@lateos/npm-scan 0.9.9 → 0.10.1

package/CHANGELOG.md

@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 - `scan --csv [file]` and `report --csv [file]` to export tabular CSV for Excel/Sheets import
 - `scan --score-only` to output only risk score (0-10), auto-added to JSON output
 - Government/SOC 2 features: `--audit-log`, `--fips`, `--stig`, `--cache-dir` for air-gapped/federal compliance
+- **BYOC (Bring Your Own Cloud)**: Helm chart v1.0.0 for enterprise/government VPC deployments with SIEM, PDF, SSO
 
 ## [0.9.7] — 2026-05-12
 

package/README.de.md

@@ -12,6 +12,7 @@
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **Moderne Lieferkettensicherheit für das npm-Ökosystem.**  
 Statische + verhaltensbasierte Analyse, die erkennt, was npm audit, Snyk und Socket übersehen — obfuskierte Payloads, Credential-Stealer, bedingte Auslöser, Sandbox-Evasion und wurmartige Verbreitung.

package/README.fr.md

@@ -12,6 +12,7 @@
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **Sécurité moderne de la chaîne d'approvisionnement pour l'écosystème npm.**  
 Analyse statique + comportementale qui détecte ce que npm audit, Snyk et Socket manquent — charges utiles obfusquées, voleurs d'identifiants, déclencheurs conditionnels, contournement de sandbox et propagation de type ver.

package/README.ja.md

@@ -12,6 +12,7 @@
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **npmエコシステムのためのモダンなサプライチェーンセキュリティ。**  
 静的解析＋行動分析で、npm audit、Snyk、Socketが見逃す脅威——難読化ペイロード、認証情報窃取、条件付きトリガー、サンドボックス回避、ワーム型伝播——を検出します。

package/README.md

@@ -6,6 +6,7 @@
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 [![中文](https://img.shields.io/badge/lang-zh--CN-red?style=flat-square)](https://github.com/lateos-ai/npm-scan/blob/main/README.zh.md)
 [![日本語](https://img.shields.io/badge/lang-ja-purple?style=flat-square)](https://github.com/lateos-ai/npm-scan/blob/main/README.ja.md)
@@ -129,6 +130,39 @@ npm-scan report --stig
 
 ---
 
+## ☁️ BYOC — Bring Your Own Cloud
+
+Deploy npm-scan in your VPC with full data sovereignty. No data leaves your infrastructure.
+
+| Feature | Description |
+|---------|-------------|
+| **Self-hosted** | Run on EKS/GKE/AKS in your AWS/Azure/GCP account |
+| **SIEM Export** | CEF/ECS/Sentinel/QRadar to your existing SIEM |
+| **SSO/OIDC** | SAML/OIDC integration with your identity provider |
+| **PDF Reports** | Generate NIST-compliant PDF reports locally |
+| **External DB** | Connect to your existing PostgreSQL/Redis |
+
+```bash
+# Deploy to your VPC with Helm
+git clone https://github.com/lateos-ai/npm-scan.git
+cd npm-scan/deploy/helm
+helm install npm-scan -f values.byoc.yaml .
+
+# BYOC values example (see values.byoc.yaml)
+premium:
+  enabled: true
+  edition: enterprise
+  byoc:
+    enabled: true
+    cloudProvider: aws
+    vpcId: vpc-xxx
+    region: us-east-1
+```
+
+**Pricing**: Enterprise license $10k/yr — self-supported (docs + GitHub issues).
+
+---
+
 ## 📖 Usage Examples
 
 ### Scan a single package

package/README.zh.md

@@ -12,6 +12,7 @@
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **适用于 npm 生态系统的现代供应链安全工具。**  
 静态 + 行为分析，捕获 npm audit、Snyk 和 Socket 遗漏的威胁——混淆载荷、凭证窃取器、条件触发器、沙箱逃逸以及蠕虫式传播。

package/cli/cli.js

@@ -265,4 +265,64 @@ program
     }
   });
 
+program
+  .command('serve')
+  .description('Start API server (premium feature)')
+  .option('-p, --port <port>', 'Port', '8000')
+  .option('-h, --host <host>', 'Host', '0.0.0.0')
+  .action(async (options) => {
+    const licenseKey = process.env.NPM_SCAN_LICENSE_KEY || options.licenseKey;
+    requirePremium('rest-api', licenseKey);
+
+    const { createServer } = await import('http');
+    const server = createServer(async (req, res) => {
+      const headers = { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' };
+
+      if (req.url === '/health') {
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ status: 'ok', version: program.version() }));
+        return;
+      }
+
+      if (req.url === '/scan' && req.method === 'POST') {
+        let body = '';
+        req.on('data', chunk => body += chunk);
+        req.on('end', async () => {
+          try {
+            const { package: pkg, options: scanOpts } = JSON.parse(body);
+            const { scan } = await import('../backend/fetch.js');
+            const results = await scan(pkg, { ...scanOpts, licenseKey });
+            res.writeHead(200, headers);
+            res.end(JSON.stringify({ results }));
+          } catch (e) {
+            res.writeHead(500, headers);
+            res.end(JSON.stringify({ error: e.message }));
+          }
+        });
+        return;
+      }
+
+      if (req.url.startsWith('/siem') && options.siemEnabled) {
+        requirePremium('siem', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ siem: 'enabled', endpoint: process.env.SIEM_ENDPOINT }));
+        return;
+      }
+
+      if (req.url.startsWith('/pdf') && options.pdfEnabled) {
+        requirePremium('nist-pdf', licenseKey);
+        res.writeHead(200, headers);
+        res.end(JSON.stringify({ pdf: 'enabled' }));
+        return;
+      }
+
+      res.writeHead(404, headers);
+      res.end(JSON.stringify({ error: 'Not found' }));
+    });
+
+    server.listen(options.port, options.host, () => {
+      console.log(`npm-scan API server running on http://${options.host}:${options.port}`);
+    });
+  });
+
 program.parse();

package/deploy/helm/npm-scan/Chart.yaml

@@ -1,16 +1,22 @@
 apiVersion: v2
 name: npm-scan
-description: npm supply chain security scanner — Helm chart for Kubernetes deployment
+description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
 type: application
-version: 0.5.0
-appVersion: "0.5.0"
+version: 1.0.0
+appVersion: "1.0.0"
 keywords:
   - npm
   - security
   - supply-chain
   - scanner
+  - byoc
+  - stig
+  - fips
+  - soc2
+  - fedramp
 sources:
-  - https://github.com/YOUR_GITHUB_USERNAME/npm-scan
+  - https://github.com/lateos-ai/npm-scan
 maintainers:
   - name: Lateos
-    email: hello@lateos.ai
+    email: hello@lateos.ai
+dependencies: []

package/deploy/helm/npm-scan/templates/api.yaml

@@ -5,6 +5,8 @@ metadata:
   labels:
     app: {{ include "npm-scan.name" . }}-api
     {{- include "npm-scan.labels" . | nindent 4 }}
+  annotations:
+    stig: "SRG-APP-000141"
 spec:
   replicas: {{ .Values.api.replicas }}
   selector:
@@ -19,7 +21,7 @@ spec:
         - name: api
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["python", "-m", "api.main"]
+          command: ["node", "cli/cli.js", "serve"]
           ports:
             - containerPort: {{ .Values.api.port }}
           env:
@@ -33,6 +35,32 @@ spec:
                   name: {{ include "npm-scan.name" . }}-license
                   key: key
                   optional: true
+            - name: NPM_SCAN_PREMIUM
+              value: "{{ .Values.premium.enabled }}"
+            {{- if .Values.premium.byoc.enabled }}
+            - name: NPM_SCAN_BYOC
+              value: "true"
+            - name: NPM_SCAN_CLOUD_PROVIDER
+              value: "{{ .Values.premium.byoc.cloudProvider }}"
+            {{- end }}
+            {{- if .Values.siem.enabled }}
+            - name: SIEM_ENABLED
+              value: "true"
+            - name: SIEM_TYPE
+              value: "{{ .Values.siem.type }}"
+            - name: SIEM_ENDPOINT
+              value: "{{ .Values.siem.endpoint }}"
+            - name: SIEM_PORT
+              value: "{{ .Values.siem.port }}"
+            {{- end }}
+            {{- if .Values.sso.enabled }}
+            - name: SSO_ENABLED
+              value: "true"
+            - name: SSO_PROVIDER
+              value: "{{ .Values.sso.provider }}"
+            - name: SSO_ISSUER_URL
+              value: "{{ .Values.sso.issuerUrl }}"
+            {{- end }}
             {{- if .Values.postgresql.enabled }}
             - name: PG_HOST
               value: "{{ .Values.postgresql.host }}"

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -0,0 +1,75 @@
+# BYOC Enterprise values example
+# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
+
+image:
+  repository: ghcr.io/lateos/npm-scan
+  tag: "1.0.0"
+
+premium:
+  enabled: true
+  edition: enterprise
+  byoc:
+    enabled: true
+    cloudProvider: aws
+    vpcId: vpc-0123456789abcdef0
+    region: us-east-1
+    clusterName: npm-scan-enterprise
+    externalDb: true
+    externalRedis: true
+
+license:
+  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
+  secret: "your-license-secret"
+
+siem:
+  enabled: true
+  type: cef
+  endpoint: log-collector.your-company.com
+  port: 514
+  protocol: tcp
+
+pdf:
+  enabled: true
+
+sso:
+  enabled: true
+  provider: oidc
+  clientId: npm-scan-enterprise
+  issuerUrl: https://sso.your-company.com/realms/enterprise
+
+postgresql:
+  enabled: false
+  host: your-rds-endpoint.rds.amazonaws.com
+  port: 5432
+  database: npm_scan
+  username: npm_scan
+  password: ""
+
+redis:
+  enabled: false
+  host: your-redis-endpoint.cache.amazonaws.com
+  port: 6379
+
+ingress:
+  enabled: true
+  className: nginx
+  host: npm-scan.your-company.com
+  tls:
+    - secretName: npm-scan-tls
+      hosts:
+        - npm-scan.your-company.com
+
+persistence:
+  enabled: true
+  size: 50Gi
+  storageClass: gp3
+
+worker:
+  replicas: 4
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2
+      memory: 2Gi

package/deploy/helm/npm-scan/values.yaml

@@ -1,4 +1,4 @@
-# Helm values for npm-scan
+# Helm values for npm-scan BYOC
 # Override per environment: helm install -f values-prod.yaml
 
 image:
@@ -9,10 +9,40 @@ image:
 replicaCount: 1
 
 license:
-  # --license-key or NPM_SCAN_LICENSE_KEY env var
   key: ""
   secret: ""
 
+premium:
+  enabled: false
+  edition: premium
+  byoc:
+    enabled: false
+    cloudProvider: ""
+    vpcId: ""
+    region: ""
+    clusterName: ""
+    externalDb: true
+    externalRedis: true
+
+siem:
+  enabled: false
+  type: cef
+  endpoint: ""
+  port: 514
+  protocol: tcp
+  apiKey: ""
+
+pdf:
+  enabled: false
+
+sso:
+  enabled: false
+  provider: oidc
+  clientId: ""
+  clientSecret: ""
+  issuerUrl: ""
+  allowedDomains: []
+
 postgresql:
   enabled: true
   host: ""

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.9.9",
+  "version": "0.10.1",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -10,8 +10,9 @@
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "https://github.com/lateos-ai/npm-scan.git"
+    "url": "git+https://github.com/lateos-ai/npm-scan.git"
   },
+  "readmeFilename": "README.md",
   "keywords": [
     "npm",
     "security",