@lateos/npm-scan 0.9.7 → 0.10.0

package/SECURITY.md

@@ -0,0 +1,73 @@
+# Security Policy
+
+## Supported Versions
+
+Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
+
+```bash
+npm update -g @lateos/npm-scan
+```
+
+| Version | Supported |
+|---------|-----------|
+| 0.9.x   | ✅ Active |
+| < 0.9   | ❌       |
+
+## Reporting a Vulnerability
+
+Use **GitHub Private Vulnerability Reporting**:
+
+1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
+2. Describe the vulnerability in detail (ideally with a proof of concept)
+3. Allow **72 hours** for an initial acknowledgment
+
+For encrypted follow-up outside of GitHub, use our PGP key:
+
+```
+Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
+Key ID:      1F7C557B
+Email:       leo@lateos.ai
+```
+
+## Scope
+
+**In scope:**
+- Detector logic (ATK-001 through ATK-011)
+- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
+- CI/CD pipeline and publish process (provenance bypass, supply chain)
+- Configuration injection via `policy.yaml` or command-line flags
+
+**Out of scope:**
+- CVEs in third-party dependencies — report upstream
+- Vulnerabilities in the npm registry itself — report to npm
+- Malicious packages detected by the scanner (that's working as designed)
+
+## Security Practices
+
+`@lateos/npm-scan` follows these practices to protect its own supply chain:
+
+- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
+- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
+- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
+- **2FA** enforced on the npm publisher account
+- **Docker multi-arch images** signed and pushed via CI, not manually
+- **All code public** — no security-by-obscurity
+
+## Self-Scanning
+
+As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
+
+```bash
+npx @lateos/npm-scan scan-lockfile --fail-on medium
+```
+
+If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
+
+## Safe Harbor
+
+We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
+
+- Report vulnerabilities through GitHub Private Vulnerability Reporting
+- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
+- Do not exploit the vulnerability beyond demonstrating it
+- Act in good faith to improve the security of the project

package/backend/fetch.js

@@ -6,7 +6,18 @@ import zlib from 'zlib';
 import { Readable } from 'stream';
 import { pipeline } from 'stream/promises';
 
-export async function fetchPackage(target) {
+export async function fetchPackage(target, options = {}) {
+  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
+  
+  // Check cache if enabled
+  if (cacheDir) {
+    const cached = getFromCache(cacheDir, target, cacheTTL);
+    if (cached) {
+      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
+      return { ...(await extractTarball(cached, tmpDir)), meta: null };
+    }
+  }
+
   const metaRes = await fetch(`https://registry.npmjs.org/${target}/latest`);
   const meta = await metaRes.json();
 
@@ -19,7 +30,95 @@ export async function fetchPackage(target) {
   const buffer = Buffer.from(await tarRes.arrayBuffer());
   if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
 
+  // Save to cache if enabled
+  if (cacheDir) {
+    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
+  }
+
   const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
+  return { ...(await extractTarball(buffer, tmpDir)), meta };
+}
+
+function getFromCache(cacheDir, target, ttl) {
+  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
+  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
+  
+  try {
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
+    
+    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+    const age = (Date.now() - meta.timestamp) / 1000;
+    
+    if (age > ttl) {
+      fs.unlinkSync(cachePath);
+      fs.unlinkSync(metaPath);
+      return null;
+    }
+    
+    return fs.readFileSync(cachePath);
+  } catch {
+    return null;
+  }
+}
+
+function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
+  try {
+    if (!fs.existsSync(cacheDir)) {
+      fs.mkdirSync(cacheDir, { recursive: true });
+    }
+    
+    // Prune if needed
+    pruneCache(cacheDir, maxSize);
+    
+    const safeName = target.replace('/', '-');
+    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
+    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
+    
+    fs.writeFileSync(cachePath, buffer);
+    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
+  } catch (e) {
+    // Cache write failure - continue without caching
+  }
+}
+
+function pruneCache(cacheDir, maxSize) {
+  try {
+    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    let totalSize = 0;
+    const fileInfos = [];
+    
+    for (const f of files) {
+      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
+      const tarFile = f.replace('.meta.json', '.tgz');
+      const size = meta.size || 0;
+      totalSize += size;
+      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
+    }
+    
+    if (totalSize > maxSize) {
+      // Sort by oldest first and remove until under limit
+      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
+      for (const info of fileInfos) {
+        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        try {
+          fs.unlinkSync(path.join(cacheDir, info.tarFile));
+          fs.unlinkSync(path.join(cacheDir, info.metaFile));
+          totalSize -= info.size;
+        } catch {}
+      }
+    }
+  } catch {
+    // Prune failure - ignore
+  }
+}
+
+export async function scanLocalTarball(filePath) {
+  const buffer = fs.readFileSync(filePath);
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
+  return await extractTarball(buffer, tmpDir);
+}
+
+async function extractTarball(buffer, tmpDir) {
   fs.mkdirSync(tmpDir, { recursive: true });
 
   const stream = Readable.from(buffer);

package/backend/report.js

@@ -155,4 +155,101 @@ function generateNistTable(scans) {
 <thead><tr><th>NIST Control</th><th>Control Title</th><th>Status</th><th>ATK ID</th></tr></thead>
 <tbody>${rows}</tbody>
 </table>`;
+}
+
+export function generateSARIF(scan, format = 'json') {
+  const findings = scan.findings || [];
+  const runs = [{
+    tool: {
+      driver: {
+        name: 'npm-scan',
+        version: '0.9.7',
+        informationUri: 'https://github.com/lateos-ai/npm-scan',
+        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
+          id,
+          name: `ATK-${id.replace('ATK-', '')}`,
+          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
+          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
+          defaultConfiguration: { enabled: true }
+        }))
+      }
+    },
+    results: findings.map(f => {
+      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+      return {
+        ruleId: f.id,
+        level: severityMap[f.severity] || 'note',
+        message: { text: f.description || f.title },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: f.evidence || 'unknown' },
+            region: { startLine: 1, startColumn: 1 }
+          }
+        }]
+      };
+    })
+  }];
+
+  const sarif = {
+    version: '2.1.0',
+    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs
+  };
+
+  return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
+}
+
+export function generateCSV(scans) {
+  const headers = 'id,severity,title,description,evidence,package_name,version\n';
+  const rows = (scans || []).flatMap(s => 
+    (s.findings || []).map(f => [
+      f.id,
+      f.severity || '',
+      (f.title || '').replace(/,/g, ';'),
+      (f.description || '').replace(/,/g, ';'),
+      (f.evidence || '').replace(/,/g, ';'),
+      s.package_name || '',
+      s.version || ''
+    ].join(','))
+  ).join('\n');
+  return headers + rows;
+}
+
+export function calculateRiskScore(findings, totalPackages = 1) {
+  const weights = { low: 1, medium: 3, high: 7, critical: 10 };
+  const rawScore = findings.reduce((sum, f) => sum + (weights[f.severity] || 0), 0) / totalPackages;
+  return Math.min(rawScore, 10).toFixed(1);
+}
+
+const STIG_MAP = {
+  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
+  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
+  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
+  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
+  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
+  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
+  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
+  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
+  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
+  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
+  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
+};
+
+export function generateSTIG(scans) {
+  const rows = [];
+  for (const [stigId, info] of Object.entries(STIG_MAP)) {
+    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
+    const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
+    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
+    rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
+  }
+  return `# STIG Compliance Report
+Generated: ${new Date().toISOString()}
+
+| STIG ID | Control Title | Status | Findings |
+|---------|--------------|--------|----------|
+${rows.join('\n')}
+
+---
+*This report maps application security controls to DISA STIG requirements.*`;
 }

package/cli/cli.js

@@ -15,51 +15,124 @@ function requirePremium(feature, licenseKey) {
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.9.0');
+  .version('0.9.7');
 
 program
   .command('scan')
   .description('Scan a package')
-  .argument('<target>', 'package name')
+  .argument('[target]', 'package name')
+  .option('-f, --file <path>', 'local tarball path')
   .option('-l, --license-key <key>', 'Premium license')
   .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)')
   .option('-p, --policy <path>', 'Policy file (YAML/JSON)')
+  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
+  .option('--csv [file]', 'Output CSV format to file or stdout')
+  .option('--score-only', 'Output only the risk score (0-10)')
+  .option('--audit-log <file>', 'Append scan record to immutable audit log (JSONL format)')
+  .option('--fips', 'Enable FIPS 140-2/3 crypto mode (requires FIPS-enabled Node.js)')
+  .option('--cache-dir <path>', 'Cache directory for offline/air-gapped scans')
+  .option('--cache-ttl <seconds>', 'Cache TTL in seconds (default: 604800 = 7 days)', '604800')
+  .option('--cache-size <bytes>', 'Max cache size in bytes (default: 1GB)', '1000000000')
   .action(async (target, options) => {
     try {
+      if (options.fips) {
+        process.env.NODE_OPTIONS = (process.env.NODE_OPTIONS || '') + ' --enable-fips';
+      }
+
+      const fetchOptions = {
+        cacheDir: options.cacheDir,
+        cacheTTL: parseInt(options.cacheTtl || '604800'),
+        cacheMaxSize: parseInt(options.cacheSize || '1000000000')
+      };
+
+      if (!target && !options.file) {
+        console.error('Error: specify a package name or --file <path>');
+        process.exit(1);
+      }
+
       const policy = options.policy
         ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
         : null;
 
       if (policy) {
         const { isAllowed } = await import('../backend/policy.js');
-        if (isAllowed(target, policy)) {
+        if (target && isAllowed(target, policy)) {
           console.log(JSON.stringify({ scanId: null, findings: [], skipped: true, reason: `Package '${target}' is in policy allowlist` }));
           return;
         }
       }
 
-      const { pkgJson, jsFiles, tmpDir } = await import('../backend/fetch.js').then(m => m.fetchPackage(target));
+      const { pkgJson, jsFiles, tmpDir } = options.file
+        ? await import('../backend/fetch.js').then(m => m.scanLocalTarball(options.file))
+        : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
+      const pkgName = target || pkgJson.name || 'unknown';
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
       const { saveScan } = await import('../backend/db.js');
-      const scanId = await saveScan(target, 'latest', findings);
+      const scanId = await saveScan(pkgName, 'latest', findings);
 
       let outputFindings = findings;
       let blocked = false;
 
       if (policy) {
         const { applyPolicy } = await import('../backend/policy.js');
-        const result = applyPolicy(findings, target, policy);
+        const result = applyPolicy(findings, pkgName, policy);
         outputFindings = result.findings;
         blocked = result.blocked;
       }
 
-      if (options.sbom) {
+      const { calculateRiskScore } = await import('../backend/report.js');
+      const riskScore = calculateRiskScore(outputFindings);
+
+      if (options.scoreOnly) {
+        console.log(riskScore);
+        import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
+        return;
+      }
+
+      if (options.sarif) {
+        const { generateSARIF } = await import('../backend/report.js');
+        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const sarifOutput = generateSARIF(scan);
+        if (options.sarif === true || !options.sarif) {
+          console.log(sarifOutput);
+        } else {
+          const { writeFileSync } = await import('fs');
+          writeFileSync(options.sarif, sarifOutput);
+          console.log(`SARIF output written to ${options.sarif}`);
+        }
+      } else if (options.csv) {
+        const { generateCSV } = await import('../backend/report.js');
+        const scan = { package_name: pkgName, version: pkgJson.version || 'latest', findings: outputFindings };
+        const csvOutput = generateCSV([scan]);
+        if (options.csv === true || !options.csv) {
+          console.log(csvOutput);
+        } else {
+          const { writeFileSync } = await import('fs');
+          writeFileSync(options.csv, csvOutput);
+          console.log(`CSV output written to ${options.csv}`);
+        }
+      } else if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
-        const pkg = { name: target, version: pkgJson.version || 'latest' };
+        const pkg = { name: pkgName, version: pkgJson.version || 'latest' };
         const sbom = generateSBOM(pkg, outputFindings, options.sbom === true ? 'json' : options.sbom);
         console.log(sbom);
       } else {
-        console.log(JSON.stringify({scanId, findings: outputFindings, blocked}, null, 2));
+        console.log(JSON.stringify({scanId, findings: outputFindings, blocked, riskScore}, null, 2));
+      }
+
+      if (options.auditLog) {
+        const { writeFileSync, appendFileSync } = await import('fs');
+        const entry = {
+          timestamp: new Date().toISOString(),
+          command: `scan ${target || options.file}`,
+          package: pkgName,
+          version: pkgJson.version || 'latest',
+          riskScore,
+          findingsCount: outputFindings.length,
+          exitCode: 0
+        };
+        appendFileSync(options.auditLog, JSON.stringify(entry) + '\n');
       }
 
       if (blocked) {
@@ -67,6 +140,16 @@ program
         process.exit(1);
       }
 
+      if (options.failOn !== 'none') {
+        const severityLevels = { low: 1, medium: 2, high: 3, critical: 4 };
+        const failLevel = severityLevels[options.failOn] || 0;
+        const hasBlockingFindings = outputFindings.some(f => (severityLevels[f.severity] || 0) >= failLevel);
+        if (hasBlockingFindings) {
+          console.error(`Fail: findings with severity >= ${options.failOn} detected`);
+          process.exit(1);
+        }
+      }
+
       import('../backend/fetch.js').then(m => m.cleanup(tmpDir));
     } catch (e) {
       console.error(e.message);
@@ -78,6 +161,9 @@ program
   .command('scan-lockfile')
   .description('Scan package-lock.json')
   .option('-f, --file <path>', 'lockfile path', 'package-lock.json')
+  .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
+  .option('--csv [file]', 'Output CSV format to file or stdout')
+  .option('--sarif [file]', 'Output SARIF v2.1 format to file or stdout')
   .action((options) => {
     console.log('Scanning lockfile:', options.file);
   });
@@ -89,8 +175,10 @@ program
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
   .option('--html', 'HTML report')
   .option('--text', 'Plain text report')
+  .option('--csv [file]', 'CSV export to file or stdout')
   .option('--nist', 'NIST 800-161 compliance report')
   .option('--cra', 'EU CRA compliance report')
+  .option('--stig', 'STIG compliance report (DISA SRG-APP)')
   .option('--siem <format>', 'SIEM format (cef|ecs|sentinel|qradar)')
   .option('--pdf', 'PDF report (premium)')
   .option('-o, --output <path>', 'Output file path')
@@ -133,6 +221,10 @@ program
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scan ? [scan] : []);
         console.log(html);
+      } else if (options.stig) {
+        const { generateSTIG } = await import('../backend/report.js');
+        const stig = generateSTIG(scan ? [scan] : []);
+        console.log(stig);
       } else {
         console.log(JSON.stringify(findings, null, 2));
       }
@@ -163,10 +255,74 @@ program
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scansWithFindings);
         console.log(html);
+      } else if (options.stig) {
+        const { generateSTIG } = await import('../backend/report.js');
+        const stig = generateSTIG(scansWithFindings);
+        console.log(stig);
       } else {
         console.log('Recent scans:', JSON.stringify(scans, null, 2));
       }
     }
   });
 
+program
+  .command('serve')
+  .description('Start API server (premium feature)')
+  .option('-p, --port <port>', 'Port', '8000')
+  .option('-h, --host <host>', 'Host', '0.0.0.0')
+  .action(async (options) => {
+    const licenseKey = process.env.NPM_SCAN_LICENSE_KEY || options.licenseKey;
+    requirePremium('rest-api', licenseKey);
+
+    const { createServer } = await import('http');
+    const server = createServer(async (req, res) => {
+      const headers = { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' };
+
+      if (req.url === '/health') {
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ status: 'ok', version: program.version() }));
+        return;
+      }
+
+      if (req.url === '/scan' && req.method === 'POST') {
+        let body = '';
+        req.on('data', chunk => body += chunk);
+        req.on('end', async () => {
+          try {
+            const { package: pkg, options: scanOpts } = JSON.parse(body);
+            const { scan } = await import('../backend/fetch.js');
+            const results = await scan(pkg, { ...scanOpts, licenseKey });
+            res.writeHead(200, headers);
+            res.end(JSON.stringify({ results }));
+          } catch (e) {
+            res.writeHead(500, headers);
+            res.end(JSON.stringify({ error: e.message }));
+          }
+        });
+        return;
+      }
+
+      if (req.url.startsWith('/siem') && options.siemEnabled) {
+        requirePremium('siem', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ siem: 'enabled', endpoint: process.env.SIEM_ENDPOINT }));
+        return;
+      }
+
+      if (req.url.startsWith('/pdf') && options.pdfEnabled) {
+        requirePremium('nist-pdf', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ pdf: 'enabled' }));
+        return;
+      }
+
+      res.writeHead(404, headers);
+      res.end(JSON.stringify({ error: 'Not found' }));
+    });
+
+    server.listen(options.port, options.host, () => {
+      console.log(`npm-scan API server running on http://${options.host}:${options.port}`);
+    });
+  });
+
 program.parse();

package/deploy/helm/npm-scan/Chart.yaml

@@ -1,16 +1,22 @@
 apiVersion: v2
 name: npm-scan
-description: npm supply chain security scanner — Helm chart for Kubernetes deployment
+description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
 type: application
-version: 0.5.0
-appVersion: "0.5.0"
+version: 1.0.0
+appVersion: "1.0.0"
 keywords:
   - npm
   - security
   - supply-chain
   - scanner
+  - byoc
+  - stig
+  - fips
+  - soc2
+  - fedramp
 sources:
-  - https://github.com/YOUR_GITHUB_USERNAME/npm-scan
+  - https://github.com/lateos-ai/npm-scan
 maintainers:
   - name: Lateos
-    email: hello@lateos.ai
+    email: hello@lateos.ai
+dependencies: []

package/deploy/helm/npm-scan/templates/api.yaml

@@ -5,6 +5,8 @@ metadata:
   labels:
     app: {{ include "npm-scan.name" . }}-api
     {{- include "npm-scan.labels" . | nindent 4 }}
+  annotations:
+    stig: "SRG-APP-000141"
 spec:
   replicas: {{ .Values.api.replicas }}
   selector:
@@ -19,7 +21,7 @@ spec:
         - name: api
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["python", "-m", "api.main"]
+          command: ["node", "cli/cli.js", "serve"]
           ports:
             - containerPort: {{ .Values.api.port }}
           env:
@@ -33,6 +35,32 @@ spec:
                   name: {{ include "npm-scan.name" . }}-license
                   key: key
                   optional: true
+            - name: NPM_SCAN_PREMIUM
+              value: "{{ .Values.premium.enabled }}"
+            {{- if .Values.premium.byoc.enabled }}
+            - name: NPM_SCAN_BYOC
+              value: "true"
+            - name: NPM_SCAN_CLOUD_PROVIDER
+              value: "{{ .Values.premium.byoc.cloudProvider }}"
+            {{- end }}
+            {{- if .Values.siem.enabled }}
+            - name: SIEM_ENABLED
+              value: "true"
+            - name: SIEM_TYPE
+              value: "{{ .Values.siem.type }}"
+            - name: SIEM_ENDPOINT
+              value: "{{ .Values.siem.endpoint }}"
+            - name: SIEM_PORT
+              value: "{{ .Values.siem.port }}"
+            {{- end }}
+            {{- if .Values.sso.enabled }}
+            - name: SSO_ENABLED
+              value: "true"
+            - name: SSO_PROVIDER
+              value: "{{ .Values.sso.provider }}"
+            - name: SSO_ISSUER_URL
+              value: "{{ .Values.sso.issuerUrl }}"
+            {{- end }}
             {{- if .Values.postgresql.enabled }}
             - name: PG_HOST
               value: "{{ .Values.postgresql.host }}"