@lateos/npm-scan 1.1.1 → 1.2.0

package/README.zh.md CHANGED
@@ -9,8 +9,8 @@
9
9
  [![npm version](https://img.shields.io/npm/v/@lateos/npm-scan?style=flat-square)](https://www.npmjs.com/package/@lateos/npm-scan)
10
10
  [![License](https://img.shields.io/badge/license-Apache%202.0%20%2B%20Commons%20Clause-blue?style=flat-square)](LICENSING.md)
11
11
  [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
12
- [![Tests](https://img.shields.io/badge/tests-696%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
13
- [![Coverage](https://img.shields.io/badge/coverage-90%25-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
12
+ [![Tests](https://img.shields.io/badge/tests-459%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
13
+ [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
14
14
  [![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
15
15
  [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
16
16
 
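Review bot: the badge changes drop the test count from 696 to 459 and the coverage from 90% to 85% in the same release that bumps the minor version, and nothing in this diff explains the reduction. If tests were removed or consolidated, the changelog should say so; if the badges were simply stale, say that instead, since a third of the suite disappearing from a supply-chain scanner's README is the kind of signal consumers will read as a regression.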
@@ -485,6 +485,102 @@ npm-scan report --html > report.html
485
485
 
486
486
  ### Docker
487
487
 
488
+ 请参见上方的 [Docker 快速入门部分](#-在任何地方通过-docker-运行-lateosnpm-scan--零安装),了解拉取命令、Compose 流水线和多架构镜像。
489
+
490
+ 在每个 PR 上扫描您项目的 `package-lock.json`——在它们进入生产环境之前检测域名抢注、混淆载荷、凭证窃取器和蠕虫传播:
491
+
492
+ ```yaml
493
+ # .github/workflows/scan.yml
494
+ name: npm-scan
495
+ on:
496
+ pull_request:
497
+ paths:
498
+ - 'package-lock.json'
499
+ - '**/package.json'
500
+ jobs:
501
+ scan:
502
+ runs-on: ubuntu-latest
503
+ steps:
504
+ - uses: actions/checkout@v4
505
+ - uses: actions/setup-node@v4
506
+ with:
507
+ node-version: 20
508
+ - name: Scan lockfile
509
+ uses: lateos/npm-scan@v1
510
+ with:
511
+ scan-type: lockfile
512
+ fail-on: high
513
+ ```
514
+
515
+ #### Action 输入
516
+
517
+ | 输入 | 默认值 | 描述 |
518
+ |-------|---------|-------------|
519
+ | `scan-type` | `lockfile` | `lockfile` 扫描 `package-lock.json` 或 `package` 扫描特定 npm 包 |
520
+ | `package` | — | 包名(`scan-type=package` 时需要) |
521
+ | `fail-on` | `high` | 在此严重性阈值处使工作流失败:`none`、`low`、`medium`、`high`、`critical` |
522
+ | `policy-file` | — | YAML/JSON 策略文件路径,用于白名单、严重性覆盖和抑制 |
523
+ | `license-key` | — | 用于 SIEM 导出和 PDF 报告的高级版许可证密钥 |
524
+ | `siem-format` | — | SIEM 输出:`cef`、`ecs`、`sentinel`、`qradar`(高级版) |
525
+ | `sbom-format` | — | SBOM 输出:`json`、`xml`、`spdx` |
526
+
527
+ #### Action 输出
528
+
529
+ | 输出 | 描述 |
530
+ |--------|-------------|
531
+ | `findings-count` | 检测到的发现项数量 |
532
+ | `scan-id` | 扫描 ID,用于后续报告引用 |
533
+
534
+ #### 示例:使用策略 + SBOM 扫描特定包
535
+
536
+ ```yaml
537
+ - uses: lateos/npm-scan@v1
538
+ with:
539
+ scan-type: package
540
+ package: lodash
541
+ policy-file: .npm-scan.yml
542
+ sbom-format: spdx
543
+ fail-on: critical
544
+ ```
545
+
546
+ #### 示例:使用 SIEM 导出扫描(高级版)
547
+
548
+ ```yaml
549
+ - uses: lateos/npm-scan@v1
550
+ with:
551
+ scan-type: lockfile
552
+ siem-format: cef
553
+ license-key: ${{ secrets.NPM_SCAN_LICENSE_KEY }}
554
+ ```
555
+
556
+ ### CI/CD 流水线
557
+
558
+ 直接集成到您现有的流水线中,无需复合操作:
559
+
560
+ ```bash
561
+ # 扫描锁定文件,在高严重性时使构建失败
562
+ npm-scan scan-lockfile --policy .npm-scan.yml || exit 1
563
+
564
+ # 扫描特定包,仅在严重时失败
565
+ npm-scan scan lodash --policy .npm-scan.yml || exit 1
566
+
567
+ # 生成 SBOM 作为构建产物
568
+ npm-scan scan express --sbom spdx > express-sbom.spdx.json
569
+
570
+ # 在 CI 中生成 HTML 合规报告
571
+ npm-scan report --html > report.html
572
+
573
+ # 上传报告作为产物
574
+ # uses: actions/upload-artifact@v4
575
+ # with:
576
+ # name: npm-scan-report
577
+ # path: report.html
578
+ ```
579
+
580
+ ### Docker
581
+
582
+ 请参见上方的 [Docker 快速入门部分](#-在任何地方通过-docker-运行-lateosnpm-scan--零安装),了解拉取命令、Compose 流水线和多架构镜像。
583
+
488
584
  ---
489
585
 
490
586
  ## 🗺️ 路线图与企业功能
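Review bot: the `### Docker` heading and its paragraph now appear twice in this hunk, once at the top (new lines 486-488) and again at the bottom (new lines 580-582); the new block looks to have been inserted above the existing Docker section instead of replacing it, so one copy should go. Two smaller points in the same region: the three `bash` lines under `### CI/CD 流水线` carry comments promising different failure thresholds ("在高严重性时使构建失败" versus "仅在严重时失败") but the commands differ only in their target and pass the same `--policy .npm-scan.yml`, so either the threshold lives in the policy file and the comments should say so, or the commands need whatever threshold option the CLI provides; and `uses: lateos/npm-scan@v1` pins a mutable tag, which for a tool whose purpose is supply-chain hygiene is worth replacing with a full commit SHA in the documented snippets.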
@@ -610,5 +706,4 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
610
706
 
611
707
  ```bash
612
708
  npx @lateos/npm-scan scan lodash
613
- ```
614
709
  ```
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lateos/npm-scan",
3
- "version": "1.1.1",
3
+ "version": "1.2.0",
4
4
  "description": "Production-grade npm supply chain vulnerability scanner. Detects 100% of 3 real May 2026 supply chain campaigns (dependency confusion, obfuscation, impersonation) with 0% false positive rate on top 1,000 npm packages.",
5
5
  "main": "backend/index.js",
6
6
  "bin": {
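Review bot: the only change in this file is the version bump to 1.2.0, and the only other file in the diff is README.zh.md, yet the new README content documents a composite action (`lateos/npm-scan@v1` with `scan-type`, `fail-on`, `policy-file`, `siem-format` and `sbom-format` inputs and `findings-count`/`scan-id` outputs) that does not ship in this package. Either the action lives in the repository and the README should link to it, or the inputs are not yet implemented and the minor bump is documenting a feature that users cannot exercise. The unchanged `description` also still asserts "100% of 3 real May 2026 supply chain campaigns" and a "0% false positive rate"; a pointer to the evaluation behind those numbers would make the claim checkable.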