supply-chain-guard 5.2.22 → 5.2.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +18 -0
  2. package/dist/cli.js +1 -1
  3. package/dist/reporter.js +4 -4
  4. package/dist/workflow-modeler.d.ts.map +1 -1
  5. package/dist/workflow-modeler.js +8 -2
  6. package/dist/workflow-modeler.js.map +1 -1
  7. package/package.json +1 -1
package/README.md CHANGED
@@ -342,6 +342,24 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
342
342
 
343
343
  ## Changelog
344
344
 
345
+ ### v5.2.23 (2026-05-24)
346
+ **Fix `WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH` false positive on `npm@latest`**
347
+
348
+ The unpinned-action detector in `workflow-modeler.ts` was firing on any `@latest` / `@main` / `@master` / `@dev` substring anywhere in a workflow file - including the `npm install -g npm@latest` step that v5.2.20 introduced as part of the OIDC trusted-publishing setup. That's a Node toolchain install, not a GitHub Action reference.
349
+
350
+ The regex is now scoped to actual `uses: <action>@<branch>` declarations using a line-anchored, case-insensitive multiline match:
351
+
352
+ ```ts
353
+ /^\s*-?\s*uses:\s+\S+@(?:main|master|latest|dev)\b/im
354
+ ```
355
+
356
+ 4 new tests in `bugfix-v5_2_23.test.ts` verify:
357
+ - `npm install -g npm@latest` no longer triggers
358
+ - Real `uses: actions/checkout@main` / `@master` / `@latest` / `@dev` still triggers
359
+ - Commit-SHA pinning (the v5.2.22 fix) stays clean
360
+
361
+ Expected impact on the self-scan: the last false-positive CRITICAL is gone. Remaining 2 mediums (`GHA_OIDC_WRITE_PERM` for Trusted Publishing, `WORKFLOW_SECRET_TO_UPLOAD_PATH` for `secrets.GITHUB_TOKEN` access in the GitHub Release step) are honest by-design tradeoffs.
362
+
345
363
  ### v5.2.22 (2026-05-24)
346
364
  **Self-scan polish: comment-aware GHA scan, pinned actions, fix changelog self-trigger**
347
365
 
package/dist/cli.js CHANGED
@@ -20,7 +20,7 @@ const program = new commander_1.Command();
20
20
  program
21
21
  .name("supply-chain-guard")
22
22
  .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
23
- .version("5.2.22");
23
+ .version("5.2.23");
24
24
  // ── scan command ────────────────────────────────────────────────────
25
25
  program
26
26
  .command("scan")
package/dist/reporter.js CHANGED
@@ -55,7 +55,7 @@ function formatJson(report) {
55
55
  function formatText(report) {
56
56
  const lines = [];
57
57
  // ── layout constants ───────────────────────────────────────────────────────
58
- const VERSION = "5.2.22";
58
+ const VERSION = "5.2.23";
59
59
  const W = 76; // visible chars between "│ " and " │" (total line = 80)
60
60
  // ── ANSI helpers ───────────────────────────────────────────────────────────
61
61
  const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
@@ -462,7 +462,7 @@ function formatSarif(report) {
462
462
  tool: {
463
463
  driver: {
464
464
  name: "supply-chain-guard",
465
- version: "5.2.22",
465
+ version: "5.2.23",
466
466
  informationUri: "https://github.com/homeofe/supply-chain-guard",
467
467
  rules,
468
468
  },
@@ -524,7 +524,7 @@ function formatSbom(report) {
524
524
  timestamp: report.timestamp,
525
525
  tools: {
526
526
  components: [
527
- { type: "application", name: "supply-chain-guard", version: "5.2.22" },
527
+ { type: "application", name: "supply-chain-guard", version: "5.2.23" },
528
528
  ],
529
529
  },
530
530
  component: {
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
676
676
  ` : ""}
677
677
 
678
678
  <footer>
679
- Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.22
679
+ Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.23
680
680
  </footer>
681
681
  </div>
682
682
  <script>
package/dist/workflow-modeler.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"workflow-modeler.d.ts","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAsB1C;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CAoDrD"}
1
+ {"version":3,"file":"workflow-modeler.d.ts","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAsB1C;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CA0DrD"}
package/dist/workflow-modeler.js CHANGED
@@ -71,9 +71,15 @@ function modelWorkflows(dir) {
71
71
  recommendation: "Audit this workflow for secret-to-network paths. Minimize secret scoping.",
72
72
  });
73
73
  }
74
- // Check for untrusted actions in release paths
74
+ // Check for untrusted actions in release paths.
75
+ // v5.2.23: the unpinned-action check is scoped to actual `uses:`
76
+ // declarations. The earlier regex `/@(?:main|master|latest|dev)\b/`
77
+ // matched any occurrence anywhere in the file - including
78
+ // `npm install -g npm@latest`, which is a Node toolchain install
79
+ // step, not a GitHub Action reference. New regex requires the
80
+ // `uses: <path>@<branch>` form.
75
81
  const isReleasePath = /release|publish|deploy|npm.*publish/.test(content);
76
- const hasUnpinnedAction = /@(?:main|master|latest|dev)\b/.test(content);
82
+ const hasUnpinnedAction = /^\s*-?\s*uses:\s+\S+@(?:main|master|latest|dev)\b/im.test(content);
77
83
  if (isReleasePath && hasUnpinnedAction) {
78
84
  findings.push({
79
85
  rule: "WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH",
package/dist/workflow-modeler.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"workflow-modeler.js","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BH,wCAoDC;AA/ED,4CAA8B;AAC9B,gDAAkC;AAuBlC;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAW;IACxC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,qBAAqB,IAAI,EAAE,CAAC;YAE5C,mCAAmC;YACnC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,gBAAgB,GAAG,sDAAsD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9F,MAAM,SAAS,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzF,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gCAAgC;oBACtC,WAAW,EAAE,aAAa,IAAI,+FAA+F;oBAC7H,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,2EAA2E;iBAC5F,CAAC,CAAC;YACL,CAAC;YAED,+CAA+C;YAC/C,MAAM,aAAa,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1E,MAAM,iBAAiB,GAAG,+BAA+B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAExE,IAAI,aAAa,IAAI,iBAAiB,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,2CAA2C;oBACjD,WAAW,EAAE,aAAa,IAAI,2EAA2E;oBACzG,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,gGAAgG;iBACjH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,QAAQ,CAAC;AAClB,CAAC"}
1
+ {"version":3,"file":"workflow-modeler.js","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BH,wCA0DC;AArFD,4CAA8B;AAC9B,gDAAkC;AAuBlC;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAW;IACxC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,qBAAqB,IAAI,EAAE,CAAC;YAE5C,mCAAmC;YACnC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,gBAAgB,GAAG,sDAAsD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9F,MAAM,SAAS,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzF,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gCAAgC;oBACtC,WAAW,EAAE,aAAa,IAAI,+FAA+F;oBAC7H,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,2EAA2E;iBAC5F,CAAC,CAAC;YACL,CAAC;YAED,gDAAgD;YAChD,iEAAiE;YACjE,oEAAoE;YACpE,0DAA0D;YAC1D,iEAAiE;YACjE,8DAA8D;YAC9D,gCAAgC;YAChC,MAAM,aAAa,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1E,MAAM,iBAAiB,GAAG,qDAAqD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE9F,IAAI,aAAa,IAAI,iBAAiB,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,2CAA2C;oBACjD,WAAW,EAAE,aAAa,IAAI,2EAA2E;oBACzG,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,gGAAgG;iBACjH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,QAAQ,CAAC;AAClB,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "supply-chain-guard",
3
- "version": "5.2.22",
3
+ "version": "5.2.23",
4
4
  "description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",