securl 1.6.0 → 1.7.0

package/CHANGELOG.md

@@ -7,6 +7,8 @@ The format is based on Keep a Changelog and this package follows Semantic Versio
 ## [Unreleased]
 
 ### Added
+- Added `buildVendorExposureBrief()` for compact vendor and supply-chain exposure summaries covering visible third-party providers, data-flow categories, SRI gaps, priority vendors, and next actions.
+- Added `vendorExposure` to analysis results and the `securl/vendor-exposure` package export for SDK consumers.
 - Added `buildExposureBrief()` for compact outside-observer action briefs covering public entry points, sensitive exposures, trust gaps, abuse indicators, third-party risk, AI surface signals, and next actions.
 - Added `exposureBrief` to analysis results and the `securl/exposure-brief` package export for SDK consumers.
 

package/dist/index.d.ts

@@ -12,6 +12,7 @@ export declare const analyzeTarget: typeof analyzeUrl;
 export { formatErrorMessage };
 export { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
 export { buildExposureBrief } from "./exposureBrief.js";
+export { buildVendorExposureBrief } from "./vendorExposure.js";
 export { analyzeInfrastructure } from "./infrastructure.js";
 export { buildHistoryDiff, buildHistoryDiffFromSnapshots, snapshotFromAnalysis } from "./historyDiff.js";
 export { assertPublicRequestTarget, isLocalHostname, isPrivateAddress, } from "./network-validation.js";

package/dist/index.js

@@ -2,6 +2,7 @@ import { URL } from "node:url";
 import { scanTls } from "./certificate.js";
 import { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
 import { buildExposureBrief } from "./exposureBrief.js";
+import { buildVendorExposureBrief } from "./vendorExposure.js";
 import { parseSetCookie } from "./cookie-analysis.js";
 import { analyzeCookieHeaders } from "./cookieAnalysis.js";
 import { fetchCtDiscovery } from "./ctDiscovery.js";
@@ -510,6 +511,7 @@ async function buildLimitedResult(input, normalizedInput, failure, scanTiming) {
     return {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
+        vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
 }
 async function enrichCoreResult(result, profile) {
@@ -944,6 +946,7 @@ function buildTimedOutEnrichmentResult(result, pageAnalysisEnabled, timeoutMs, c
     return {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
+        vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
 }
 export async function analyzeUrl(input, options = {}) {
@@ -1017,12 +1020,14 @@ export async function analyzeUrl(input, options = {}) {
     return {
         ...resultWithRemediation,
         exposureBrief: buildExposureBrief(resultWithRemediation),
+        vendorExposure: buildVendorExposureBrief(resultWithRemediation),
     };
 }
 export const analyzeTarget = analyzeUrl;
 export { formatErrorMessage };
 export { buildCompromiseSignals, emptyCompromiseSignals } from "./compromiseSignals.js";
 export { buildExposureBrief } from "./exposureBrief.js";
+export { buildVendorExposureBrief } from "./vendorExposure.js";
 export { analyzeInfrastructure } from "./infrastructure.js";
 export { buildHistoryDiff, buildHistoryDiffFromSnapshots, snapshotFromAnalysis } from "./historyDiff.js";
 export { assertPublicRequestTarget, isLocalHostname, isPrivateAddress, } from "./network-validation.js";

package/dist/types.d.ts

@@ -190,6 +190,40 @@ export interface ExposureBrief {
     collectionBoundary: string;
     limitation: AssessmentLimitation | null;
 }
+export type VendorExposureRisk = "low" | "medium" | "high";
+export interface VendorExposureProvider {
+    name: string;
+    domain: string;
+    category: ThirdPartyProvider["category"];
+    risk: ThirdPartyProvider["risk"];
+    evidence: string;
+    reviewPriority: "routine" | "review" | "urgent";
+    dataFlow: "content_delivery" | "telemetry" | "user_interaction" | "payment" | "security" | "ai" | "unknown";
+    action: string;
+}
+export interface VendorExposureBrief {
+    generatedAt: string;
+    risk: VendorExposureRisk;
+    summary: string;
+    counts: {
+        totalProviders: number;
+        highRiskProviders: number;
+        mediumRiskProviders: number;
+        sessionReplayProviders: number;
+        analyticsProviders: number;
+        aiProviders: number;
+        paymentProviders: number;
+        supportProviders: number;
+        missingSriScripts: number;
+    };
+    providers: VendorExposureProvider[];
+    highPriorityProviders: VendorExposureProvider[];
+    issues: string[];
+    strengths: string[];
+    nextActions: string[];
+    collectionBoundary: string;
+    limitation: AssessmentLimitation | null;
+}
 export interface CrawlPageResult {
     label: string;
     path: string;
@@ -756,6 +790,7 @@ export interface AnalysisResult {
     remediationPlan?: RemediationPlan;
     evidenceSummary?: PostureEvidenceSummary;
     exposureBrief?: ExposureBrief;
+    vendorExposure?: VendorExposureBrief;
     crawl: CrawlSummary;
     securityTxt: SecurityTxtInfo;
     domainSecurity: DomainSecurityInfo;

package/dist/vendorExposure.d.ts

@@ -0,0 +1,2 @@
+import type { AnalysisResult, VendorExposureBrief } from "./types.js";
+export declare function buildVendorExposureBrief(analysis: AnalysisResult): VendorExposureBrief;

package/dist/vendorExposure.js

@@ -0,0 +1,151 @@
+const normalizeArray = (value) => (Array.isArray(value) ? value : []);
+function dataFlowForCategory(category) {
+    if (category === "analytics" || category === "ads" || category === "session_replay") {
+        return "telemetry";
+    }
+    if (category === "support" || category === "social" || category === "consent") {
+        return "user_interaction";
+    }
+    if (category === "payments") {
+        return "payment";
+    }
+    if (category === "security") {
+        return "security";
+    }
+    if (category === "ai") {
+        return "ai";
+    }
+    if (category === "cdn") {
+        return "content_delivery";
+    }
+    return "unknown";
+}
+function reviewPriority(provider) {
+    if (provider.risk === "high" || provider.category === "session_replay" || provider.category === "payments") {
+        return "urgent";
+    }
+    if (provider.risk === "medium" || provider.category === "ai" || provider.category === "ads") {
+        return "review";
+    }
+    return "routine";
+}
+function actionForProvider(provider) {
+    if (provider.category === "session_replay") {
+        return "Confirm session replay masking, consent coverage, retention, and vendor ownership.";
+    }
+    if (provider.category === "payments") {
+        return "Confirm payment provider ownership, PCI scope, and expected public loading paths.";
+    }
+    if (provider.category === "ai") {
+        return "Confirm AI vendor disclosure, data-handling boundaries, and escalation ownership.";
+    }
+    if (provider.risk === "high") {
+        return "Confirm the provider is intentional, documented, and covered by security and privacy review.";
+    }
+    if (provider.risk === "medium") {
+        return "Review whether the provider is still needed and document the data-flow owner.";
+    }
+    return "Keep the provider in the vendor inventory and monitor for drift.";
+}
+function rankProvider(provider) {
+    const priorityWeight = { urgent: 0, review: 1, routine: 2 }[provider.reviewPriority];
+    const riskWeight = { high: 0, medium: 1, low: 2 }[provider.risk];
+    return priorityWeight * 10 + riskWeight;
+}
+function summarizeRisk(risk, counts) {
+    if (counts.totalProviders === 0) {
+        return "No obvious third-party script or stylesheet providers were observed on the fetched page.";
+    }
+    if (risk === "high") {
+        return "The fetched page exposes high-priority third-party dependencies that deserve explicit ownership and review.";
+    }
+    if (risk === "medium") {
+        return "The fetched page has a visible vendor footprint with review-worthy data-flow or integrity considerations.";
+    }
+    return "The fetched page uses third-party providers, but the visible footprint is mostly lower-risk delivery or operational tooling.";
+}
+function deriveRisk(counts, issues) {
+    if (counts.highRiskProviders > 0 ||
+        counts.sessionReplayProviders > 0 ||
+        counts.missingSriScripts >= 3 ||
+        issues.some((issue) => /session replay|high-trust|high-observability/i.test(issue))) {
+        return "high";
+    }
+    if (counts.mediumRiskProviders > 0 || counts.aiProviders > 0 || counts.paymentProviders > 0 || counts.missingSriScripts > 0 || issues.length > 0) {
+        return "medium";
+    }
+    return "low";
+}
+function pushUnique(values, value) {
+    if (!value) {
+        return;
+    }
+    const trimmed = value.trim();
+    if (!trimmed || values.includes(trimmed)) {
+        return;
+    }
+    values.push(trimmed);
+}
+export function buildVendorExposureBrief(analysis) {
+    const sourceProviders = normalizeArray(analysis.thirdPartyTrust?.providers);
+    const providers = sourceProviders
+        .map((provider) => ({
+        name: provider.name,
+        domain: provider.domain,
+        category: provider.category,
+        risk: provider.risk,
+        evidence: provider.evidence,
+        reviewPriority: reviewPriority(provider),
+        dataFlow: dataFlowForCategory(provider.category),
+        action: actionForProvider(provider),
+    }))
+        .sort((left, right) => {
+        const rankDelta = rankProvider(left) - rankProvider(right);
+        if (rankDelta !== 0) {
+            return rankDelta;
+        }
+        return left.name.localeCompare(right.name);
+    });
+    const missingSriScripts = normalizeArray(analysis.htmlSecurity?.missingSriScriptUrls).length;
+    const issues = normalizeArray(analysis.thirdPartyTrust?.issues);
+    const strengths = normalizeArray(analysis.thirdPartyTrust?.strengths);
+    const counts = {
+        totalProviders: analysis.thirdPartyTrust?.totalProviders ?? providers.length,
+        highRiskProviders: analysis.thirdPartyTrust?.highRiskProviders ?? providers.filter((provider) => provider.risk === "high").length,
+        mediumRiskProviders: providers.filter((provider) => provider.risk === "medium").length,
+        sessionReplayProviders: providers.filter((provider) => provider.category === "session_replay").length,
+        analyticsProviders: providers.filter((provider) => provider.category === "analytics" || provider.category === "ads").length,
+        aiProviders: providers.filter((provider) => provider.category === "ai").length + normalizeArray(analysis.aiSurface?.vendors).length,
+        paymentProviders: providers.filter((provider) => provider.category === "payments").length,
+        supportProviders: providers.filter((provider) => provider.category === "support").length,
+        missingSriScripts,
+    };
+    const risk = deriveRisk(counts, issues);
+    const highPriorityProviders = providers.filter((provider) => provider.reviewPriority !== "routine").slice(0, 10);
+    const nextActions = [];
+    for (const provider of highPriorityProviders) {
+        pushUnique(nextActions, provider.action);
+    }
+    if (missingSriScripts > 0) {
+        pushUnique(nextActions, "Add Subresource Integrity for third-party scripts that can be pinned safely, or document why they cannot be pinned.");
+    }
+    if (counts.totalProviders > 0) {
+        pushUnique(nextActions, "Keep a lightweight vendor inventory covering owner, purpose, data handled, and removal criteria.");
+    }
+    if (nextActions.length === 0) {
+        pushUnique(nextActions, "Keep monitoring vendor drift after frontend, analytics, support, payment, or AI changes.");
+    }
+    return {
+        generatedAt: new Date().toISOString(),
+        risk,
+        summary: summarizeRisk(risk, counts),
+        counts,
+        providers,
+        highPriorityProviders,
+        issues,
+        strengths,
+        nextActions: nextActions.slice(0, 6),
+        collectionBoundary: "Passive public page evidence only. Vendor signals are inferred from fetched HTML, scripts, stylesheets, and visible AI/provider markers.",
+        limitation: analysis.assessmentLimitation?.limited ? analysis.assessmentLimitation : null,
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securl",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "type": "module",
   "description": "Passive external security posture scanner for public URLs and web services.",
   "author": {
@@ -69,6 +69,10 @@
     "./exposure-brief": {
       "types": "./dist/exposureBrief.d.ts",
       "default": "./dist/exposureBrief.js"
+    },
+    "./vendor-exposure": {
+      "types": "./dist/vendorExposure.d.ts",
+      "default": "./dist/vendorExposure.js"
     }
   },
   "files": [