@telora/daemon 0.15.36 → 0.15.40

package/dist/scanners/deps.d.ts

@@ -0,0 +1,101 @@
+/**
+ * npm-audit deps scanner for the security scan engine.
+ *
+ * Spawns `npm audit --json` in the product's repo path and maps the v7+
+ * audit output into FindingDraft rows for the 'deps' IOC class. npm audit
+ * exits non-zero whenever findings exist; that is normal behaviour, not
+ * an error. We only treat the run as failed when the JSON itself is
+ * unparseable.
+ *
+ * Severity mapping: npm uses {info, low, moderate, high, critical}; the
+ * security_findings schema uses {low, medium, high, critical}. We map
+ * `moderate` -> `medium` and skip `info` entries (advisory-only noise).
+ *
+ * @module scanners/deps
+ */
+import type { Scanner, Severity } from '../security-scan-engine.js';
+import { type OsvAdvisory } from '../feeds/osv.js';
+import { type GhsaAdvisory } from '../feeds/ghsa.js';
+import { type IocFeedEntry } from '../feeds/local.js';
+type NpmSeverity = 'info' | 'low' | 'moderate' | 'high' | 'critical';
+interface NpmAuditViaObject {
+    source?: number;
+    name?: string;
+    url?: string;
+    title?: string;
+    severity?: NpmSeverity;
+    cwe?: string[];
+    cvss?: {
+        score?: number;
+        vectorString?: string;
+    };
+    range?: string;
+}
+type NpmAuditVia = string | NpmAuditViaObject;
+interface NpmAuditVulnerability {
+    name?: string;
+    severity?: NpmSeverity;
+    via?: NpmAuditVia[];
+    range?: string;
+    nodes?: string[];
+    fixAvailable?: boolean | {
+        name: string;
+        version: string;
+        isSemVerMajor: boolean;
+    };
+}
+interface NpmAuditOutput {
+    vulnerabilities?: Record<string, NpmAuditVulnerability>;
+    metadata?: {
+        vulnerabilities?: Record<NpmSeverity, number>;
+        dependencies?: Record<string, number> | {
+            total?: number;
+        };
+    };
+}
+export interface NpmAuditResult {
+    stdout: string;
+    exitCode: number;
+}
+export type NpmAuditRunner = (repoPath: string) => Promise<NpmAuditResult>;
+declare function mapSeverity(s: NpmSeverity | undefined): Severity | null;
+declare function parseAuditJson(raw: string): NpmAuditOutput;
+export interface DepsScannerExternalDeps {
+    runNpmAudit: NpmAuditRunner;
+    /** Optional OSV adapter; default uses the real OSV.dev client. */
+    queryOsv?: (input: {
+        packages: Array<{
+            name: string;
+            version: string;
+            ecosystem: 'npm';
+        }>;
+    }) => Promise<{
+        advisories: OsvAdvisory[];
+        warnings: string[];
+    }>;
+    /** Optional GHSA adapter; default uses the real GHSA REST client. */
+    queryGhsa?: (input: {
+        packages: Array<{
+            name: string;
+            ecosystem: 'npm';
+        }>;
+        githubToken?: string;
+    }) => Promise<{
+        advisories: GhsaAdvisory[];
+        warnings: string[];
+    }>;
+    /** Optional local IOC feed loader; default reads from security_ioc_feed_entries. */
+    loadLocalIocFeed?: (organizationId: string, iocClass?: string) => Promise<IocFeedEntry[]>;
+}
+export declare function createDepsScanner(opts: DepsScannerExternalDeps): Scanner;
+declare function computePackagesAudited(audit: NpmAuditOutput): number;
+export declare const depsScanner: Scanner;
+/** Test seam re-export for unit tests. */
+export declare const _internal: {
+    defaultRunNpmAudit: NpmAuditRunner;
+    mapSeverity: typeof mapSeverity;
+    parseAuditJson: typeof parseAuditJson;
+    computePackagesAudited: typeof computePackagesAudited;
+};
+export {};
+//# sourceMappingURL=deps.d.ts.map

package/dist/scanners/deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../../src/scanners/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAIV,OAAO,EACP,QAAQ,EACT,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAY,KAAK,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAa,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAMxF,KAAK,WAAW,GAAG,MAAM,GAAG,KAAK,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,CAAC;AAErE,UAAU,iBAAiB;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,KAAK,WAAW,GAAG,MAAM,GAAG,iBAAiB,CAAC;AAE9C,UAAU,qBAAqB;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,GAAG,CAAC,EAAE,WAAW,EAAE,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE,OAAO,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,OAAO,CAAA;KAAE,CAAC;CACpF;AAED,UAAU,cAAc;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IACxD,QAAQ,CAAC,EAAE;QACT,eAAe,CAAC,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC9C,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG;YAAE,KAAK,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KAC5D,CAAC;CACH;AAOD,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AA4B3E,iBAAS,WAAW,CAAC,CAAC,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,GAAG,IAAI,CAehE;AAUD,iBAAS,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAQnD;AAMD,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,cAAc,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,KAAK,CAAA;SAAE,CAAC,CAAA;KAAE,KACzF,OAAO,CAAC;QAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC7D,qEAAqE;IACrE,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,KAAK,CAAA;SAAE,CAAC,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,KAC/F,OAAO,CAAC;QAAE,UAAU,EAAE,YAAY,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC9D,oFAAoF;IACpF,gBAAgB,CAAC,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;CAC3F;AAkBD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,uBAAuB,GAAG,OAAO,CAsIxE;AAED,iBAAS,sBAAsB,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAe7D;AAMD,eAAO,MAAM,WAAW,EAAE,OAExB,CAAC;AAEH,0CAA0C;AAC1C,eAAO,MAAM,SAAS;;;;;CAKrB,CAAC"}

package/dist/scanners/deps.js

@@ -0,0 +1,242 @@
+/**
+ * npm-audit deps scanner for the security scan engine.
+ *
+ * Spawns `npm audit --json` in the product's repo path and maps the v7+
+ * audit output into FindingDraft rows for the 'deps' IOC class. npm audit
+ * exits non-zero whenever findings exist; that is normal behaviour, not
+ * an error. We only treat the run as failed when the JSON itself is
+ * unparseable.
+ *
+ * Severity mapping: npm uses {info, low, moderate, high, critical}; the
+ * security_findings schema uses {low, medium, high, critical}. We map
+ * `moderate` -> `medium` and skip `info` entries (advisory-only noise).
+ *
+ * @module scanners/deps
+ */
+import { spawn } from 'node:child_process';
+import { queryOsv } from '../feeds/osv.js';
+import { queryGhsa } from '../feeds/ghsa.js';
+import { loadLocalIocFeed, matchesPattern } from '../feeds/local.js';
+const defaultRunNpmAudit = (repoPath) => new Promise((resolve, reject) => {
+    const child = spawn('npm', ['audit', '--json'], {
+        cwd: repoPath,
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    let stdout = '';
+    child.stdout?.on('data', (chunk) => {
+        stdout += chunk.toString('utf8');
+    });
+    // stderr is discarded -- npm emits progress/warnings there that
+    // are not useful for the audit decision.
+    child.on('error', (err) => {
+        reject(err);
+    });
+    child.on('close', (code) => {
+        resolve({ stdout, exitCode: code ?? 0 });
+    });
+});
+// ---------------------------------------------------------------------------
+// Severity mapping
+// ---------------------------------------------------------------------------
+function mapSeverity(s) {
+    switch (s) {
+        case 'low':
+            return 'low';
+        case 'moderate':
+            return 'medium';
+        case 'high':
+            return 'high';
+        case 'critical':
+            return 'critical';
+        case 'info':
+        case undefined:
+        default:
+            return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// JSON shape guard
+// ---------------------------------------------------------------------------
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function parseAuditJson(raw) {
+    const parsed = JSON.parse(raw);
+    if (!isRecord(parsed)) {
+        throw new Error('npm audit JSON: top-level value is not an object');
+    }
+    // Shallow validation -- we treat unknown fields as opaque payload data
+    // rather than failing the scan on schema drift.
+    return parsed;
+}
+function extractPackagesFromVulns(vulns) {
+    // npm audit doesn't include a version in vulnerabilities, just a range.
+    // We use the range as a coarse 'version' for OSV's query -- OSV's batch
+    // tolerates ranges via an empty version when set carefully, but to keep
+    // the contract simple we pass the leftmost concrete version when we can
+    // extract one, otherwise '0.0.0' so OSV returns no match (and we still
+    // surface the npm-audit finding without enrichment).
+    const out = [];
+    for (const [name, advisory] of Object.entries(vulns)) {
+        const range = typeof advisory.range === 'string' ? advisory.range : '';
+        const version = range.match(/\d+\.\d+\.\d+/)?.[0] ?? '0.0.0';
+        out.push({ name, version });
+    }
+    return out;
+}
+export function createDepsScanner(opts) {
+    const osv = opts.queryOsv ?? ((input) => queryOsv({ packages: input.packages }));
+    const ghsa = opts.queryGhsa ?? ((input) => queryGhsa({ packages: input.packages, githubToken: input.githubToken }));
+    const local = opts.loadLocalIocFeed ?? loadLocalIocFeed;
+    return {
+        iocClass: 'deps',
+        async scan(ctx) {
+            const { stdout, exitCode } = await opts.runNpmAudit(ctx.repoPath);
+            let audit;
+            try {
+                audit = parseAuditJson(stdout);
+            }
+            catch (err) {
+                // Non-zero exit with empty/invalid JSON -- the scanner cannot
+                // distinguish "no vulnerabilities" from "npm crashed". Surface
+                // the failure to the engine.
+                throw new Error(`npm audit JSON parse failed (exit ${exitCode}): ${err.message}`);
+            }
+            const vulns = audit.vulnerabilities ?? {};
+            const warnings = [];
+            // Cross-reference -- OSV + GHSA + local IOC feed, all resilient.
+            const packagesForFeed = extractPackagesFromVulns(vulns);
+            const [osvResult, ghsaResult, localEntries] = await Promise.all([
+                osv({ packages: packagesForFeed.map((p) => ({ ...p, ecosystem: 'npm' })) }).catch((err) => ({
+                    advisories: [],
+                    warnings: [`osv: ${err.message}`],
+                })),
+                ghsa({ packages: packagesForFeed.map((p) => ({ name: p.name, ecosystem: 'npm' })) }).catch((err) => ({ advisories: [], warnings: [`ghsa: ${err.message}`] })),
+                local(ctx.config.organizationId, 'deps').catch((err) => {
+                    warnings.push(`local-ioc-feed: ${err.message}`);
+                    return [];
+                }),
+            ]);
+            warnings.push(...osvResult.warnings, ...ghsaResult.warnings);
+            const osvByPackage = new Map();
+            for (const adv of osvResult.advisories) {
+                for (const a of adv.affected) {
+                    if (a.package.ecosystem.toLowerCase() === 'npm') {
+                        const list = osvByPackage.get(a.package.name) ?? [];
+                        list.push(adv);
+                        osvByPackage.set(a.package.name, list);
+                    }
+                }
+            }
+            const ghsaByPackage = new Map();
+            for (const adv of ghsaResult.advisories) {
+                for (const v of adv.vulnerabilities) {
+                    if (v.package.ecosystem.toLowerCase() === 'npm') {
+                        const list = ghsaByPackage.get(v.package.name) ?? [];
+                        list.push(adv);
+                        ghsaByPackage.set(v.package.name, list);
+                    }
+                }
+            }
+            // Deduplicate findings across npm-audit + local-ioc by (identifier).
+            const findings = [];
+            const seen = new Set();
+            for (const [packageName, advisory] of Object.entries(vulns)) {
+                const severity = mapSeverity(advisory.severity);
+                if (severity === null)
+                    continue;
+                const range = typeof advisory.range === 'string' ? advisory.range : '*';
+                const identifier = `${packageName}@${range}`;
+                if (seen.has(identifier))
+                    continue;
+                seen.add(identifier);
+                const payload = {
+                    name: packageName,
+                    severity: advisory.severity,
+                    via: advisory.via ?? [],
+                    range,
+                    nodes: advisory.nodes ?? [],
+                    fixAvailable: advisory.fixAvailable ?? false,
+                    osv: osvByPackage.get(packageName) ?? [],
+                    ghsa: ghsaByPackage.get(packageName) ?? [],
+                };
+                findings.push({ iocClass: 'deps', severity, identifier, payload });
+            }
+            // Local IOC entries with ioc_class='deps' add findings even if
+            // upstream audit/feeds are silent. Pattern is matched against
+            // each audited package's "name@range".
+            for (const entry of localEntries) {
+                if (entry.iocClass !== 'deps')
+                    continue;
+                for (const [name, advisory] of Object.entries(vulns)) {
+                    const range = typeof advisory.range === 'string' ? advisory.range : '*';
+                    const candidate = `${name}@${range}`;
+                    if (!matchesPattern(candidate, entry))
+                        continue;
+                    const identifier = `${candidate}#ioc:${entry.id}`;
+                    if (seen.has(identifier))
+                        continue;
+                    seen.add(identifier);
+                    findings.push({
+                        iocClass: 'deps',
+                        severity: entry.severity,
+                        identifier,
+                        payload: {
+                            source: 'local_ioc_feed',
+                            entry_id: entry.id,
+                            pattern_type: entry.patternType,
+                            pattern: entry.pattern,
+                            advisory_text: entry.advisoryText,
+                            matched: candidate,
+                        },
+                    });
+                }
+            }
+            const packagesAudited = computePackagesAudited(audit);
+            const coverage = {
+                packages_audited: packagesAudited,
+                advisories_returned: Object.keys(vulns).length,
+                npm_audit_exit_code: exitCode,
+                osv_advisories: osvResult.advisories.length,
+                ghsa_advisories: ghsaResult.advisories.length,
+                local_ioc_entries: localEntries.length,
+            };
+            if (warnings.length > 0) {
+                coverage.warnings = warnings;
+            }
+            return { findings, coverage };
+        },
+    };
+}
+function computePackagesAudited(audit) {
+    const deps = audit.metadata?.dependencies;
+    if (!deps)
+        return 0;
+    if (typeof deps === 'object' && 'total' in deps && typeof deps.total === 'number') {
+        return deps.total;
+    }
+    // Some npm versions emit a flat record of counts; sum the numeric values.
+    if (isRecord(deps)) {
+        let total = 0;
+        for (const v of Object.values(deps)) {
+            if (typeof v === 'number')
+                total += v;
+        }
+        return total;
+    }
+    return 0;
+}
+// ---------------------------------------------------------------------------
+// Default export -- real spawn-backed scanner registered by the engine.
+// ---------------------------------------------------------------------------
+export const depsScanner = createDepsScanner({
+    runNpmAudit: defaultRunNpmAudit,
+});
+/** Test seam re-export for unit tests. */
+export const _internal = {
+    defaultRunNpmAudit,
+    mapSeverity,
+    parseAuditJson,
+    computePackagesAudited,
+};
+//# sourceMappingURL=deps.js.map

package/dist/scanners/deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.js","sourceRoot":"","sources":["../../src/scanners/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAQ3C,OAAO,EAAE,QAAQ,EAAoB,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAqB,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAqB,MAAM,mBAAmB,CAAC;AAkDxF,MAAM,kBAAkB,GAAmB,CAAC,QAAQ,EAAE,EAAE,CACtD,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE;QAC9C,GAAG,EAAE,QAAQ;QACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IACH,gEAAgE;IAChE,yCAAyC;IAEzC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,OAAO,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,CAA0B;IAC7C,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM,CAAC;QACZ,KAAK,SAAS,CAAC;QACf;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,uEAAuE;IACvE,gDAAgD;IAChD,OAAO,MAAwB,CAAC;AAClC,CAAC;AAkBD,SAAS,wBAAwB,CAAC,KAA4C;IAC5E,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,uEAAuE;IACvE,qDAAqD;IACrD,MAAM,GAAG,GAA6C,EAAE,CAAC;IACzD,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAA6B;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACpH,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC;IACxD,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAElE,IAAI,KAAqB,CAAC;YAC1B,IAAI,CAAC;gBACH,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,8DAA8D;gBAC9D,+DAA+D;gBAC/D,6BAA6B;gBAC7B,MAAM,IAAI,KAAK,CACb,qCAAqC,QAAQ,MAAO,GAAa,CAAC,OAAO,EAAE,CAC5E,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAa,EAAE,CAAC;YAE9B,iEAAiE;YACjE,MAAM,eAAe,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBAC9D,GAAG,CAAC,EAAE,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,KAAc,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE,CAAC,CAAC;oBAC5G,UAAU,EAAE,EAAmB;oBAC/B,QAAQ,EAAE,CAAC,QAAS,GAAa,CAAC,OAAO,EAAE,CAAC;iBAC7C,CAAC,CAAC;gBACH,IAAI,CAAC,EAAE,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,KAAc,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CACjG,CAAC,GAAY,EAAE,EAAE,CAAC,CAAC,EAAE,UAAU,EAAE,EAAoB,EAAE,QAAQ,EAAE,CAAC,SAAU,GAAa,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CACxG;gBACD,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;oBAC9D,QAAQ,CAAC,IAAI,CAAC,mBAAoB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC3D,OAAO,EAAoB,CAAC;gBAC9B,CAAC,CAAC;aACH,CAAC,CAAC;YACH,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YAE7D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAyB,CAAC;YACtD,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;gBACvC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBAC7B,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;wBAChD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;wBACpD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACf,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBACzC,CAAC;gBACH,CAAC;YACH,CAAC;YACD,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAC;YACxD,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;gBACxC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;oBACpC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;wBAChD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;wBACrD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACf,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBAC1C,CAAC;gBACH,CAAC;YACH,CAAC;YAED,qEAAqE;YACrE,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAE/B,KAAK,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAChD,IAAI,QAAQ,KAAK,IAAI;oBAAE,SAAS;gBAEhC,MAAM,KAAK,GAAG,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;gBACxE,MAAM,UAAU,GAAG,GAAG,WAAW,IAAI,KAAK,EAAE,CAAC;gBAC7C,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;oBAAE,SAAS;gBACnC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBAErB,MAAM,OAAO,GAA4B;oBACvC,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG,IAAI,EAAE;oBACvB,KAAK;oBACL,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,EAAE;oBAC3B,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,KAAK;oBAC5C,GAAG,EAAE,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE;oBACxC,IAAI,EAAE,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE;iBAC3C,CAAC;gBAEF,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,+DAA+D;YAC/D,8DAA8D;YAC9D,uCAAuC;YACvC,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;gBACjC,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM;oBAAE,SAAS;gBACxC,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACrD,MAAM,KAAK,GAAG,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;oBACxE,MAAM,SAAS,GAAG,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC;oBACrC,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,KAAK,CAAC;wBAAE,SAAS;oBAChD,MAAM,UAAU,GAAG,GAAG,SAAS,QAAQ,KAAK,CAAC,EAAE,EAAE,CAAC;oBAClD,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;wBAAE,SAAS;oBACnC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;oBACrB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;wBACxB,UAAU;wBACV,OAAO,EAAE;4BACP,MAAM,EAAE,gBAAgB;4BACxB,QAAQ,EAAE,KAAK,CAAC,EAAE;4BAClB,YAAY,EAAE,KAAK,CAAC,WAAW;4BAC/B,OAAO,EAAE,KAAK,CAAC,OAAO;4BACtB,aAAa,EAAE,KAAK,CAAC,YAAY;4BACjC,OAAO,EAAE,SAAS;yBACnB;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,MAAM,eAAe,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAA4B;gBACxC,gBAAgB,EAAE,eAAe;gBACjC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM;gBAC9C,mBAAmB,EAAE,QAAQ;gBAC7B,cAAc,EAAE,SAAS,CAAC,UAAU,CAAC,MAAM;gBAC3C,eAAe,EAAE,UAAU,CAAC,UAAU,CAAC,MAAM;gBAC7C,iBAAiB,EAAE,YAAY,CAAC,MAAM;aACvC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAC/B,CAAC;YAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QAChC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAqB;IACnD,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,YAAY,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,CAAC,CAAC;IACpB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAClF,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IACD,0EAA0E;IAC1E,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,KAAK,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAE9E,MAAM,CAAC,MAAM,WAAW,GAAY,iBAAiB,CAAC;IACpD,WAAW,EAAE,kBAAkB;CAChC,CAAC,CAAC;AAEH,0CAA0C;AAC1C,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,kBAAkB;IAClB,WAAW;IACX,cAAc;IACd,sBAAsB;CACvB,CAAC"}

package/dist/scanners/signatures.d.ts

@@ -0,0 +1,44 @@
+/**
+ * npm audit signatures scanner -- security scan engine plugin.
+ *
+ * Runs `npm audit signatures --json` against the product's repo and converts
+ * each unverified or invalid-signature entry into a FindingDraft. Signature
+ * verification has no npm-provided severity tier, so every finding is marked
+ * 'medium' -- a signature problem is always actionable, but not on its own a
+ * critical-severity issue without further context.
+ *
+ * Pattern reference: verification-engine.ts (dep-injection seam for spawn).
+ *
+ * @module scanners/signatures
+ */
+import type { Scanner } from '../security-scan-engine.js';
+export interface NpmAuditSignaturesResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number | null;
+}
+export type RunNpmAuditSignatures = (cwd: string) => Promise<NpmAuditSignaturesResult>;
+interface SignatureEntry {
+    name: string;
+    version: string;
+    raw: Record<string, unknown>;
+    reason: string;
+}
+/**
+ * Parse the npm audit signatures JSON envelope. Tolerates shape variations
+ * across npm versions -- `invalid` and `missing` may be absent or empty.
+ * Throws if the payload is not valid JSON or not an object.
+ */
+export declare function parseSignaturesReport(stdout: string): {
+    invalid: SignatureEntry[];
+    missing: SignatureEntry[];
+    totalChecked: number;
+};
+export interface SignaturesScannerDeps {
+    runNpmAuditSignatures: RunNpmAuditSignatures;
+}
+export declare function createSignaturesScanner(deps: SignaturesScannerDeps): Scanner;
+/** Default scanner wired to the real npm CLI. */
+export declare const signaturesScanner: Scanner;
+export {};
+//# sourceMappingURL=signatures.d.ts.map

package/dist/scanners/signatures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatures.d.ts","sourceRoot":"","sources":["../../src/scanners/signatures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAIV,OAAO,EACR,MAAM,4BAA4B,CAAC;AAMpC,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,wBAAwB,CAAC,CAAC;AAwCvF,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;CAChB;AAiCD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG;IACrD,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;CACtB,CA4BA;AAMD,MAAM,WAAW,qBAAqB;IACpC,qBAAqB,EAAE,qBAAqB,CAAC;CAC9C;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAiC5E;AAED,iDAAiD;AACjD,eAAO,MAAM,iBAAiB,EAAE,OAE9B,CAAC"}

package/dist/scanners/signatures.js

@@ -0,0 +1,140 @@
+/**
+ * npm audit signatures scanner -- security scan engine plugin.
+ *
+ * Runs `npm audit signatures --json` against the product's repo and converts
+ * each unverified or invalid-signature entry into a FindingDraft. Signature
+ * verification has no npm-provided severity tier, so every finding is marked
+ * 'medium' -- a signature problem is always actionable, but not on its own a
+ * critical-severity issue without further context.
+ *
+ * Pattern reference: verification-engine.ts (dep-injection seam for spawn).
+ *
+ * @module scanners/signatures
+ */
+import { spawn } from 'node:child_process';
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+/** Default implementation: spawn the real npm CLI in the repo. */
+const defaultRunNpmAuditSignatures = (cwd) => new Promise((resolve, reject) => {
+    const child = spawn('npm', ['audit', 'signatures', '--json'], {
+        cwd,
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout?.on('data', (chunk) => {
+        stdout += chunk.toString('utf8');
+    });
+    child.stderr?.on('data', (chunk) => {
+        stderr += chunk.toString('utf8');
+    });
+    const timer = setTimeout(() => {
+        try {
+            child.kill('SIGKILL');
+        }
+        catch { /* ignore */ }
+    }, DEFAULT_TIMEOUT_MS);
+    child.on('error', (err) => {
+        clearTimeout(timer);
+        reject(err);
+    });
+    child.on('close', (code) => {
+        clearTimeout(timer);
+        resolve({ stdout, stderr, exitCode: code });
+    });
+});
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function stringField(record, key) {
+    const v = record[key];
+    return typeof v === 'string' ? v : undefined;
+}
+function numberField(record, key) {
+    const v = record[key];
+    return typeof v === 'number' && Number.isFinite(v) ? v : undefined;
+}
+function entriesFromArray(value, fallbackReason) {
+    if (!Array.isArray(value))
+        return [];
+    const out = [];
+    for (const item of value) {
+        if (!isRecord(item))
+            continue;
+        const name = stringField(item, 'name');
+        const version = stringField(item, 'version');
+        if (!name || !version)
+            continue;
+        const reason = stringField(item, 'reason') ?? fallbackReason;
+        out.push({ name, version, raw: item, reason });
+    }
+    return out;
+}
+/**
+ * Parse the npm audit signatures JSON envelope. Tolerates shape variations
+ * across npm versions -- `invalid` and `missing` may be absent or empty.
+ * Throws if the payload is not valid JSON or not an object.
+ */
+export function parseSignaturesReport(stdout) {
+    const trimmed = stdout.trim();
+    if (trimmed.length === 0) {
+        throw new Error('npm audit signatures produced empty output');
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch (err) {
+        throw new Error(`failed to parse npm audit signatures JSON: ${err.message}`);
+    }
+    if (!isRecord(parsed)) {
+        throw new Error('npm audit signatures JSON root is not an object');
+    }
+    const invalid = entriesFromArray(parsed.invalid, 'invalid_signature');
+    const missing = entriesFromArray(parsed.missing, 'missing');
+    // Best-effort total. npm has shipped a few different field names over the
+    // years (`packagesAudited`, `count`, etc.). Fall back to invalid+missing
+    // when nothing usable is reported.
+    const totalChecked = numberField(parsed, 'packagesAudited') ??
+        numberField(parsed, 'totalChecked') ??
+        (isRecord(parsed.count) ? numberField(parsed.count, 'total') : undefined) ??
+        invalid.length + missing.length;
+    return { invalid, missing, totalChecked };
+}
+export function createSignaturesScanner(deps) {
+    return {
+        iocClass: 'signatures',
+        async scan(ctx) {
+            const { stdout, exitCode } = await deps.runNpmAuditSignatures(ctx.repoPath);
+            const report = parseSignaturesReport(stdout);
+            const findings = [];
+            const emit = (entry) => {
+                findings.push({
+                    iocClass: 'signatures',
+                    severity: 'medium',
+                    identifier: `${entry.name}@${entry.version}`,
+                    payload: {
+                        ...entry.raw,
+                        reason: entry.reason,
+                    },
+                });
+            };
+            for (const entry of report.invalid)
+                emit(entry);
+            for (const entry of report.missing)
+                emit(entry);
+            const coverage = {
+                packages_checked: report.totalChecked,
+                unverified: report.invalid.length + report.missing.length,
+                missing: report.missing.length,
+                invalid: report.invalid.length,
+                npm_exit_code: exitCode,
+            };
+            return { findings, coverage };
+        },
+    };
+}
+/** Default scanner wired to the real npm CLI. */
+export const signaturesScanner = createSignaturesScanner({
+    runNpmAuditSignatures: defaultRunNpmAuditSignatures,
+});
+//# sourceMappingURL=signatures.js.map

package/dist/scanners/signatures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatures.js","sourceRoot":"","sources":["../../src/scanners/signatures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAoB3C,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEtD,kEAAkE;AAClE,MAAM,4BAA4B,GAA0B,CAAC,GAAG,EAAE,EAAE,CAClE,IAAI,OAAO,CAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;IACxD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE;QAC5D,GAAG;QACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;QAC5B,IAAI,CAAC;YAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;IACvD,CAAC,EAAE,kBAAkB,CAAC,CAAC;IAEvB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAaL,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,WAAW,CAAC,MAA+B,EAAE,GAAW;IAC/D,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/C,CAAC;AAED,SAAS,WAAW,CAAC,MAA+B,EAAE,GAAW;IAC/D,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACrE,CAAC;AAED,SAAS,gBAAgB,CACvB,KAAc,EACd,cAAsB;IAEtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9B,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,SAAS;QAChC,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,cAAc,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAKlD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA+C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5D,0EAA0E;IAC1E,yEAAyE;IACzE,mCAAmC;IACnC,MAAM,YAAY,GAChB,WAAW,CAAC,MAAM,EAAE,iBAAiB,CAAC;QACtC,WAAW,CAAC,MAAM,EAAE,cAAc,CAAC;QACnC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAElC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAUD,MAAM,UAAU,uBAAuB,CAAC,IAA2B;IACjE,OAAO;QACL,QAAQ,EAAE,YAAY;QACtB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC5E,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAE7C,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,CAAC,KAAqB,EAAE,EAAE;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE;oBAC5C,OAAO,EAAE;wBACP,GAAG,KAAK,CAAC,GAAG;wBACZ,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC,CAAC;YACF,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO;gBAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAChD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO;gBAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAEhD,MAAM,QAAQ,GAA4B;gBACxC,gBAAgB,EAAE,MAAM,CAAC,YAAY;gBACrC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM;gBACzD,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;gBAC9B,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;gBAC9B,aAAa,EAAE,QAAQ;aACxB,CAAC;YAEF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QAChC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,MAAM,iBAAiB,GAAY,uBAAuB,CAAC;IAChE,qBAAqB,EAAE,4BAA4B;CACpD,CAAC,CAAC"}

package/dist/scanners/workflow.d.ts

@@ -0,0 +1,34 @@
+/**
+ * GitHub Actions workflow scanner -- security-scan engine plugin.
+ *
+ * Detects the `pull_request_target` + checkout-head + cache-write pattern
+ * that lets a fork PR's untrusted code execute with the base repo's
+ * elevated permissions and secrets, and persists artifacts (caches)
+ * back to the base repo. This is the canonical "pwn request" supply
+ * chain vulnerability.
+ *
+ * Matched when ALL three are true for a single job:
+ *   1. Workflow `on:` includes `pull_request_target` (string | array | object).
+ *   2. The job contains an `actions/checkout@*` step whose `with.ref` is
+ *      one of `${{ github.event.pull_request.head.sha }}` or
+ *      `${{ github.event.pull_request.head.ref }}`.
+ *   3. The job contains a cache-write step:
+ *        - `actions/cache@*` (any non-`restore`-suffixed action), or
+ *        - `actions/setup-*` step with `with.cache: true` (or any truthy
+ *          string), or
+ *        - any step after the head-ref checkout whose `with.cache` is truthy.
+ *
+ * Pattern reference: verification-engine.ts (Deps + default factory).
+ *
+ * @module scanners/workflow
+ */
+import type { Scanner } from '../security-scan-engine.js';
+export interface WorkflowScannerDeps {
+    /** List workflow files in the repo's `.github/workflows/` directory. */
+    readWorkflowsDir: (repoPath: string) => Promise<string[]>;
+    /** Read a workflow file's contents as UTF-8. */
+    readFile: (path: string) => Promise<string>;
+}
+export declare function createWorkflowScanner(deps?: WorkflowScannerDeps): Scanner;
+export declare const workflowScanner: Scanner;
+//# sourceMappingURL=workflow.d.ts.map

package/dist/scanners/workflow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow.d.ts","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,KAAK,EAAyC,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAMjG,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,gDAAgD;IAChD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7C;AAmKD,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,mBAAiC,GAAG,OAAO,CA4DtF;AAWD,eAAO,MAAM,eAAe,EAAE,OAAiC,CAAC"}