@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/policy.js

@@ -5,26 +5,89 @@ const SEVERITY_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
 const VALID_SEVERITIES = new Set(SEVERITY_ORDER);
 
 const KNOWN_REPUTABLE_PACKAGES = new Set([
-  'react', 'react-dom', 'vue', 'angular', 'next', 'nuxt',
-  'express', 'fastify', 'hono', 'koa', 'connect',
-  'webpack', 'vite', 'rollup', 'esbuild', 'typescript', 'babel-core',
-  'lodash', 'ramda', 'underscore',
-  'axios', 'node-fetch', 'got', 'superagent',
-  'sequelize', 'prisma', 'typeorm', 'mongoose',
-  'jest', 'mocha', 'vitest', 'ava',
-  'prettier', 'eslint', 'stylelint',
-  'socket.io', 'ws',
-  'rimraf', 'glob', 'minimatch', 'fs-extra',
-  'electron', 'puppeteer', 'playwright', 'sharp', 'node-canvas',
-  'ffmpeg-static', 'turbo',
-  'react-scripts', '@angular/cli',
-  'gatsby', 'parcel',
-  'tslib', 'core-js', 'regenerator-runtime', 'buffer',
-  'node-gyp', 'node-pre-gyp',
-  'winston', 'uuid', 'moment', 'dotenv', 'pg', 'semver', 'redux', 'redis',
-  'dayjs', 'luxon', 'chalk', 'debug', 'cors', 'helmet', 'multer',
-  'body-parser', 'cheerio', 'bluebird', 'bcrypt', 'commander', 'yargs',
-  'passport', 'jsonwebtoken', 'nodemailer', 'class-validator',
+  'react',
+  'react-dom',
+  'vue',
+  'angular',
+  'next',
+  'nuxt',
+  'express',
+  'fastify',
+  'hono',
+  'koa',
+  'connect',
+  'webpack',
+  'vite',
+  'rollup',
+  'esbuild',
+  'typescript',
+  'babel-core',
+  'lodash',
+  'ramda',
+  'underscore',
+  'axios',
+  'node-fetch',
+  'got',
+  'superagent',
+  'sequelize',
+  'prisma',
+  'typeorm',
+  'mongoose',
+  'jest',
+  'mocha',
+  'vitest',
+  'ava',
+  'prettier',
+  'eslint',
+  'stylelint',
+  'socket.io',
+  'ws',
+  'rimraf',
+  'glob',
+  'minimatch',
+  'fs-extra',
+  'electron',
+  'puppeteer',
+  'playwright',
+  'sharp',
+  'node-canvas',
+  'ffmpeg-static',
+  'turbo',
+  'react-scripts',
+  '@angular/cli',
+  'gatsby',
+  'parcel',
+  'tslib',
+  'core-js',
+  'regenerator-runtime',
+  'buffer',
+  'node-gyp',
+  'node-pre-gyp',
+  'winston',
+  'uuid',
+  'moment',
+  'dotenv',
+  'pg',
+  'semver',
+  'redux',
+  'redis',
+  'dayjs',
+  'luxon',
+  'chalk',
+  'debug',
+  'cors',
+  'helmet',
+  'multer',
+  'body-parser',
+  'cheerio',
+  'bluebird',
+  'bcrypt',
+  'commander',
+  'yargs',
+  'passport',
+  'jsonwebtoken',
+  'nodemailer',
+  'class-validator',
 ]);
 
 function severityIndex(s) {
@@ -32,8 +95,12 @@ function severityIndex(s) {
 }
 
 function matchesFilePath(filePath, pattern) {
-  if (!pattern) return false;
-  if (pattern === '*') return true;
+  if (!pattern) {
+    return false;
+  }
+  if (pattern === '*') {
+    return true;
+  }
   const regexPattern = pattern
     .replace(/\./g, '\\.')
     .replace(/\*\*/g, '___DOUBLE_STAR___')
@@ -44,49 +111,90 @@ function matchesFilePath(filePath, pattern) {
 
 function matchesContext(finding, rule) {
   const ctx = finding.context;
-  if (!ctx) return false;
-
-  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) return false;
-  if (rule.context?.is_dist_build === false && ctx.is_dist_build) return false;
-  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) return false;
-  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) return false;
-  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) return false;
-  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) return false;
-  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) return false;
-  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) return false;
-
-  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) return false;
+  if (!ctx) {
+    return false;
+  }
+
+  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) {
+    return false;
+  }
+  if (rule.context?.is_dist_build === false && ctx.is_dist_build) {
+    return false;
+  }
+  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) {
+    return false;
+  }
+  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) {
+    return false;
+  }
+  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) {
+    return false;
+  }
+  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) {
+    return false;
+  }
+  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) {
+    return false;
+  }
+  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) {
+    return false;
+  }
+
+  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) {
+    return false;
+  }
   if (rule.context?.url_domain) {
-    if (!ctx.url_domain) return false;
+    if (!ctx.url_domain) {
+      return false;
+    }
     const domainPattern = rule.context.url_domain.replace(/\*/g, '.*');
-    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) return false;
+    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) {
+      return false;
+    }
   }
 
   return true;
 }
 
 function matchesKnownReputable(packageName) {
-  if (KNOWN_REPUTABLE_PACKAGES.has(packageName)) return true;
+  if (KNOWN_REPUTABLE_PACKAGES.has(packageName)) {
+    return true;
+  }
   const [scope, name] = packageName.split('/');
-  if (scope && name && KNOWN_REPUTABLE_PACKAGES.has(`${scope}/*`)) return true;
+  if (scope && name && KNOWN_REPUTABLE_PACKAGES.has(`${scope}/*`)) {
+    return true;
+  }
   return false;
 }
 
 function getPackageReputationTier(pkgName) {
   const name = pkgName?.replace(/^@/, '').replace(/\/.*/, '') || '';
-  if (matchesKnownReputable(name)) return 'trusted';
+  if (matchesKnownReputable(name)) {
+    return 'trusted';
+  }
   return 'unknown';
 }
 
 function matchesSuppressRule(finding, pkgName, rule) {
-  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
-  if (rule.package && rule.package !== '*' && rule.package !== pkgName) return false;
+  if (rule.atk_id !== (finding.atk_id || finding.id)) {
+    return false;
+  }
+  if (rule.package && rule.package !== '*' && rule.package !== pkgName) {
+    return false;
+  }
 
-  if (rule.context && !matchesContext(finding, rule)) return false;
+  if (rule.context && !matchesContext(finding, rule)) {
+    return false;
+  }
 
   if (rule.reputation_tier) {
     const tier = getPackageReputationTier(pkgName);
-    if (rule.reputation_tier !== tier && !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')) return false;
+    if (
+      rule.reputation_tier !== tier &&
+      !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')
+    ) {
+      return false;
+    }
   }
 
   return true;
@@ -109,13 +217,17 @@ function loadPolicy(path) {
   if (policy.severity_overrides) {
     for (const [atkId, severity] of Object.entries(policy.severity_overrides)) {
       if (!VALID_SEVERITIES.has(severity)) {
-        throw new Error(`Invalid severity "${severity}" for ${atkId} — must be one of: low, medium, high, critical`);
+        throw new Error(
+          `Invalid severity "${severity}" for ${atkId} — must be one of: low, medium, high, critical`
+        );
       }
     }
   }
 
   if (policy.fail_on && !VALID_SEVERITIES.has(policy.fail_on)) {
-    throw new Error(`Invalid fail_on "${policy.fail_on}" — must be one of: none, low, medium, high, critical`);
+    throw new Error(
+      `Invalid fail_on "${policy.fail_on}" — must be one of: none, low, medium, high, critical`
+    );
   }
 
   if (policy.suppress) {
@@ -143,7 +255,7 @@ function sanitizePolicy(policy) {
     allow: { packages: policy.allow?.packages ?? [] },
     severity_overrides: policy.severity_overrides ?? {},
     fail_on: policy.fail_on ?? 'none',
-    suppress: (policy.suppress ?? []).map(r => ({
+    suppress: (policy.suppress ?? []).map((r) => ({
       atk_id: r.atk_id,
       package: r.package || '*',
       reason: r.reason || '',
@@ -154,23 +266,29 @@ function sanitizePolicy(policy) {
 }
 
 function isAllowed(packageName, policy) {
-  if (!policy.allow.packages.length) return false;
+  if (!policy.allow.packages.length) {
+    return false;
+  }
   const nameOnly = packageName.split('@')[0];
-  return policy.allow.packages.some(p => p === packageName || p === nameOnly);
+  return policy.allow.packages.some((p) => p === packageName || p === nameOnly);
 }
 
 function applyPolicy(findings, packageName, policy) {
   let filtered = [...findings];
 
   if (policy.suppress.length) {
-    filtered = filtered.filter(f => {
-      if (f.context?.is_lifecycle_hook) return true;
-      if (f.context?.is_multi_layer) return true;
-      return !policy.suppress.some(r => matchesSuppressRule(f, packageName, r));
+    filtered = filtered.filter((f) => {
+      if (f.context?.is_lifecycle_hook) {
+        return true;
+      }
+      if (f.context?.is_multi_layer) {
+        return true;
+      }
+      return !policy.suppress.some((r) => matchesSuppressRule(f, packageName, r));
     });
   }
 
-  filtered = filtered.map(f => {
+  filtered = filtered.map((f) => {
     const override = policy.severity_overrides[f.atk_id || f.id];
     if (override) {
       return { ...f, severity: override, _severityOverridden: true };
@@ -184,10 +302,19 @@ function applyPolicy(findings, packageName, policy) {
 }
 
 function checkFailOn(findings, policy) {
-  if (policy.fail_on === 'none') return false;
+  if (policy.fail_on === 'none') {
+    return false;
+  }
 
   const threshold = severityIndex(policy.fail_on);
-  return findings.some(f => severityIndex(f.severity) >= threshold);
+  return findings.some((f) => severityIndex(f.severity) >= threshold);
 }
 
-export { loadPolicy, applyPolicy, isAllowed, getPackageReputationTier, matchesContext, KNOWN_REPUTABLE_PACKAGES };
+export {
+  loadPolicy,
+  applyPolicy,
+  isAllowed,
+  getPackageReputationTier,
+  matchesContext,
+  KNOWN_REPUTABLE_PACKAGES,
+};

package/backend/provenance.js

@@ -12,7 +12,13 @@ export function signManifest(manifest, key = HMAC_KEY) {
   return createHmac('sha256', key).update(JSON.stringify(manifest)).digest('hex');
 }
 
-export function buildDetectionRule({ ruleId, ruleName, severity, cveReferences = [], campaignName }) {
+export function buildDetectionRule({
+  ruleId,
+  ruleName,
+  severity,
+  cveReferences = [],
+  campaignName,
+}) {
   return {
     rule_id: ruleId,
     rule_name: ruleName,
@@ -41,7 +47,12 @@ export function buildDetectionResult({ triggered, severity, indicators = [] }) {
 
 export function buildAuditTrail({ detectionLogic, ruleProvenanceUrl, campaignSourceUrl }) {
   const contentHash = hashContent(detectionLogic);
-  const manifest = { contentHash, ruleProvenanceUrl, campaignSourceUrl, generatedAt: new Date().toISOString() };
+  const manifest = {
+    contentHash,
+    ruleProvenanceUrl,
+    campaignSourceUrl,
+    generatedAt: new Date().toISOString(),
+  };
   return {
     content_hash: contentHash,
     rule_provenance_url: ruleProvenanceUrl,
@@ -60,7 +71,21 @@ export function buildDetectionRecord({ rule, scanMetadata, detectionResult, audi
   };
 }
 
-export function attachProvenance(evidence, { ruleId, ruleName, severity, campaignName, pkgName, pkgVersion, triggered, indicators, ruleProvenanceUrl, campaignSourceUrl }) {
+export function attachProvenance(
+  evidence,
+  {
+    ruleId,
+    ruleName,
+    severity,
+    campaignName,
+    pkgName,
+    pkgVersion,
+    triggered,
+    indicators,
+    ruleProvenanceUrl,
+    campaignSourceUrl,
+  }
+) {
   const rule = buildDetectionRule({ ruleId, ruleName, severity, campaignName });
   const scanMetadata = buildScanMetadata({
     scannerVersion: '@lateos/npm-scan',

package/backend/report.js

@@ -1,21 +1,29 @@
 export function generateHTML(scans) {
-  const rows = scans.map(s => {
+  const rows = scans.map((s) => {
     const findings = s.findings || [];
     const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
     const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
     const worstLabel = ['', 'info', 'low', 'medium', 'high', 'critical'][worst] || 'clean';
-    const color = { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[worstLabel] || '#28a745';
-    const findingRows = findings.map(f =>
-      `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
-    ).join('');
+    const color =
+      { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[
+        worstLabel
+      ] || '#28a745';
+    const findingRows = findings
+      .map(
+        (f) =>
+          `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
+      )
+      .join('');
     return { name: s.package_name, worstLabel, color, count: findings.length, findingRows };
   });
 
-  const criticalCount = scans.filter(s => s.findings?.some(f => f.severity === 'critical')).length;
-  const highCount = scans.filter(s => s.findings?.some(f => f.severity === 'high')).length;
-  const mediumCount = scans.filter(s => s.findings?.some(f => f.severity === 'medium')).length;
-  const lowCount = scans.filter(s => s.findings?.some(f => f.severity === 'low')).length;
-  const cleanCount = scans.filter(s => !s.findings?.length).length;
+  const criticalCount = scans.filter((s) =>
+    s.findings?.some((f) => f.severity === 'critical')
+  ).length;
+  const highCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'high')).length;
+  const mediumCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'medium')).length;
+  const lowCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'low')).length;
+  const cleanCount = scans.filter((s) => !s.findings?.length).length;
 
   const nistMap = generateNistTable(scans);
 
@@ -59,7 +67,7 @@ th { background: #161b22; font-weight: 600; }
 <h2>Findings</h2>
 <table>
 <thead><tr><th>ATK</th><th>Severity</th><th>Title</th><th>Evidence</th></tr></thead>
-<tbody>${rows.map(r => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
+<tbody>${rows.map((r) => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
 </table>
 
 <h2>NIST SP 800-161 Compliance Summary</h2>
@@ -73,9 +81,11 @@ ${nistMap}
 function getAtkFindings(scans) {
   const map = {};
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const key = f.atk_id || f.id;
-      if (!map[key]) map[key] = [];
+      if (!map[key]) {
+        map[key] = [];
+      }
       map[key].push(f);
     }
   }
@@ -117,7 +127,9 @@ export function generateText(scans) {
     const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
     const worstLabel = sevLabel[worst] || 'clean';
 
-    lines.push(`${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`);
+    lines.push(
+      `${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`
+    );
 
     for (const f of findings) {
       const desc = (f.description || f.title || '').slice(0, 80);
@@ -159,41 +171,46 @@ function generateNistTable(scans) {
 
 export function generateSARIF(scan, format = 'json') {
   const findings = scan.findings || [];
-  const runs = [{
-    tool: {
-      driver: {
-        name: 'npm-scan',
-        version: '0.9.7',
-        informationUri: 'https://github.com/lateos-ai/npm-scan',
-        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
-          id,
-          name: `ATK-${id.replace('ATK-', '')}`,
-          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
-          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
-          defaultConfiguration: { enabled: true }
-        }))
-      }
+  const runs = [
+    {
+      tool: {
+        driver: {
+          name: 'npm-scan',
+          version: '0.9.7',
+          informationUri: 'https://github.com/lateos-ai/npm-scan',
+          rules: Array.from(new Set(findings.map((f) => f.id))).map((id) => ({
+            id,
+            name: `ATK-${id.replace('ATK-', '')}`,
+            shortDescription: { text: findings.find((f) => f.id === id)?.title || id },
+            fullDescription: { text: findings.find((f) => f.id === id)?.description || '' },
+            defaultConfiguration: { enabled: true },
+          })),
+        },
+      },
+      results: findings.map((f) => {
+        const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+        return {
+          ruleId: f.id,
+          level: severityMap[f.severity] || 'note',
+          message: { text: f.description || f.title },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: f.evidence || 'unknown' },
+                region: { startLine: 1, startColumn: 1 },
+              },
+            },
+          ],
+        };
+      }),
     },
-    results: findings.map(f => {
-      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
-      return {
-        ruleId: f.id,
-        level: severityMap[f.severity] || 'note',
-        message: { text: f.description || f.title },
-        locations: [{
-          physicalLocation: {
-            artifactLocation: { uri: f.evidence || 'unknown' },
-            region: { startLine: 1, startColumn: 1 }
-          }
-        }]
-      };
-    })
-  }];
+  ];
 
   const sarif = {
     version: '2.1.0',
-    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-    runs
+    schema:
+      'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs,
   };
 
   return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
@@ -201,17 +218,21 @@ export function generateSARIF(scan, format = 'json') {
 
 export function generateCSV(scans) {
   const headers = 'id,severity,title,description,evidence,package_name,version\n';
-  const rows = (scans || []).flatMap(s => 
-    (s.findings || []).map(f => [
-      f.id,
-      f.severity || '',
-      (f.title || '').replace(/,/g, ';'),
-      (f.description || '').replace(/,/g, ';'),
-      (f.evidence || '').replace(/,/g, ';'),
-      s.package_name || '',
-      s.version || ''
-    ].join(','))
-  ).join('\n');
+  const rows = (scans || [])
+    .flatMap((s) =>
+      (s.findings || []).map((f) =>
+        [
+          f.id,
+          f.severity || '',
+          (f.title || '').replace(/,/g, ';'),
+          (f.description || '').replace(/,/g, ';'),
+          (f.evidence || '').replace(/,/g, ';'),
+          s.package_name || '',
+          s.version || '',
+        ].join(',')
+      )
+    )
+    .join('\n');
   return headers + rows;
 }
 
@@ -222,25 +243,70 @@ export function calculateRiskScore(findings, totalPackages = 1) {
 }
 
 const STIG_MAP = {
-  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
-  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
-  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
-  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
-  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
-  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
-  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
-  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
-  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
-  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
-  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
+  'SRG-APP-000141': {
+    title: 'Application Malware Detection',
+    atk: 'ATK-001',
+    desc: 'Lifecycle script detection',
+  },
+  'SRG-APP-000142': {
+    title: 'Application Code Obfuscation',
+    atk: 'ATK-002',
+    desc: 'Obfuscated payload detection',
+  },
+  'SRG-APP-000143': {
+    title: 'Credential Harvesting',
+    atk: 'ATK-003',
+    desc: 'Credential exfiltration detection',
+  },
+  'SRG-APP-000144': {
+    title: 'Persistence Mechanisms',
+    atk: 'ATK-004',
+    desc: 'Malicious persistence detection',
+  },
+  'SRG-APP-000145': {
+    title: 'Data Exfiltration',
+    atk: 'ATK-005',
+    desc: 'Network exfiltration detection',
+  },
+  'SRG-APP-000146': {
+    title: 'Dependency Confusion',
+    atk: 'ATK-006',
+    desc: 'Internal package detection',
+  },
+  'SRG-APP-000147': {
+    title: 'Typosquatting',
+    atk: 'ATK-007',
+    desc: 'Malicious package name detection',
+  },
+  'SRG-APP-000148': {
+    title: 'Tarball Tampering',
+    atk: 'ATK-008',
+    desc: 'Modified package detection',
+  },
+  'SRG-APP-000149': {
+    title: 'Dormant Triggers',
+    atk: 'ATK-009',
+    desc: 'Conditional execution detection',
+  },
+  'SRG-APP-000150': {
+    title: 'Sandbox Evasion',
+    atk: 'ATK-010',
+    desc: 'Environment detection evasion',
+  },
+  'SRG-APP-000151': {
+    title: 'Transitive Propagation',
+    atk: 'ATK-011',
+    desc: 'Dependency chain attacks',
+  },
 };
 
 export function generateSTIG(scans) {
   const rows = [];
   for (const [stigId, info] of Object.entries(STIG_MAP)) {
-    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
+    const findings = scans.flatMap((s) => (s.findings || []).filter((f) => f.id === info.atk));
     const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
-    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
+    const findingsList =
+      findings.map((f) => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
     rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
   }
   return `# STIG Compliance Report
@@ -252,4 +318,4 @@ ${rows.join('\n')}
 
 ---
 *This report maps application security controls to DISA STIG requirements.*`;
-}
+}