@westbayberry/dg 1.0.13 → 1.0.14

package/README.md

@@ -1,6 +1,6 @@
 # @westbayberry/dg
 
-Supply chain security scanner for npm and Python dependencies. Detects malicious packages, typosquatting, dependency confusion, and 20+ attack patterns before they reach production.
+Supply chain security scanner for npm and Python dependencies. Scans lockfile changes against 26+ detectors to catch malicious packages, typosquatting, dependency confusion, credential theft, and obfuscated code before they reach production.
 
 ## Install
 
@@ -8,6 +8,8 @@ Supply chain security scanner for npm and Python dependencies. Detects malicious
 npm install -g @westbayberry/dg
 ```
 
+Requires Node.js 18+.
+
 ## Quick Start
 
 ```bash
@@ -15,48 +17,93 @@ dg login
 dg scan
 ```
 
-The CLI auto-discovers projects in your directory tree — npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and Python dependency files (requirements.txt, Pipfile.lock, poetry.lock). If multiple projects are found, you pick which ones to scan.
+The CLI walks your directory tree and finds npm lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`) and Python dependency files (`requirements.txt`, `Pipfile.lock`, `poetry.lock`). If multiple projects are found, an interactive selector lets you pick which ones to scan.
+
+Only changed packages are scanned by default — `dg` diffs your lockfile against the git merge-base with `main` to find what's new or updated.
 
 ## Commands
 
 ```
-dg scan [options]        Scan dependencies (auto-discovers npm + Python projects)
-dg npm install <pkg>     Scan packages before installing
+dg scan [options]        Scan dependencies for supply chain threats
+dg npm install <pkg>     Scan packages before installing them
 dg login                 Authenticate with your WestBayBerry account
 dg logout                Remove saved credentials
-dg hook install          Install git pre-commit hook to scan lockfile changes
+dg hook install          Install git pre-commit hook
 dg hook uninstall        Remove the pre-commit hook
 dg update                Check for and install the latest version
 dg wrap                  Show instructions to alias npm to dg
 ```
 
-### Scan Options
+## What It Detects
+
+Each package is analyzed by 26+ detectors covering:
+
+| Category | Examples |
+|----------|----------|
+| **Code execution** | `child_process` spawning, `eval`/`Function` calls, shell command injection |
+| **Network exfiltration** | HTTP/WebSocket/DNS/gRPC calls, URL obfuscation, data exfil patterns |
+| **Credential theft** | Reading SSH keys, browser tokens, cloud credentials, `.npmrc`/`.pypirc` |
+| **Install scripts** | Suspicious `preinstall`/`postinstall` hooks, download-and-execute chains |
+| **Obfuscation** | Hex/unicode encoding, string reconstruction, phantom eval, minified payloads |
+| **Supply chain** | Typosquatting, dependency confusion, version squatting, borrowed repo URLs |
+| **Persistence** | Writing to shell configs, cron jobs, systemd units, SSH `authorized_keys` |
+| **Behavioral** | Time-gated payloads, purpose mismatch, runtime evasion, binary addons |
+| **Reputation** | Missing/fake GitHub repos, ghost packages, low download counts |
+
+Findings include severity (1–5), confidence (0–1), and code evidence with file paths and line numbers.
+
+## Scan Options
 
 | Flag | Default | Description |
 |------|---------|-------------|
 | `--mode <mode>` | `warn` | `block` / `warn` / `off` |
-| `--block-threshold <n>` | `70` | Score threshold for blocking |
-| `--warn-threshold <n>` | `60` | Score threshold for warnings |
+| `--block-threshold <n>` | `70` | Score threshold for blocking (0–100) |
+| `--warn-threshold <n>` | `60` | Score threshold for warnings (0–100) |
 | `--max-packages <n>` | `200` | Max packages per scan |
 | `--allowlist <pkgs>` | | Comma-separated packages to skip |
-| `--json` | | Output JSON for CI parsing |
+| `--json` | | Output raw JSON (for CI parsing) |
 | `--scan-all` | | Scan all packages, not just changed |
 | `--base-lockfile <path>` | | Explicit base lockfile for diff |
 | `--workspace <dir>` | | Scan a specific workspace subdirectory |
-| `--debug` | | Show diagnostic output |
+| `--debug` | | Show discovery, batching, and timing info |
 
-### Exit Codes
+## Exit Codes
 
 | Code | Meaning | CI Action |
 |------|---------|-----------|
 | `0` | Pass | Continue |
 | `1` | Warning | Advisory — review recommended |
 | `2` | Block | Fail the pipeline |
-| `3` | Error | Internal error |
+| `3` | Error | Internal error (auth, network, etc.) |
 
-## CI Setup
+## Configuration
+
+Settings can come from CLI flags, environment variables, or a `.dgrc.json` config file (searched in the current directory, then `~/`). CLI flags take highest precedence.
+
+### `.dgrc.json`
+
+```json
+{
+  "apiKey": "dg_...",
+  "mode": "block",
+  "blockThreshold": 70,
+  "warnThreshold": 60,
+  "maxPackages": 200,
+  "allowlist": ["known-safe-pkg"]
+}
+```
+
+### Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `DG_API_URL` | API base URL |
+| `DG_MODE` | `block` / `warn` / `off` |
+| `DG_ALLOWLIST` | Comma-separated allowlist |
+| `DG_DEBUG` | Set to `1` for diagnostic output |
+| `DG_WORKSPACE` | Workspace subdirectory |
 
-Authenticate first, then add the scan to your pipeline:
+## CI Setup
 
 ### GitHub Actions
 
@@ -74,6 +121,18 @@ npx @westbayberry/dg login
 npx @westbayberry/dg scan --mode block --json
 ```
 
+The `--json` flag outputs machine-readable results. Exit code `2` signals a blocked scan — wire it into your pipeline to fail the build.
+
+### Monorepo / Workspace
+
+Scan a specific workspace:
+
+```bash
+dg scan --workspace packages/api
+```
+
+Or let `dg` discover all projects and pick interactively.
+
 ## Git Hook
 
 Block commits that introduce risky dependencies:
@@ -82,22 +141,34 @@ Block commits that introduce risky dependencies:
 dg hook install
 ```
 
-This installs a pre-commit hook that runs `dg scan --mode block` whenever a lockfile change is staged. Use `dg hook uninstall` to remove it.
+This adds a pre-commit hook that runs `dg scan --mode block` whenever a lockfile is staged. If any package scores above the block threshold, the commit is rejected. Remove it with `dg hook uninstall`.
 
 ## npm Wrapper
 
-Scan packages before installing:
+Scan packages before they're installed:
 
 ```bash
 dg npm install express lodash
 ```
 
-Use `--dg-force` to bypass a block. Or alias npm globally:
+Packages are resolved and scanned through the API. If a package is blocked, you'll get a confirmation prompt — press `y` to install anyway, or use `--dg-force` to skip the prompt.
+
+To make this the default for all `npm install` commands:
 
 ```bash
 echo 'alias npm="dg npm"' >> ~/.zshrc
 ```
 
+## Python Support
+
+Python projects are detected alongside npm. The scanner reads:
+
+- `requirements.txt` — `name==version` pins
+- `Pipfile.lock` — default and develop sections
+- `poetry.lock` — `[[package]]` entries
+
+Python packages are analyzed through the same detection engine against the PyPI registry.
+
 ## Links
 
 - [Dashboard](https://westbayberry.com/dashboard)

package/dist/index.mjs

@@ -39587,6 +39587,144 @@ var init_lockfile = __esm({
   }
 });
 
+// src/discover.ts
+var discover_exports = {};
+__export(discover_exports, {
+  discoverProjects: () => discoverProjects
+});
+import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, statSync } from "node:fs";
+import { join as join6, relative, basename } from "node:path";
+function discoverProjects(root) {
+  const projects = [];
+  walk(root, root, 0, projects);
+  return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+}
+function walk(dir, root, depth, out) {
+  if (depth > MAX_DEPTH) return;
+  for (const lockfile of NPM_LOCKFILES) {
+    const lockPath = join6(dir, lockfile);
+    if (existsSync6(lockPath)) {
+      const count = countNpmPackages(lockPath);
+      if (count > 0) {
+        out.push({
+          path: dir,
+          relativePath: relative(root, dir) || ".",
+          ecosystem: "npm",
+          depFile: lockfile,
+          packageCount: count
+        });
+      }
+      break;
+    }
+  }
+  for (const depFile of PYTHON_DEPFILES) {
+    const depPath = join6(dir, depFile);
+    if (existsSync6(depPath)) {
+      const count = countPythonPackages(depPath, depFile);
+      if (count > 0) {
+        out.push({
+          path: dir,
+          relativePath: relative(root, dir) || ".",
+          ecosystem: "pypi",
+          depFile,
+          packageCount: count
+        });
+      }
+      break;
+    }
+  }
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
+    const full = join6(dir, entry);
+    try {
+      if (statSync(full).isDirectory()) {
+        walk(full, root, depth + 1, out);
+      }
+    } catch {
+    }
+  }
+}
+function countNpmPackages(lockPath) {
+  try {
+    const name = basename(lockPath);
+    const content = readFileSync7(lockPath, "utf-8");
+    if (name === "yarn.lock") {
+      return (content.match(/^\S.*:$/gm) || []).length;
+    }
+    if (name === "pnpm-lock.yaml") {
+      return (content.match(/^\s{2}'?[/@]/gm) || []).length || estimateLines(content, 200);
+    }
+    const parsed = JSON.parse(content);
+    if (parsed.packages) {
+      return Object.keys(parsed.packages).filter((k) => k !== "").length;
+    }
+    if (parsed.dependencies) {
+      return Object.keys(parsed.dependencies).length;
+    }
+    return 0;
+  } catch {
+    return 0;
+  }
+}
+function countPythonPackages(depPath, depFile) {
+  try {
+    const content = readFileSync7(depPath, "utf-8");
+    if (depFile === "Pipfile.lock") {
+      const parsed = JSON.parse(content);
+      const defaultCount = Object.keys(parsed.default || {}).length;
+      const devCount = Object.keys(parsed.develop || {}).length;
+      return defaultCount + devCount;
+    }
+    if (depFile === "poetry.lock") {
+      return (content.match(/^\[\[package\]\]/gm) || []).length;
+    }
+    return content.split("\n").filter(
+      (line) => line.trim() && !line.trim().startsWith("#") && !line.trim().startsWith("-")
+    ).length;
+  } catch {
+    return 0;
+  }
+}
+function estimateLines(content, fallback) {
+  const lines = content.split("\n").length;
+  return lines > 20 ? Math.floor(lines / 4) : fallback;
+}
+var SKIP_DIRS, NPM_LOCKFILES, PYTHON_DEPFILES, MAX_DEPTH;
+var init_discover = __esm({
+  "src/discover.ts"() {
+    "use strict";
+    SKIP_DIRS = /* @__PURE__ */ new Set([
+      "node_modules",
+      ".venv",
+      "venv",
+      "__pycache__",
+      ".git",
+      ".tox",
+      ".eggs",
+      "dist",
+      "build",
+      ".next",
+      ".nuxt",
+      "coverage",
+      ".cache",
+      ".pytest_cache",
+      ".mypy_cache",
+      "validation-results",
+      "test-fixtures",
+      "fixtures"
+    ]);
+    NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
+    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+    MAX_DEPTH = 8;
+  }
+});
+
 // src/static-output.ts
 var static_output_exports = {};
 __export(static_output_exports, {
@@ -39750,7 +39888,24 @@ async function runStatic(config) {
   const discovery = discoverChanges(process.cwd(), config);
   dbg(`discovery method: ${discovery.method}`);
   if (discovery.packages.length === 0) {
-    process.stderr.write(import_chalk4.default.dim("  No package changes detected.\n"));
+    const { discoverProjects: discoverProjects2 } = await Promise.resolve().then(() => (init_discover(), discover_exports));
+    const subProjects = discoverProjects2(process.cwd());
+    if (subProjects.length > 0) {
+      process.stderr.write(import_chalk4.default.yellow("  No packages found in current directory, but found projects in subdirectories:\n\n"));
+      for (const proj of subProjects) {
+        const pkgLabel = proj.packageCount === 1 ? "package" : "packages";
+        process.stderr.write(
+          import_chalk4.default.white(`    ${proj.ecosystem}  `) + import_chalk4.default.cyan(proj.relativePath) + import_chalk4.default.dim(` (${proj.packageCount} ${pkgLabel})
+`)
+        );
+      }
+      process.stderr.write(import_chalk4.default.dim("\n  Use --workspace to scan a specific project:\n"));
+      process.stderr.write(import_chalk4.default.dim(`    dg scan --workspace ${subProjects[0].relativePath}${config.scanAll ? " --scan-all" : ""}
+
+`));
+    } else {
+      process.stderr.write(import_chalk4.default.dim("  No package changes detected.\n"));
+    }
     process.exit(0);
   }
   const packages = discovery.packages.filter(
@@ -40037,14 +40192,14 @@ __export(hook_exports, {
 });
 import { execFileSync as execFileSync2 } from "node:child_process";
 import {
-  existsSync as existsSync6,
-  readFileSync as readFileSync7,
+  existsSync as existsSync7,
+  readFileSync as readFileSync8,
   writeFileSync as writeFileSync3,
   mkdirSync,
   chmodSync as chmodSync2,
   unlinkSync as unlinkSync2
 } from "node:fs";
-import { join as join6 } from "node:path";
+import { join as join7 } from "node:path";
 function findGitDir() {
   try {
     return execFileSync2("git", ["rev-parse", "--git-dir"], {
@@ -40057,11 +40212,11 @@ function findGitDir() {
 }
 function installHook() {
   const gitDir = findGitDir();
-  const hooksDir = join6(gitDir, "hooks");
-  const hookPath = join6(hooksDir, "pre-commit");
+  const hooksDir = join7(gitDir, "hooks");
+  const hookPath = join7(hooksDir, "pre-commit");
   mkdirSync(hooksDir, { recursive: true });
-  if (existsSync6(hookPath)) {
-    const existing = readFileSync7(hookPath, "utf-8");
+  if (existsSync7(hookPath)) {
+    const existing = readFileSync8(hookPath, "utf-8");
     if (existing.includes(HOOK_MARKER)) {
       process.stderr.write("  Hook already installed.\n");
       return;
@@ -40081,12 +40236,12 @@ function installHook() {
 }
 function uninstallHook() {
   const gitDir = findGitDir();
-  const hookPath = join6(gitDir, "hooks", "pre-commit");
-  if (!existsSync6(hookPath)) {
+  const hookPath = join7(gitDir, "hooks", "pre-commit");
+  if (!existsSync7(hookPath)) {
     process.stderr.write("  No hook to remove.\n");
     return;
   }
-  const content = readFileSync7(hookPath, "utf-8");
+  const content = readFileSync8(hookPath, "utf-8");
   if (!content.includes(HOOK_MARKER)) {
     process.stderr.write(
       "  No Dependency Guardian hook found in pre-commit.\n"
@@ -40807,140 +40962,6 @@ var init_NpmWrapperApp = __esm({
   }
 });
 
-// src/discover.ts
-import { existsSync as existsSync7, readFileSync as readFileSync8, readdirSync, statSync } from "node:fs";
-import { join as join7, relative, basename } from "node:path";
-function discoverProjects(root) {
-  const projects = [];
-  walk(root, root, 0, projects);
-  return projects.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
-}
-function walk(dir, root, depth, out) {
-  if (depth > MAX_DEPTH) return;
-  for (const lockfile of NPM_LOCKFILES) {
-    const lockPath = join7(dir, lockfile);
-    if (existsSync7(lockPath)) {
-      const count = countNpmPackages(lockPath);
-      if (count > 0) {
-        out.push({
-          path: dir,
-          relativePath: relative(root, dir) || ".",
-          ecosystem: "npm",
-          depFile: lockfile,
-          packageCount: count
-        });
-      }
-      break;
-    }
-  }
-  for (const depFile of PYTHON_DEPFILES) {
-    const depPath = join7(dir, depFile);
-    if (existsSync7(depPath)) {
-      const count = countPythonPackages(depPath, depFile);
-      if (count > 0) {
-        out.push({
-          path: dir,
-          relativePath: relative(root, dir) || ".",
-          ecosystem: "pypi",
-          depFile,
-          packageCount: count
-        });
-      }
-      break;
-    }
-  }
-  let entries;
-  try {
-    entries = readdirSync(dir);
-  } catch {
-    return;
-  }
-  for (const entry of entries) {
-    if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
-    const full = join7(dir, entry);
-    try {
-      if (statSync(full).isDirectory()) {
-        walk(full, root, depth + 1, out);
-      }
-    } catch {
-    }
-  }
-}
-function countNpmPackages(lockPath) {
-  try {
-    const name = basename(lockPath);
-    const content = readFileSync8(lockPath, "utf-8");
-    if (name === "yarn.lock") {
-      return (content.match(/^\S.*:$/gm) || []).length;
-    }
-    if (name === "pnpm-lock.yaml") {
-      return (content.match(/^\s{2}'?[/@]/gm) || []).length || estimateLines(content, 200);
-    }
-    const parsed = JSON.parse(content);
-    if (parsed.packages) {
-      return Object.keys(parsed.packages).filter((k) => k !== "").length;
-    }
-    if (parsed.dependencies) {
-      return Object.keys(parsed.dependencies).length;
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
-function countPythonPackages(depPath, depFile) {
-  try {
-    const content = readFileSync8(depPath, "utf-8");
-    if (depFile === "Pipfile.lock") {
-      const parsed = JSON.parse(content);
-      const defaultCount = Object.keys(parsed.default || {}).length;
-      const devCount = Object.keys(parsed.develop || {}).length;
-      return defaultCount + devCount;
-    }
-    if (depFile === "poetry.lock") {
-      return (content.match(/^\[\[package\]\]/gm) || []).length;
-    }
-    return content.split("\n").filter(
-      (line) => line.trim() && !line.trim().startsWith("#") && !line.trim().startsWith("-")
-    ).length;
-  } catch {
-    return 0;
-  }
-}
-function estimateLines(content, fallback) {
-  const lines = content.split("\n").length;
-  return lines > 20 ? Math.floor(lines / 4) : fallback;
-}
-var SKIP_DIRS, NPM_LOCKFILES, PYTHON_DEPFILES, MAX_DEPTH;
-var init_discover = __esm({
-  "src/discover.ts"() {
-    "use strict";
-    SKIP_DIRS = /* @__PURE__ */ new Set([
-      "node_modules",
-      ".venv",
-      "venv",
-      "__pycache__",
-      ".git",
-      ".tox",
-      ".eggs",
-      "dist",
-      "build",
-      ".next",
-      ".nuxt",
-      "coverage",
-      ".cache",
-      ".pytest_cache",
-      ".mypy_cache",
-      "validation-results",
-      "test-fixtures",
-      "fixtures"
-    ]);
-    NPM_LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"];
-    PYTHON_DEPFILES = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
-    MAX_DEPTH = 8;
-  }
-});
-
 // src/ui/hooks/useScan.ts
 function reducer3(_state, action) {
   switch (action.type) {
@@ -40973,6 +40994,10 @@ function useScan(config) {
       const discovery = discoverChanges(process.cwd(), config);
       const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
       if (packages.length === 0) {
+        if (discovery.packages.length === 0 && projects.length > 0) {
+          dispatch({ type: "PROJECTS_FOUND", projects });
+          return;
+        }
         const message = discovery.packages.length === 0 ? "No package changes detected." : "All changed packages are allowlisted.";
         dispatch({ type: "DISCOVERY_EMPTY", message });
         return;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.13",
-  "description": "Supply chain security scanner — scan npm dependencies in any CI or terminal",
+  "version": "1.0.14",
+  "description": "Supply chain security scanner for npm and Python dependencies — detects malicious packages, typosquatting, dependency confusion, and 26+ attack patterns",
   "bin": {
     "dependency-guardian": "dist/index.mjs",
     "dg": "dist/index.mjs"
@@ -15,10 +15,14 @@
   "keywords": [
     "security",
     "npm",
+    "pypi",
     "supply-chain",
     "scanner",
     "cli",
-    "dependencies"
+    "dependencies",
+    "malware",
+    "typosquatting",
+    "dependency-confusion"
   ],
   "publishConfig": {
     "access": "public"