npm - @lateos/npm-scan - Versions diffs - 0.9.9 → 0.10.0 - Mend

@lateos/npm-scan 0.9.9 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +1 -0
package/README.md +33 -0
package/cli/cli.js +60 -0
package/deploy/helm/npm-scan/Chart.yaml +11 -5
package/deploy/helm/npm-scan/templates/api.yaml +29 -1
package/deploy/helm/npm-scan/values.byoc.yaml +75 -0
package/deploy/helm/npm-scan/values.yaml +32 -2
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 - `scan --csv [file]` and `report --csv [file]` to export tabular CSV for Excel/Sheets import
 - `scan --score-only` to output only risk score (0-10), auto-added to JSON output
 - Government/SOC 2 features: `--audit-log`, `--fips`, `--stig`, `--cache-dir` for air-gapped/federal compliance
+- **BYOC (Bring Your Own Cloud)**: Helm chart v1.0.0 for enterprise/government VPC deployments with SIEM, PDF, SSO
 ## [0.9.7] — 2026-05-12

package/README.md CHANGED Viewed

@@ -129,6 +129,39 @@ npm-scan report --stig
 ---
+## ☁️ BYOC — Bring Your Own Cloud
+Deploy npm-scan in your VPC with full data sovereignty. No data leaves your infrastructure.
+| Feature | Description |
+|---------|-------------|
+| **Self-hosted** | Run on EKS/GKE/AKS in your AWS/Azure/GCP account |
+| **SIEM Export** | CEF/ECS/Sentinel/QRadar to your existing SIEM |
+| **SSO/OIDC** | SAML/OIDC integration with your identity provider |
+| **PDF Reports** | Generate NIST-compliant PDF reports locally |
+| **External DB** | Connect to your existing PostgreSQL/Redis |
+```bash
+# Deploy to your VPC with Helm
+git clone https://github.com/lateos-ai/npm-scan.git
+cd npm-scan/deploy/helm
+helm install npm-scan -f values.byoc.yaml .
+# BYOC values example (see values.byoc.yaml)
+premium:
+  enabled: true
+  edition: enterprise
+  byoc:
+    enabled: true
+    cloudProvider: aws
+    vpcId: vpc-xxx
+    region: us-east-1
+```
+**Pricing**: Enterprise license $10k/yr — self-supported (docs + GitHub issues).
+---
 ## 📖 Usage Examples
 ### Scan a single package

package/cli/cli.js CHANGED Viewed

@@ -265,4 +265,64 @@ program
     }
   });
+program
+  .command('serve')
+  .description('Start API server (premium feature)')
+  .option('-p, --port <port>', 'Port', '8000')
+  .option('-h, --host <host>', 'Host', '0.0.0.0')
+  .action(async (options) => {
+    const licenseKey = process.env.NPM_SCAN_LICENSE_KEY || options.licenseKey;
+    requirePremium('rest-api', licenseKey);
+    const { createServer } = await import('http');
+    const server = createServer(async (req, res) => {
+      const headers = { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' };
+      if (req.url === '/health') {
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ status: 'ok', version: program.version() }));
+        return;
+      }
+      if (req.url === '/scan' && req.method === 'POST') {
+        let body = '';
+        req.on('data', chunk => body += chunk);
+        req.on('end', async () => {
+          try {
+            const { package: pkg, options: scanOpts } = JSON.parse(body);
+            const { scan } = await import('../backend/fetch.js');
+            const results = await scan(pkg, { ...scanOpts, licenseKey });
+            res.writeHead(200, headers);
+            res.end(JSON.stringify({ results }));
+          } catch (e) {
+            res.writeHead(500, headers);
+            res.end(JSON.stringify({ error: e.message }));
+          }
+        });
+        return;
+      }
+      if (req.url.startsWith('/siem') && options.siemEnabled) {
+        requirePremium('siem', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ siem: 'enabled', endpoint: process.env.SIEM_ENDPOINT }));
+        return;
+      }
+      if (req.url.startsWith('/pdf') && options.pdfEnabled) {
+        requirePremium('nist-pdf', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ pdf: 'enabled' }));
+        return;
+      }
+      res.writeHead(404, headers);
+      res.end(JSON.stringify({ error: 'Not found' }));
+    });
+    server.listen(options.port, options.host, () => {
+      console.log(`npm-scan API server running on http://${options.host}:${options.port}`);
+    });
+  });
 program.parse();

package/deploy/helm/npm-scan/Chart.yaml CHANGED Viewed

@@ -1,16 +1,22 @@
 apiVersion: v2
 name: npm-scan
-description: npm supply chain security scanner — Helm chart for Kubernetes deployment
+description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
 type: application
-version: 0.5.0
-appVersion: "0.5.0"
+version: 1.0.0
+appVersion: "1.0.0"
 keywords:
   - npm
   - security
   - supply-chain
   - scanner
+  - byoc
+  - stig
+  - fips
+  - soc2
+  - fedramp
 sources:
-  - https://github.com/YOUR_GITHUB_USERNAME/npm-scan
+  - https://github.com/lateos-ai/npm-scan
 maintainers:
   - name: Lateos
-    email: hello@lateos.ai
+    email: hello@lateos.ai
+dependencies: []

package/deploy/helm/npm-scan/templates/api.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   labels:
     app: {{ include "npm-scan.name" . }}-api
     {{- include "npm-scan.labels" . | nindent 4 }}
+  annotations:
+    stig: "SRG-APP-000141"
 spec:
   replicas: {{ .Values.api.replicas }}
   selector:
@@ -19,7 +21,7 @@ spec:
         - name: api
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["python", "-m", "api.main"]
+          command: ["node", "cli/cli.js", "serve"]
           ports:
             - containerPort: {{ .Values.api.port }}
           env:
@@ -33,6 +35,32 @@ spec:
                   name: {{ include "npm-scan.name" . }}-license
                   key: key
                   optional: true
+            - name: NPM_SCAN_PREMIUM
+              value: "{{ .Values.premium.enabled }}"
+            {{- if .Values.premium.byoc.enabled }}
+            - name: NPM_SCAN_BYOC
+              value: "true"
+            - name: NPM_SCAN_CLOUD_PROVIDER
+              value: "{{ .Values.premium.byoc.cloudProvider }}"
+            {{- end }}
+            {{- if .Values.siem.enabled }}
+            - name: SIEM_ENABLED
+              value: "true"
+            - name: SIEM_TYPE
+              value: "{{ .Values.siem.type }}"
+            - name: SIEM_ENDPOINT
+              value: "{{ .Values.siem.endpoint }}"
+            - name: SIEM_PORT
+              value: "{{ .Values.siem.port }}"
+            {{- end }}
+            {{- if .Values.sso.enabled }}
+            - name: SSO_ENABLED
+              value: "true"
+            - name: SSO_PROVIDER
+              value: "{{ .Values.sso.provider }}"
+            - name: SSO_ISSUER_URL
+              value: "{{ .Values.sso.issuerUrl }}"
+            {{- end }}
             {{- if .Values.postgresql.enabled }}
             - name: PG_HOST
               value: "{{ .Values.postgresql.host }}"

package/deploy/helm/npm-scan/values.byoc.yaml ADDED Viewed

@@ -0,0 +1,75 @@
+# BYOC Enterprise values example
+# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
+image:
+  repository: ghcr.io/lateos/npm-scan
+  tag: "1.0.0"
+premium:
+  enabled: true
+  edition: enterprise
+  byoc:
+    enabled: true
+    cloudProvider: aws
+    vpcId: vpc-0123456789abcdef0
+    region: us-east-1
+    clusterName: npm-scan-enterprise
+    externalDb: true
+    externalRedis: true
+license:
+  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
+  secret: "your-license-secret"
+siem:
+  enabled: true
+  type: cef
+  endpoint: log-collector.your-company.com
+  port: 514
+  protocol: tcp
+pdf:
+  enabled: true
+sso:
+  enabled: true
+  provider: oidc
+  clientId: npm-scan-enterprise
+  issuerUrl: https://sso.your-company.com/realms/enterprise
+postgresql:
+  enabled: false
+  host: your-rds-endpoint.rds.amazonaws.com
+  port: 5432
+  database: npm_scan
+  username: npm_scan
+  password: ""
+redis:
+  enabled: false
+  host: your-redis-endpoint.cache.amazonaws.com
+  port: 6379
+ingress:
+  enabled: true
+  className: nginx
+  host: npm-scan.your-company.com
+  tls:
+    - secretName: npm-scan-tls
+      hosts:
+        - npm-scan.your-company.com
+persistence:
+  enabled: true
+  size: 50Gi
+  storageClass: gp3
+worker:
+  replicas: 4
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2
+      memory: 2Gi

package/deploy/helm/npm-scan/values.yaml CHANGED Viewed

@@ -1,4 +1,4 @@
-# Helm values for npm-scan
+# Helm values for npm-scan BYOC
 # Override per environment: helm install -f values-prod.yaml
 image:
@@ -9,10 +9,40 @@ image:
 replicaCount: 1
 license:
-  # --license-key or NPM_SCAN_LICENSE_KEY env var
   key: ""
   secret: ""
+premium:
+  enabled: false
+  edition: premium
+  byoc:
+    enabled: false
+    cloudProvider: ""
+    vpcId: ""
+    region: ""
+    clusterName: ""
+    externalDb: true
+    externalRedis: true
+siem:
+  enabled: false
+  type: cef
+  endpoint: ""
+  port: 514
+  protocol: tcp
+  apiKey: ""
+pdf:
+  enabled: false
+sso:
+  enabled: false
+  provider: oidc
+  clientId: ""
+  clientSecret: ""
+  issuerUrl: ""
+  allowedDomains: []
 postgresql:
   enabled: true
   host: ""

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.9.9",
+  "version": "0.10.0",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {