supply-chain-guard 1.0.0

package/dist/patterns.js

@@ -0,0 +1,222 @@
+"use strict";
+/**
+ * Known malicious patterns database
+ *
+ * This file is designed to be regularly updated as new threats emerge.
+ * Add new patterns, wallet addresses, or domain patterns as they are discovered.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_FILE_SIZE = exports.SCANNABLE_EXTENSIONS = exports.MALICIOUS_PACKAGE_PATTERNS = exports.SUSPICIOUS_SCRIPTS = exports.SUSPICIOUS_FILES = exports.FILE_PATTERNS = exports.C2_DOMAIN_PATTERNS = exports.KNOWN_C2_WALLETS = exports.GLASSWORM_MARKERS = void 0;
+// ---------------------------------------------------------------------------
+// GlassWorm-specific IOCs
+// ---------------------------------------------------------------------------
+/** Known GlassWorm marker variables */
+exports.GLASSWORM_MARKERS = ["lzcdrtfxyqiplpd"];
+/** Known GlassWorm Solana wallet addresses used for C2 */
+exports.KNOWN_C2_WALLETS = [
+// Add confirmed wallet addresses here as they are discovered
+// Example: "2fTGKciRBTwLpcMVMPGwWEqGkRrG7MkR1FoKGhCPNw2S"
+];
+/** Known C2 domain patterns (regex strings) */
+exports.C2_DOMAIN_PATTERNS = [
+    // Domains seen in GlassWorm payloads
+    "connect\\.\\w+\\.workers\\.dev",
+    "\\w+-api\\.\\w+\\.workers\\.dev",
+];
+// ---------------------------------------------------------------------------
+// File-based detection patterns
+// ---------------------------------------------------------------------------
+exports.FILE_PATTERNS = [
+    // GlassWorm marker
+    {
+        name: "glassworm-marker",
+        pattern: "lzcdrtfxyqiplpd",
+        description: "GlassWorm campaign marker variable detected",
+        severity: "critical",
+        rule: "GLASSWORM_MARKER",
+    },
+    // Invisible Unicode characters (zero-width spaces, joiners, etc.)
+    {
+        name: "invisible-unicode",
+        pattern: "[\\u200B\\u200C\\u200D\\u2060\\uFEFF\\u00AD\\u034F\\u061C\\u180E\\u2028\\u2029\\u202A-\\u202E\\u2066-\\u2069]{3,}",
+        description: "Suspicious invisible Unicode characters detected (potential code obfuscation)",
+        severity: "high",
+        rule: "INVISIBLE_UNICODE",
+    },
+    // Encoded eval/exec patterns
+    {
+        name: "eval-atob",
+        pattern: "eval\\s*\\(\\s*atob\\s*\\(",
+        description: "Base64-encoded eval detected (common malware obfuscation)",
+        severity: "critical",
+        rule: "EVAL_ATOB",
+    },
+    {
+        name: "eval-buffer-from",
+        pattern: "eval\\s*\\(\\s*Buffer\\.from\\s*\\(",
+        description: "Buffer-encoded eval detected (common malware obfuscation in Node.js)",
+        severity: "critical",
+        rule: "EVAL_BUFFER",
+    },
+    {
+        name: "new-function-atob",
+        pattern: "new\\s+Function\\s*\\(\\s*atob\\s*\\(",
+        description: "Base64-encoded Function constructor detected (malware obfuscation)",
+        severity: "critical",
+        rule: "FUNCTION_ATOB",
+    },
+    {
+        name: "eval-buffer-hex",
+        pattern: "eval\\s*\\(\\s*Buffer\\.from\\s*\\([^)]+,\\s*['\"]hex['\"]\\s*\\)",
+        description: "Hex-encoded eval detected",
+        severity: "critical",
+        rule: "EVAL_HEX",
+    },
+    {
+        name: "exec-encoded",
+        pattern: "exec\\s*\\(\\s*(?:atob|Buffer\\.from|decodeURIComponent)\\s*\\(",
+        description: "Encoded exec call detected",
+        severity: "high",
+        rule: "EXEC_ENCODED",
+    },
+    // Solana C2 references
+    {
+        name: "solana-mainnet",
+        pattern: "mainnet-beta\\.solana\\.com",
+        description: "Solana mainnet RPC reference detected (potential C2 channel)",
+        severity: "medium",
+        rule: "SOLANA_MAINNET",
+    },
+    {
+        name: "helius-rpc",
+        pattern: "helius(?:-rpc)?\\.(?:com|dev)",
+        description: "Helius Solana RPC reference detected (used in GlassWorm C2)",
+        severity: "medium",
+        rule: "HELIUS_RPC",
+    },
+    // Obfuscation patterns
+    {
+        name: "hex-string-array",
+        pattern: "\\[\\s*(?:0x[0-9a-fA-F]+\\s*,\\s*){10,}",
+        description: "Large hex array detected (potential obfuscated payload)",
+        severity: "medium",
+        rule: "HEX_ARRAY",
+    },
+    {
+        name: "string-char-concat",
+        pattern: "(?:String\\.fromCharCode|\\\\x[0-9a-fA-F]{2}){5,}",
+        description: "Character code string construction detected (obfuscation technique)",
+        severity: "medium",
+        rule: "CHARCODE_OBFUSCATION",
+    },
+    // Network exfiltration
+    {
+        name: "env-exfil",
+        pattern: "process\\.env\\b[^;]*(?:fetch|https?\\.(?:get|request)|axios|got|node-fetch)",
+        description: "Environment variable access combined with network request (data exfiltration pattern)",
+        severity: "high",
+        rule: "ENV_EXFILTRATION",
+    },
+    {
+        name: "dns-exfil",
+        pattern: "dns\\.resolve.*process\\.env",
+        description: "DNS-based data exfiltration pattern detected",
+        severity: "high",
+        rule: "DNS_EXFILTRATION",
+    },
+];
+// ---------------------------------------------------------------------------
+// Suspicious file names
+// ---------------------------------------------------------------------------
+/** Files that are suspicious by name alone */
+exports.SUSPICIOUS_FILES = [
+    {
+        pattern: "^i\\.js$",
+        description: "Suspicious i.js file (commonly used as GlassWorm payload dropper)",
+        severity: "high",
+        rule: "SUSPICIOUS_I_JS",
+    },
+    {
+        pattern: "^init\\.json$",
+        description: "init.json persistence file (used by GlassWorm for configuration persistence)",
+        severity: "high",
+        rule: "SUSPICIOUS_INIT_JSON",
+    },
+];
+// ---------------------------------------------------------------------------
+// Suspicious npm scripts
+// ---------------------------------------------------------------------------
+/** Package.json script patterns that are suspicious */
+exports.SUSPICIOUS_SCRIPTS = [
+    {
+        name: "postinstall-curl",
+        pattern: "curl\\s+.*\\|\\s*(?:bash|sh|node)",
+        description: "postinstall script downloads and executes remote code",
+        severity: "critical",
+        rule: "SCRIPT_CURL_EXEC",
+    },
+    {
+        name: "postinstall-wget",
+        pattern: "wget\\s+.*\\|\\s*(?:bash|sh|node)",
+        description: "postinstall script downloads and executes remote code",
+        severity: "critical",
+        rule: "SCRIPT_WGET_EXEC",
+    },
+    {
+        name: "postinstall-node-e",
+        pattern: "node\\s+-e\\s+[\"'].*(?:http|https|fetch|require)",
+        description: "postinstall script executes inline Node.js with network access",
+        severity: "high",
+        rule: "SCRIPT_NODE_INLINE",
+    },
+    {
+        name: "postinstall-encoded",
+        pattern: "(?:atob|Buffer\\.from|base64)",
+        description: "postinstall script contains encoding/decoding operations",
+        severity: "high",
+        rule: "SCRIPT_ENCODED",
+    },
+    {
+        name: "preinstall-exec",
+        pattern: "(?:exec|spawn|execSync)\\s*\\(",
+        description: "preinstall script executes system commands",
+        severity: "medium",
+        rule: "SCRIPT_PREINSTALL_EXEC",
+    },
+];
+// ---------------------------------------------------------------------------
+// Known malicious npm package name patterns
+// ---------------------------------------------------------------------------
+/** Patterns matching known malicious or typosquatting package names */
+exports.MALICIOUS_PACKAGE_PATTERNS = [
+    // Typosquatting common packages
+    "^(lodas|1odash|l0dash|lodash-es-utils)$",
+    "^(cros-env|cross-env-shell|crossenv)$",
+    "^(bable-cli|babelcli)$",
+    "^(event-streem|event_stream)$",
+    // GlassWorm campaign packages (pattern: random-looking names)
+    "^[a-z]{15,}$", // Very long single-word lowercase names
+    // Suspicious scoped packages mimicking official ones
+    "^@(?!types|babel|eslint|jest|rollup|vitejs|vue|angular|react|next|nuxt|svelte|reduxjs|tanstack|trpc).*\\/.*$",
+];
+// ---------------------------------------------------------------------------
+// File extensions to scan
+// ---------------------------------------------------------------------------
+exports.SCANNABLE_EXTENSIONS = new Set([
+    ".js",
+    ".ts",
+    ".jsx",
+    ".tsx",
+    ".mjs",
+    ".cjs",
+    ".py",
+    ".sh",
+    ".bash",
+    ".json",
+    ".yml",
+    ".yaml",
+    ".toml",
+]);
+/** Maximum file size to scan (in bytes). Files larger than this are skipped. */
+exports.MAX_FILE_SIZE = 5 * 1024 * 1024; // 5 MB
+//# sourceMappingURL=patterns.js.map

package/dist/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,uCAAuC;AAC1B,QAAA,iBAAiB,GAAG,CAAC,iBAAiB,CAAC,CAAC;AAErD,0DAA0D;AAC7C,QAAA,gBAAgB,GAAa;AACxC,6DAA6D;AAC7D,0DAA0D;CAC3D,CAAC;AAEF,+CAA+C;AAClC,QAAA,kBAAkB,GAAa;IAC1C,qCAAqC;IACrC,gCAAgC;IAChC,iCAAiC;CAClC,CAAC;AAEF,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAEjE,QAAA,aAAa,GAAmB;IAC3C,mBAAmB;IACnB;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,iBAAiB;QAC1B,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,kBAAkB;KACzB;IAED,kEAAkE;IAClE;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EACL,mHAAmH;QACrH,WAAW,EACT,+EAA+E;QACjF,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,mBAAmB;KAC1B;IAED,6BAA6B;IAC7B;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,4BAA4B;QACrC,WAAW,EAAE,2DAA2D;QACxE,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,WAAW;KAClB;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,qCAAqC;QAC9C,WAAW,EACT,sEAAsE;QACxE,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,aAAa;KACpB;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uCAAuC;QAChD,WAAW,EACT,oEAAoE;QACtE,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,eAAe;KACtB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,mEAAmE;QAC5E,WAAW,EAAE,2BAA2B;QACxC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,UAAU;KACjB;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EACL,iEAAiE;QACnE,WAAW,EAAE,4BAA4B;QACzC,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,cAAc;KACrB;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,6BAA6B;QACtC,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,gBAAgB;KACvB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,+BAA+B;QACxC,WAAW,EACT,6DAA6D;QAC/D,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,YAAY;KACnB;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EACL,yCAAyC;QAC3C,WAAW,EAAE,yDAAyD;QACtE,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,WAAW;KAClB;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EACL,mDAAmD;QACrD,WAAW,EACT,qEAAqE;QACvE,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,sBAAsB;KAC7B;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EACL,8EAA8E;QAChF,WAAW,EACT,uFAAuF;QACzF,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,kBAAkB;KACzB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,8BAA8B;QACvC,WAAW,EAAE,8CAA8C;QAC3D,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,kBAAkB;KACzB;CACF,CAAC;AAEF,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,8CAA8C;AACjC,QAAA,gBAAgB,GAKxB;IACH;QACE,OAAO,EAAE,UAAU;QACnB,WAAW,EACT,mEAAmE;QACrE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,iBAAiB;KACxB;IACD;QACE,OAAO,EAAE,eAAe;QACxB,WAAW,EACT,8EAA8E;QAChF,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,sBAAsB;KAC7B;CACF,CAAC;AAEF,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,uDAAuD;AAC1C,QAAA,kBAAkB,GAAmB;IAChD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,mCAAmC;QAC5C,WAAW,EAAE,uDAAuD;QACpE,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,kBAAkB;KACzB;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,mCAAmC;QAC5C,WAAW,EAAE,uDAAuD;QACpE,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,kBAAkB;KACzB;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,mDAAmD;QAC5D,WAAW,EACT,gEAAgE;QAClE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,oBAAoB;KAC3B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,+BAA+B;QACxC,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,gBAAgB;KACvB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,gCAAgC;QACzC,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,wBAAwB;KAC/B;CACF,CAAC;AAEF,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E,uEAAuE;AAC1D,QAAA,0BAA0B,GAAa;IAClD,gCAAgC;IAChC,yCAAyC;IACzC,uCAAuC;IACvC,wBAAwB;IACxB,+BAA+B;IAE/B,8DAA8D;IAC9D,cAAc,EAAE,wCAAwC;IAExD,qDAAqD;IACrD,8GAA8G;CAC/G,CAAC;AAEF,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAEjE,QAAA,oBAAoB,GAAG,IAAI,GAAG,CAAC;IAC1C,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,KAAK;IACL,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,OAAO;CACR,CAAC,CAAC;AAEH,gFAAgF;AACnE,QAAA,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO"}

package/dist/reporter.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Output formatting for scan reports.
+ * Supports text, JSON, and markdown output.
+ */
+import type { ScanReport } from "./types.js";
+/**
+ * Format a scan report for output.
+ */
+export declare function formatReport(report: ScanReport, format: "text" | "json" | "markdown"): string;
+//# sourceMappingURL=reporter.d.ts.map

package/dist/reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.d.ts","sourceRoot":"","sources":["../src/reporter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAW,UAAU,EAAY,MAAM,YAAY,CAAC;AAqBhE;;GAEG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,UAAU,GACnC,MAAM,CAUR"}

package/dist/reporter.js

@@ -0,0 +1,224 @@
+"use strict";
+/**
+ * Output formatting for scan reports.
+ * Supports text, JSON, and markdown output.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatReport = formatReport;
+const SEVERITY_COLORS = {
+    critical: "\x1b[91m", // bright red
+    high: "\x1b[31m", // red
+    medium: "\x1b[33m", // yellow
+    low: "\x1b[36m", // cyan
+    info: "\x1b[37m", // white
+};
+const RESET = "\x1b[0m";
+const BOLD = "\x1b[1m";
+const DIM = "\x1b[2m";
+const SEVERITY_ICONS = {
+    critical: "🔴",
+    high: "🟠",
+    medium: "🟡",
+    low: "🔵",
+    info: "⚪",
+};
+/**
+ * Format a scan report for output.
+ */
+function formatReport(report, format) {
+    switch (format) {
+        case "json":
+            return formatJson(report);
+        case "markdown":
+            return formatMarkdown(report);
+        case "text":
+        default:
+            return formatText(report);
+    }
+}
+/**
+ * Format as JSON.
+ */
+function formatJson(report) {
+    return JSON.stringify(report, null, 2);
+}
+/**
+ * Format as human-readable text with colors.
+ */
+function formatText(report) {
+    const lines = [];
+    // Header
+    lines.push("");
+    lines.push(`${BOLD}  supply-chain-guard${RESET} scan report`);
+    lines.push(`${DIM}  ${"─".repeat(50)}${RESET}`);
+    lines.push(`  Target:    ${report.target}`);
+    lines.push(`  Type:      ${report.scanType}`);
+    lines.push(`  Time:      ${report.timestamp}`);
+    lines.push(`  Duration:  ${report.durationMs}ms`);
+    lines.push("");
+    // Score
+    const scoreColor = report.score === 0
+        ? "\x1b[32m"
+        : report.score <= 10
+            ? "\x1b[36m"
+            : report.score <= 30
+                ? "\x1b[33m"
+                : report.score <= 60
+                    ? "\x1b[31m"
+                    : "\x1b[91m";
+    lines.push(`  Risk Score: ${scoreColor}${BOLD}${report.score}/100${RESET} (${report.riskLevel.toUpperCase()})`);
+    lines.push("");
+    // Summary
+    lines.push(`${BOLD}  Summary${RESET}`);
+    lines.push(`${DIM}  ${"─".repeat(50)}${RESET}`);
+    if (report.scanType === "directory" || report.scanType === "github") {
+        lines.push(`  Files:     ${report.summary.filesScanned}/${report.summary.totalFiles} scanned`);
+    }
+    const counts = [
+        report.summary.critical > 0
+            ? `${SEVERITY_COLORS.critical}${report.summary.critical} critical${RESET}`
+            : null,
+        report.summary.high > 0
+            ? `${SEVERITY_COLORS.high}${report.summary.high} high${RESET}`
+            : null,
+        report.summary.medium > 0
+            ? `${SEVERITY_COLORS.medium}${report.summary.medium} medium${RESET}`
+            : null,
+        report.summary.low > 0
+            ? `${SEVERITY_COLORS.low}${report.summary.low} low${RESET}`
+            : null,
+        report.summary.info > 0
+            ? `${SEVERITY_COLORS.info}${report.summary.info} info${RESET}`
+            : null,
+    ].filter(Boolean);
+    if (counts.length > 0) {
+        lines.push(`  Findings:  ${counts.join(", ")}`);
+    }
+    else {
+        lines.push(`  Findings:  \x1b[32mNone${RESET}`);
+    }
+    lines.push("");
+    // Findings
+    if (report.findings.length > 0) {
+        lines.push(`${BOLD}  Findings${RESET}`);
+        lines.push(`${DIM}  ${"─".repeat(50)}${RESET}`);
+        // Sort by severity (critical first)
+        const sorted = [...report.findings].sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
+        for (const finding of sorted) {
+            lines.push("");
+            lines.push(`  ${SEVERITY_ICONS[finding.severity]} ${SEVERITY_COLORS[finding.severity]}${BOLD}[${finding.severity.toUpperCase()}]${RESET} ${finding.description}`);
+            lines.push(`     Rule: ${finding.rule}`);
+            if (finding.file) {
+                const location = finding.line
+                    ? `${finding.file}:${finding.line}`
+                    : finding.file;
+                lines.push(`     File: ${location}`);
+            }
+            if (finding.match) {
+                lines.push(`     Match: ${DIM}${finding.match}${RESET}`);
+            }
+            lines.push(`     Fix: ${finding.recommendation}`);
+        }
+        lines.push("");
+    }
+    // Recommendations
+    if (report.recommendations.length > 0) {
+        lines.push(`${BOLD}  Recommendations${RESET}`);
+        lines.push(`${DIM}  ${"─".repeat(50)}${RESET}`);
+        for (const rec of report.recommendations) {
+            lines.push(`  • ${rec}`);
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+/**
+ * Format as markdown (for PR comments, GitHub Actions).
+ */
+function formatMarkdown(report) {
+    const lines = [];
+    // Header
+    lines.push("## 🛡️ supply-chain-guard Scan Report");
+    lines.push("");
+    lines.push(`| Property | Value |`);
+    lines.push(`|----------|-------|`);
+    lines.push(`| Target | \`${report.target}\` |`);
+    lines.push(`| Type | ${report.scanType} |`);
+    lines.push(`| Time | ${report.timestamp} |`);
+    lines.push(`| Duration | ${report.durationMs}ms |`);
+    lines.push(`| **Risk Score** | **${report.score}/100** (${report.riskLevel.toUpperCase()}) |`);
+    lines.push("");
+    // Summary
+    lines.push("### Summary");
+    lines.push("");
+    if (report.scanType === "directory" || report.scanType === "github") {
+        lines.push(`Scanned ${report.summary.filesScanned} of ${report.summary.totalFiles} files.`);
+        lines.push("");
+    }
+    if (report.findings.length === 0) {
+        lines.push("> ✅ No malicious indicators detected.");
+        lines.push("");
+    }
+    else {
+        const badges = [];
+        if (report.summary.critical > 0)
+            badges.push(`🔴 ${report.summary.critical} critical`);
+        if (report.summary.high > 0)
+            badges.push(`🟠 ${report.summary.high} high`);
+        if (report.summary.medium > 0)
+            badges.push(`🟡 ${report.summary.medium} medium`);
+        if (report.summary.low > 0)
+            badges.push(`🔵 ${report.summary.low} low`);
+        if (report.summary.info > 0)
+            badges.push(`⚪ ${report.summary.info} info`);
+        lines.push(badges.join(" | "));
+        lines.push("");
+    }
+    // Findings
+    if (report.findings.length > 0) {
+        lines.push("### Findings");
+        lines.push("");
+        const sorted = [...report.findings].sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
+        for (const finding of sorted) {
+            lines.push(`#### ${SEVERITY_ICONS[finding.severity]} [${finding.severity.toUpperCase()}] ${finding.description}`);
+            lines.push("");
+            lines.push(`- **Rule:** \`${finding.rule}\``);
+            if (finding.file) {
+                const location = finding.line
+                    ? `${finding.file}:${finding.line}`
+                    : finding.file;
+                lines.push(`- **File:** \`${location}\``);
+            }
+            if (finding.match) {
+                lines.push(`- **Match:** \`${finding.match}\``);
+            }
+            lines.push(`- **Recommendation:** ${finding.recommendation}`);
+            lines.push("");
+        }
+    }
+    // Recommendations
+    if (report.recommendations.length > 0) {
+        lines.push("### Recommendations");
+        lines.push("");
+        for (const rec of report.recommendations) {
+            lines.push(`- ${rec}`);
+        }
+        lines.push("");
+    }
+    lines.push(`---\n*Generated by [supply-chain-guard](https://github.com/homeofe/supply-chain-guard)*`);
+    return lines.join("\n");
+}
+/**
+ * Get numeric rank for severity sorting.
+ */
+function severityRank(severity) {
+    const ranks = {
+        critical: 4,
+        high: 3,
+        medium: 2,
+        low: 1,
+        info: 0,
+    };
+    return ranks[severity];
+}
+//# sourceMappingURL=reporter.js.map

package/dist/reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.js","sourceRoot":"","sources":["../src/reporter.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA0BH,oCAaC;AAnCD,MAAM,eAAe,GAA6B;IAChD,QAAQ,EAAE,UAAU,EAAE,aAAa;IACnC,IAAI,EAAE,UAAU,EAAM,MAAM;IAC5B,MAAM,EAAE,UAAU,EAAI,SAAS;IAC/B,GAAG,EAAE,UAAU,EAAO,OAAO;IAC7B,IAAI,EAAE,UAAU,EAAM,QAAQ;CAC/B,CAAC;AACF,MAAM,KAAK,GAAG,SAAS,CAAC;AACxB,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,GAAG,GAAG,SAAS,CAAC;AAEtB,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,IAAI;IACd,IAAI,EAAE,IAAI;IACV,MAAM,EAAE,IAAI;IACZ,GAAG,EAAE,IAAI;IACT,IAAI,EAAE,GAAG;CACV,CAAC;AAEF;;GAEG;AACH,SAAgB,YAAY,CAC1B,MAAkB,EAClB,MAAoC;IAEpC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5B,KAAK,UAAU;YACb,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAAkB;IACpC,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAAkB;IACpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS;IACT,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,uBAAuB,KAAK,cAAc,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9C,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,QAAQ;IACR,MAAM,UAAU,GACd,MAAM,CAAC,KAAK,KAAK,CAAC;QAChB,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;YAClB,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;gBAClB,CAAC,CAAC,UAAU;gBACZ,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;oBAClB,CAAC,CAAC,UAAU;oBACZ,CAAC,CAAC,UAAU,CAAC;IAEvB,KAAK,CAAC,IAAI,CACR,iBAAiB,UAAU,GAAG,IAAI,GAAG,MAAM,CAAC,KAAK,OAAO,KAAK,KAAK,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,GAAG,CACpG,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,UAAU;IACV,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,YAAY,KAAK,EAAE,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC;IAEhD,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,OAAO,CAAC,YAAY,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,UAAU,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,MAAM,GAAG;QACb,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC;YACzB,CAAC,CAAC,GAAG,eAAe,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,YAAY,KAAK,EAAE;YAC1E,CAAC,CAAC,IAAI;QACR,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;YACrB,CAAC,CAAC,GAAG,eAAe,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,EAAE;YAC9D,CAAC,CAAC,IAAI;QACR,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YACvB,CAAC,CAAC,GAAG,eAAe,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,KAAK,EAAE;YACpE,CAAC,CAAC,IAAI;QACR,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC;YACpB,CAAC,CAAC,GAAG,eAAe,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,OAAO,KAAK,EAAE;YAC3D,CAAC,CAAC,IAAI;QACR,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;YACrB,CAAC,CAAC,GAAG,eAAe,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,EAAE;YAC9D,CAAC,CAAC,IAAI;KACT,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAElB,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,WAAW;IACX,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,aAAa,KAAK,EAAE,CAAC,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC;QAEhD,oCAAoC;QACpC,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAC9D,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CACR,KAAK,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,KAAK,IAAI,OAAO,CAAC,WAAW,EAAE,CACtJ,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YACzC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;oBAC3B,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE;oBACnC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjB,KAAK,CAAC,IAAI,CAAC,cAAc,QAAQ,EAAE,CAAC,CAAC;YACvC,CAAC;YACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,KAAK,CAAC,IAAI,CAAC,eAAe,GAAG,GAAG,OAAO,CAAC,KAAK,GAAG,KAAK,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,oBAAoB,KAAK,EAAE,CAAC,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC;QAChD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;QAC3B,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAkB;IACxC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS;IACT,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,MAAM,MAAM,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,SAAS,IAAI,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,UAAU,MAAM,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CACR,wBAAwB,MAAM,CAAC,KAAK,WAAW,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,CACnF,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,UAAU;IACV,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpE,KAAK,CAAC,IAAI,CACR,WAAW,MAAM,CAAC,OAAO,CAAC,YAAY,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,SAAS,CAChF,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;QACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,WAAW,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC;QAC3E,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,SAAS,CAAC,CAAC;QACpD,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;QACxE,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC;QAC1E,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,WAAW;IACX,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAC9D,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CACR,QAAQ,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE,CACtG,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;YAC9C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;oBAC3B,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE;oBACnC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjB,KAAK,CAAC,IAAI,CAAC,iBAAiB,QAAQ,IAAI,CAAC,CAAC;YAC5C,CAAC;YACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,KAAK,CAAC,IAAI,CAAC,kBAAkB,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YAClD,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,yBAAyB,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;YAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAClC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;QACzB,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CACR,yFAAyF,CAC1F,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,QAAkB;IACtC,MAAM,KAAK,GAA6B;QACtC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IACF,OAAO,KAAK,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC"}

package/dist/scanner.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Core file scanner
+ *
+ * Scans local directories and GitHub repos for supply-chain malware indicators.
+ */
+import type { ScanOptions, ScanReport } from "./types.js";
+/**
+ * Scan a local directory or GitHub repo for malware indicators.
+ */
+export declare function scan(options: ScanOptions): Promise<ScanReport>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAW,WAAW,EAAE,UAAU,EAAe,MAAM,YAAY,CAAC;AAYhF;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAoGpE"}