pqcheck 0.7.7 → 0.7.9

package/README.md

@@ -12,9 +12,13 @@ The same scanner that powers [quantapact.com](https://quantapact.com), the brows
 
 ---
 
-## What's new in 0.7.6
+## What's new in 0.7.9
 
-User-Agent now consistently tags the subcommand on every request (`pqcheck-cli/0.7.6 (scan)`, `(lock)`, `(deps)`, `(history)`, `(watch)`). Lets the server aggregate adoption by subcommand. No new data collected — the subcommand token rides inside the User-Agent header that has always been logged anonymously. See [privacy](https://quantapact.com/privacy) and [CHANGELOG.md](./CHANGELOG.md).
+**CSP verdict + vendor labels on `pqcheck deps`.** The supply-chain table now shows a friendly vendor label (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) per host instead of raw `bam.nr-data.net`-style hostnames, plus a one-line site-wide CSP verdict above the table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`). Same data shape ships on `/r/<domain>` and in the browser extension — cross-surface parity for the supply-chain story. See [CHANGELOG.md](./CHANGELOG.md).
+
+## What's new in 0.7.8
+
+**Supply-chain change detection in CI** — `pqcheck deps <domain> --baseline file.json` compares the current third-party host list to a stored baseline. New hosts since the last accepted state are flagged `*NEW*` in the pretty table and `"isNew": true` in JSON. Add `--fail-on-new` to exit `4` if anything new appeared — the Polyfill.io-style CI gate that fails PRs introducing third-party scripts until you deliberately accept them with `--write-baseline`. Each row also shows an `SRI` column (on/off/n/a) so you can see which scripts allow silent vendor-side content swaps. See [CHANGELOG.md](./CHANGELOG.md).
 
 ---
 
@@ -81,6 +85,9 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 - `-o <dir>` — Output directory for `--lock` files
 - `--max=<N>` — Max third parties to scan (default 20)
 - `--allowlist <file>` — Exit **3** if any third-party not in allowlist (CI vendor-risk gate)
+- `--baseline <file>` — Compare current hosts to baseline JSON; flag `*NEW*` and surface `isNew` in JSON output
+- `--write-baseline` — Overwrite `--baseline` file with current scan (use once to capture initial state)
+- `--fail-on-new` — Exit **4** if any new hosts appeared since baseline (CI supply-chain change gate)
 
 **`pqcheck lock`:**
 - `-o <dir>` — Output directory
@@ -98,6 +105,7 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 | `1` | Usage / network / scan error |
 | `2` | Score met or exceeded `--threshold`, or `diff` detected regression |
 | `3` | Allowlist violation (`pqcheck deps --allowlist`) |
+| `4` | Supply-chain change detected — new host(s) since baseline (`pqcheck deps --fail-on-new`) |
 
 ## Examples
 
@@ -120,6 +128,12 @@ npx pqcheck deps mycompany.com --lock
 # Vendor-risk CI gate — fail PR if any third-party not in allowlist
 npx pqcheck deps mycompany.com --allowlist allowed-vendors.txt
 
+# Capture initial supply-chain baseline (run once, commit the JSON file)
+npx pqcheck deps mycompany.com --baseline .pqcheck-baseline.json --write-baseline
+
+# Supply-chain change gate — fail PR if any new third-party script appeared since baseline
+npx pqcheck deps mycompany.com --baseline .pqcheck-baseline.json --fail-on-new
+
 # Score history sparkline
 npx pqcheck history mycompany.com
 

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.7";
+const VERSION = "0.7.9";
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -572,6 +572,9 @@ ${color("bold", "Subcommand-specific:")}
     -o <dir>                                     Output directory for --lock files
     --max=<N>                                    Max third parties to scan (default 20)
     --allowlist <file>                           Exit 3 if any third-party not in allowlist (CI gate)
+    --baseline <file>                            Compare current hosts to baseline JSON; mark new ones
+    --write-baseline                             Overwrite the --baseline file with current scan
+    --fail-on-new                                Exit 4 if any NEW host since baseline (Polyfill.io-style supply-chain CI gate)
   pqcheck lock:
     -o <dir>                                     Output directory
     --stdout                                     Print JSON to stdout instead of writing files
@@ -584,12 +587,15 @@ ${color("bold", "Exit codes:")}
   1   usage / network / scan error
   2   score met or exceeded --threshold (or diff regression)
   3   allowlist violation (deps --allowlist)
+  4   supply-chain change detected — new host(s) since baseline (deps --fail-on-new)
 
 ${color("bold", "Examples:")}
   npx pqcheck chase.com
   npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if score ≥ 7")}
   npx pqcheck deps stripe.com --lock
   npx pqcheck deps acme.com --allowlist allowed-vendors.txt   ${color("dim", "# CI vendor-risk gate")}
+  npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --write-baseline   ${color("dim", "# capture initial state")}
+  npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --fail-on-new      ${color("dim", "# fail PR on new third party")}
   npx pqcheck diff main.lock pr.lock        ${color("dim", "# regression detection in PR")}
   npx pqcheck history quantapact.com
   npx pqcheck cert ./mycert.pem             ${color("dim", "# offline cert analysis")}
@@ -887,6 +893,36 @@ async function runDepsCommand(args) {
     }
   }
 
+  // Baseline support (v0.7.8+): --baseline <path> compares this scan's third
+  // parties to a stored baseline JSON file. New hosts get a NEW flag in
+  // output. With --fail-on-new, the CLI exits with code 4 if any new hosts
+  // appeared — turning the scan into a Polyfill.io-style supply-chain change
+  // detector for CI pipelines. --write-baseline overwrites the baseline file
+  // with the current scan's hosts (use after deliberately adding a vendor).
+  const baselineIdx = args.indexOf("--baseline");
+  const baselinePath = baselineIdx >= 0 ? args[baselineIdx + 1] : null;
+  const writeBaseline = args.includes("--write-baseline");
+  const failOnNew = args.includes("--fail-on-new");
+  let baselineHosts = null;
+  if (baselinePath) {
+    try {
+      const fs2 = await import("node:fs/promises");
+      const raw = await fs2.readFile(baselinePath, "utf8");
+      const parsed = JSON.parse(raw);
+      baselineHosts = new Set((parsed.thirdParties || parsed.hosts || []).map((h) =>
+        typeof h === "string" ? h.toLowerCase() : (h.host || "").toLowerCase()
+      ).filter(Boolean));
+    } catch (err) {
+      // File missing is OK on first run — treat as empty baseline (everything is "new")
+      if (err && err.code === "ENOENT") {
+        baselineHosts = new Set();
+      } else {
+        console.error(color("red", `error reading --baseline: ${err.message}`));
+        process.exit(1);
+      }
+    }
+  }
+
   const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
   const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
   if (!domain || !isValidDomain(domain)) {
@@ -896,12 +932,15 @@ async function runDepsCommand(args) {
   }
 
   if (!json) process.stderr.write(color("dim", `Fetching ${domain} HTML...`));
-  const html = await fetchPageHTML(domain);
+  const fetched = await fetchPageHTML(domain);
   if (!json) process.stderr.write("\r\x1b[K");
-  if (!html) {
+  if (!fetched) {
     console.error(color("red", `error: could not fetch https://${domain}/`));
     process.exit(1);
   }
+  const { html, headerCsp } = fetched;
+  const metaCsp = extractMetaCsp(html);
+  const cspVerdict = classifyCsp(headerCsp, metaCsp);
 
   const refs = extractThirdPartyRefs(html, domain);
   if (refs.length === 0) {
@@ -919,8 +958,12 @@ async function runDepsCommand(args) {
   // Group by host, dedupe
   const byHost = new Map();
   for (const r of refs) {
-    if (!byHost.has(r.host)) byHost.set(r.host, { host: r.host, types: new Set(), occurrences: 0 });
+    if (!byHost.has(r.host)) byHost.set(r.host, { host: r.host, types: new Set(), occurrences: 0, anyMissingSri: false, allHttps: true });
     const e = byHost.get(r.host);
+    // SRI status — host is flagged "no SRI" if ANY reference to it lacks integrity.
+    // Only counts for script type (iframes/links/imgs don't support SRI).
+    if (r.type === "script" && !r.sri) e.anyMissingSri = true;
+    if (!r.loadedOverHttps) e.allHttps = false;
     e.types.add(r.type);
     e.occurrences += 1;
   }
@@ -970,19 +1013,51 @@ async function runDepsCommand(args) {
 
   const summary = buildDepsSummary(results);
 
+  // Baseline diff (v0.7.8+): compare current hosts to baseline hosts.
+  // newHosts = hosts in current scan that weren't in the baseline.
+  // missingHosts = hosts in baseline that aren't in the current scan.
+  // Each result gets a `.isNew` flag for downstream rendering.
+  let newHosts = [];
+  let missingHosts = [];
+  if (baselineHosts) {
+    const currentHostSet = new Set(results.map((r) => r.host));
+    newHosts = results.map((r) => r.host).filter((h) => !baselineHosts.has(h));
+    missingHosts = Array.from(baselineHosts).filter((h) => !currentHostSet.has(h));
+    // Don't paint every row as *NEW* on the first run (empty baseline) — there
+    // is no prior state to be new relative to. The summary line still says
+    // "first run; all hosts will be captured" so the user knows.
+    const baselineIsFirstRun = baselineHosts.size === 0;
+    for (const r of results) {
+      r.isNew = baselineIsFirstRun ? false : !baselineHosts.has(r.host);
+    }
+  }
+
   // Build manifest
   const manifest = {
     $schema: "https://quantapact.com/schemas/deps/v1",
-    schemaVersion: "1.0",
+    schemaVersion: "1.2", // bumped for CSP + vendor classification fields
     domain,
     scannedAt: new Date().toISOString(),
     tool: "pqcheck-cli",
     toolVersion: VERSION,
     summary,
+    csp: {
+      quality: cspVerdict.quality,           // "absent" | "weak" | "strict"
+      source: cspVerdict.source,             // "header" | "meta" | null
+    },
+    baseline: baselineHosts ? {
+      file: baselinePath,
+      newHosts,
+      missingHosts,
+      isFirstRun: baselineHosts.size === 0,
+    } : null,
     thirdParties: results.map((r) => ({
       host: r.host,
       types: r.types,
       occurrences: r.occurrences,
+      sri: { allScriptsHaveSri: !r.anyMissingSri, allHttps: r.allHttps },
+      vendor: classifyVendor(r.host),        // { name, category } or null
+      isNew: r.isNew || false,
       scan: r.scan,
       error: r.error,
     })),
@@ -992,6 +1067,39 @@ async function runDepsCommand(args) {
     },
   };
 
+  // --write-baseline: overwrite the baseline file with current hosts. Used
+  // after deliberately adding a vendor (e.g., 'we added Stripe, update the
+  // baseline so the next scan doesn't flag Stripe as new').
+  if (writeBaseline && baselinePath) {
+    try {
+      const fs2 = await import("node:fs/promises");
+      const baselinePayload = {
+        $schema: "https://quantapact.com/schemas/deps-baseline/v1",
+        domain,
+        capturedAt: new Date().toISOString(),
+        toolVersion: VERSION,
+        thirdParties: results.map((r) => ({ host: r.host, sri: !r.anyMissingSri })),
+      };
+      await fs2.writeFile(baselinePath, JSON.stringify(baselinePayload, null, 2) + "\n", "utf8");
+      if (!json) console.error(color("dim", `✓ wrote baseline to ${baselinePath} (${results.length} hosts)`));
+    } catch (err) {
+      console.error(color("red", `error writing --baseline: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  // --fail-on-new: exit code 4 if any new hosts appeared since the baseline.
+  // The CI gate for supply-chain change detection.
+  if (failOnNew && baselineHosts && newHosts.length > 0 && baselineHosts.size > 0) {
+    if (!json) {
+      console.error(color("red", `\nFAIL: ${newHosts.length} new third-party host${newHosts.length > 1 ? "s" : ""} appeared since baseline:`));
+      for (const h of newHosts) console.error(color("red", `  + ${h}`));
+      console.error(color("dim", `\n  Use --write-baseline to accept these additions, or audit them as a potential supply-chain change.`));
+    }
+    if (json) console.log(JSON.stringify(manifest, null, 2));
+    process.exit(4);
+  }
+
   if (json) {
     console.log(JSON.stringify(manifest, null, 2));
     return;
@@ -1001,18 +1109,51 @@ async function runDepsCommand(args) {
   console.log("");
   console.log(`  ${color("bold", "Supply-chain HNDL exposure")} for ${color("violet", domain)}`);
   console.log(`  ${color("dim", `${summary.uniqueOrigins} unique third-party origins · ${summary.totalReferences} references · weakest: ${summary.weakestLink?.host ?? "—"} (${summary.weakestLink?.grade ?? "—"})`)}`);
+  // CSP-quality summary line — single line, site-wide. Mirrors the banner the
+  // extension shows on the Supply Chain tab.
+  if (cspVerdict.quality === "absent") {
+    console.log(`  ${color("red", "✗ No CSP enforcement")} ${color("dim", "— vendor swaps go undetected by the browser")}`);
+  } else if (cspVerdict.quality === "weak") {
+    console.log(`  ${color("yellow", "⚠ CSP is permissive")} ${color("dim", `— uses unsafe-inline / wildcards / data: (${cspVerdict.source})`)}`);
+  } else if (cspVerdict.quality === "strict") {
+    console.log(`  ${color("green", "✓ Strict CSP enforced")} ${color("dim", `(${cspVerdict.source})`)}`);
+  }
+  if (baselineHosts) {
+    const baselineSize = baselineHosts.size;
+    if (baselineSize === 0) {
+      console.log(`  ${color("dim", `Baseline: ${baselinePath} is empty — first run; all hosts will be captured.`)}`);
+    } else {
+      const newColor = newHosts.length > 0 ? "yellow" : "green";
+      const newLabel = newHosts.length > 0 ? `${newHosts.length} NEW since baseline` : "no new hosts since baseline";
+      const missingPart = missingHosts.length > 0 ? `, ${missingHosts.length} missing` : "";
+      console.log(`  ${color(newColor, newLabel)}${color("dim", `${missingPart} · baseline ${baselinePath}`)}`);
+    }
+  }
   console.log("");
-  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  TYPES")}`);
-  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ─────")}`);
+  console.log(`  ${color("dim", "GRADE  HOST                                          VENDOR (CATEGORY)        PQC  SRI  TYPES")}`);
+  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ──────────────────────  ───  ───  ─────")}`);
   for (const r of results) {
     const gradeStr = r.scan?.grade ?? "?";
     const gradeColored = gradeStr === "A" ? color("green", gradeStr) : gradeStr === "F" || gradeStr === "D" ? color("red", gradeStr) : color("yellow", gradeStr);
-    const host = r.host.length > 41 ? r.host.slice(0, 40) + "…" : r.host.padEnd(41, " ");
+    const hostRaw = r.host + (r.isNew ? " *NEW*" : "");
+    const host = hostRaw.length > 41 ? hostRaw.slice(0, 40) + "…" : (r.host.padEnd(r.isNew ? 35 : 41, " ") + (r.isNew ? color("yellow", " *NEW*") : ""));
     const pqc = r.scan?.hybridPQC ? color("green", "yes") : color("dim", "no ");
+    const hasScript = (r.types || []).includes("script");
+    const sriCell = !hasScript ? color("dim", "n/a") : r.anyMissingSri ? color("yellow", "off") : color("green", "on ");
     const types = r.types.join(",");
-    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${color("dim", types)}`);
+    // Vendor classification — "(New Relic · errors)" beats "bam.nr-data.net"
+    // for comprehension. Padded to 22 chars so the table columns stay aligned.
+    const vendor = classifyVendor(r.host);
+    const vendorStrRaw = vendor ? `${vendor.name} (${vendor.category})` : "—";
+    const vendorTruncated = vendorStrRaw.length > 22 ? vendorStrRaw.slice(0, 21) + "…" : vendorStrRaw.padEnd(22, " ");
+    const vendorColored = vendor ? color("dim", vendorTruncated) : color("dim", vendorTruncated);
+    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${vendorColored}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
   }
   console.log("");
+  if (baselineHosts && baselineHosts.size > 0 && newHosts.length > 0) {
+    console.log(`  ${color("yellow", "⚠")} ${color("dim", `${newHosts.length} new third-party host${newHosts.length > 1 ? "s" : ""} not in baseline. Audit, then run with --write-baseline to accept.`)}`);
+    console.log("");
+  }
   console.log(`  ${color("dim", "Each row scanned via")} ${color("violet", "/api/scan")}${color("dim", " · /methodology/browser-extension explains scoring")}`);
   console.log("");
 
@@ -1062,31 +1203,160 @@ async function fetchPageHTML(domain) {
     });
     clearTimeout(t);
     if (!resp.ok) return null;
-    return await resp.text();
+    const html = await resp.text();
+    // Also capture the CSP header so the deps view can show the site-wide
+    // enforcement level. Report-only header is ignored (not enforced).
+    const headerCsp = resp.headers.get("content-security-policy") || "";
+    return { html, headerCsp };
   } catch {
     return null;
   }
 }
 
+// Scrape <meta http-equiv="Content-Security-Policy" content="..."> from HTML
+// as a fallback when the response header is absent.
+function extractMetaCsp(html) {
+  const re = /<meta[^>]*\bhttp-equiv\s*=\s*["']?content-security-policy["']?[^>]*\bcontent\s*=\s*["']([^"']+)["']/i;
+  const m = html.match(re);
+  return m ? m[1] : "";
+}
+
+// Site-level CSP-quality classifier. Mirrors lib/serviceCatalog.ts and the
+// extension's classifyCsp(). Three buckets: absent / weak / strict.
+function classifyCsp(headerCsp, metaCsp) {
+  const policy = ((headerCsp || "").trim() || (metaCsp || "").trim()).toLowerCase();
+  if (!policy) return { quality: "absent", source: null, raw: "" };
+  const weakSignals = ["'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", " * ", " *;", "data:", "blob:"];
+  const weak = weakSignals.some((sig) => policy.includes(sig));
+  return {
+    quality: weak ? "weak" : "strict",
+    source: (headerCsp || "").trim() ? "header" : "meta",
+    raw: policy,
+  };
+}
+
+// Compact vendor catalog — covers ~50 most common third-party origins so the
+// pretty table can show "(New Relic · errors)" instead of just "bam.nr-data.net".
+// Mirror of lib/serviceCatalog.ts + extension/popup.js SERVICE_CATALOG; keep
+// the three in sync when adding vendors.
+const SERVICE_CATALOG = {
+  "googletagmanager.com": { name: "Google Tag Manager", category: "analytics" },
+  "google-analytics.com": { name: "Google Analytics", category: "analytics" },
+  "googleadservices.com": { name: "Google Ads", category: "ads" },
+  "doubleclick.net": { name: "Google DoubleClick", category: "ads" },
+  "googleapis.com": { name: "Google APIs", category: "cdn" },
+  "gstatic.com": { name: "Google Static", category: "cdn" },
+  "recaptcha.net": { name: "Google reCAPTCHA", category: "captcha" },
+  "youtube.com": { name: "YouTube", category: "social" },
+  "cloudflare.com": { name: "Cloudflare", category: "cdn" },
+  "cdnjs.cloudflare.com": { name: "Cloudflare cdnjs", category: "cdn" },
+  "cloudflareinsights.com": { name: "Cloudflare Web Analytics", category: "analytics" },
+  "challenges.cloudflare.com": { name: "Cloudflare Turnstile", category: "captcha" },
+  "stripe.com": { name: "Stripe", category: "payments" },
+  "js.stripe.com": { name: "Stripe Checkout", category: "payments" },
+  "amazonaws.com": { name: "AWS S3", category: "cdn" },
+  "cloudfront.net": { name: "AWS CloudFront", category: "cdn" },
+  "clarity.ms": { name: "Microsoft Clarity", category: "analytics" },
+  "azureedge.net": { name: "Azure CDN", category: "cdn" },
+  "facebook.com": { name: "Facebook", category: "social" },
+  "facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "fbcdn.net": { name: "Facebook CDN", category: "cdn" },
+  "connect.facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "twitter.com": { name: "Twitter (X)", category: "social" },
+  "linkedin.com": { name: "LinkedIn", category: "social" },
+  "snap.licdn.com": { name: "LinkedIn Tracking", category: "ads" },
+  "use.typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "paypal.com": { name: "PayPal", category: "payments" },
+  "auth0.com": { name: "Auth0", category: "auth" },
+  "okta.com": { name: "Okta", category: "auth" },
+  "intercomcdn.com": { name: "Intercom", category: "support" },
+  "zendesk.com": { name: "Zendesk", category: "support" },
+  "sentry.io": { name: "Sentry", category: "errors" },
+  "browser.sentry-cdn.com": { name: "Sentry", category: "errors" },
+  "js-agent.newrelic.com": { name: "New Relic", category: "errors" },
+  "bam.nr-data.net": { name: "New Relic", category: "errors" },
+  "datadoghq.com": { name: "Datadog", category: "errors" },
+  "browser-intake-datadoghq.com": { name: "Datadog RUM", category: "errors" },
+  "mailchimp.com": { name: "Mailchimp", category: "analytics" },
+  "hubspot.com": { name: "HubSpot", category: "analytics" },
+  "js.hubspot.com": { name: "HubSpot Tracking", category: "analytics" },
+  "segment.com": { name: "Segment", category: "analytics" },
+  "amplitude.com": { name: "Amplitude", category: "analytics" },
+  "mxpnl.com": { name: "Mixpanel", category: "analytics" },
+  "hotjar.com": { name: "Hotjar", category: "analytics" },
+  "plausible.io": { name: "Plausible Analytics", category: "analytics" },
+  "js.hcaptcha.com": { name: "hCaptcha", category: "captcha" },
+  "cdn.jsdelivr.net": { name: "jsDelivr CDN", category: "cdn" },
+  "unpkg.com": { name: "unpkg CDN", category: "cdn" },
+  "code.jquery.com": { name: "jQuery CDN", category: "cdn" },
+  "akamaihd.net": { name: "Akamai CDN", category: "cdn" },
+  "akamaized.net": { name: "Akamai CDN", category: "cdn" },
+  "fastly.net": { name: "Fastly CDN", category: "cdn" },
+  "bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "maxcdn.bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "cookielaw.org": { name: "OneTrust Cookie Consent", category: "consent" },
+  "cookiebot.com": { name: "Cookiebot", category: "consent" },
+  "vimeo.com": { name: "Vimeo", category: "social" },
+  "shopify.com": { name: "Shopify", category: "ecommerce" },
+  "cdn.shopify.com": { name: "Shopify CDN", category: "ecommerce" },
+  "tiktok.com": { name: "TikTok", category: "social" },
+};
+
+function classifyVendor(host) {
+  if (!host) return null;
+  const lower = host.toLowerCase();
+  if (SERVICE_CATALOG[lower]) return SERVICE_CATALOG[lower];
+  for (const pattern of Object.keys(SERVICE_CATALOG)) {
+    if (lower === pattern || lower.endsWith("." + pattern)) {
+      return SERVICE_CATALOG[pattern];
+    }
+  }
+  return null;
+}
+
 function extractThirdPartyRefs(html, targetDomain) {
   const out = [];
-  // Patterns: <tag ... attr="..."> — non-greedy, single or double quoted
-  const patterns = [
-    { type: "script", re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
+  const targetRoot = registeredDomain(targetDomain);
+
+  // For <script> tags specifically, capture the FULL tag so we can extract
+  // the integrity attribute (SRI). Other tag types use simple src/href match.
+  const scriptTagRe = /<script\b([^>]*)>/gi;
+  let m;
+  while ((m = scriptTagRe.exec(html)) !== null) {
+    const attrs = m[1] || "";
+    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
+    if (!srcMatch) continue;
+    const integrityMatch = attrs.match(/\bintegrity\s*=\s*["']([^"']+)["']/i);
+    try {
+      const u = new URL(srcMatch[1], `https://${targetDomain}`);
+      if (u.protocol !== "http:" && u.protocol !== "https:") continue;
+      const host = u.hostname.toLowerCase();
+      if (!host || host === targetDomain || registeredDomain(host) === targetRoot) continue;
+      out.push({
+        host,
+        type: "script",
+        sri: !!(integrityMatch && integrityMatch[1].trim()),
+        loadedOverHttps: u.protocol === "https:",
+      });
+    } catch { /* relative URL or malformed */ }
+  }
+
+  // Non-script types: iframe / link / img — no SRI applies
+  const otherPatterns = [
     { type: "iframe", re: /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
     { type: "link",   re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi },
     { type: "img",    re: /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
   ];
-  const targetRoot = registeredDomain(targetDomain);
-  for (const { type, re } of patterns) {
-    let m;
-    while ((m = re.exec(html)) !== null) {
+  for (const { type, re } of otherPatterns) {
+    let mm;
+    while ((mm = re.exec(html)) !== null) {
       try {
-        const u = new URL(m[1], `https://${targetDomain}`);
+        const u = new URL(mm[1], `https://${targetDomain}`);
         if (u.protocol !== "http:" && u.protocol !== "https:") continue;
         const host = u.hostname.toLowerCase();
         if (!host || host === targetDomain || registeredDomain(host) === targetRoot) continue;
-        out.push({ host, type });
+        out.push({ host, type, sri: false, loadedOverHttps: u.protocol === "https:" });
       } catch { /* relative URL or malformed */ }
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.7",
+  "version": "0.7.9",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",