stig', 'STIG compliance report (DISA SRG-APP)')
   .option('--siem <format>', 'SIEM format (cef|ecs|sentinel|qradar)')
   .option('--pdf', 'PDF report (premium)')
   .option('-o, --output <path>', 'Output file path')
@@ -133,6 +221,10 @@ program
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scan ? [scan] : []);
         console.log(html);
+      } else if (options.stig) {
+        const { generateSTIG } = await import('../backend/report.js');
+        const stig = generateSTIG(scan ? [scan] : []);
+        console.log(stig);
       } else {
         console.log(JSON.stringify(findings, null, 2));
       }
@@ -163,6 +255,10 @@ program
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scansWithFindings);
         console.log(html);
+      } else if (options.stig) {
+        const { generateSTIG } = await import('../backend/report.js');
+        const stig = generateSTIG(scansWithFindings);
+        console.log(stig);
       } else {
         console.log('Recent scans:', JSON.stringify(scans, null, 2));
       }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.9.6",
+  "version": "0.9.9",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {