supply-chain-guard 5.2.22 → 5.2.24

package/README.md

@@ -342,6 +342,49 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
 
 ## Changelog
 
+### v5.2.24 (2026-05-24)
+**`RISK_TRAJECTORY_UNSTABLE` no longer flags monotone improvement as instability**
+
+The risk-forecast engine used `Math.abs(slope) > 5` to detect "volatile risk", which conflated two opposite situations:
+
+- Score rising fast (real degradation) → should fire
+- Score falling fast (active remediation) → should NOT fire, that is exactly what we want
+- Score bouncing back and forth (true volatility) → should fire
+
+The v5.2.23 self-scan reported "slope -13.9/scan, highly volatile" after six consecutive releases each fixing real bugs - a strict monotone decrease being labelled as instability.
+
+The detection is now split into orthogonal concerns:
+
+- `RISK_TRAJECTORY_DEGRADING` (severity high): `slope > +5`, score consistently rising
+- `RISK_TRAJECTORY_UNSTABLE` (severity medium): high stdev around the linear-fit trend **and** at least 2 direction reversals in the sequence (true oscillation, not just non-linear improvement)
+- Fast improvement (`slope < -5` with no oscillation): silent, surfaced in the score itself
+
+5 new tests in `bugfix-v5_2_24.test.ts` verify:
+- Strict monotone decrease (including the v5.2.18-v5.2.23 release trajectory) does NOT fire UNSTABLE
+- Fast-rising score DOES fire DEGRADING
+- Real oscillation (e.g. `[20, 80, 25, 75, 30, 70]`) DOES fire UNSTABLE
+- Stable flat trajectory fires neither
+
+Expected impact on the self-scan: drops the spurious `RISK_TRAJECTORY_UNSTABLE` finding. Score should fall from 17/MEDIUM to roughly 5-10/LOW.
+
+### v5.2.23 (2026-05-24)
+**Fix `WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH` false positive on `npm@latest`**
+
+The unpinned-action detector in `workflow-modeler.ts` was firing on any `@latest` / `@main` / `@master` / `@dev` substring anywhere in a workflow file - including the `npm install -g npm@latest` step that v5.2.20 introduced as part of the OIDC trusted-publishing setup. That's a Node toolchain install, not a GitHub Action reference.
+
+The regex is now scoped to actual `uses: <action>@<branch>` declarations using a line-anchored, case-insensitive multiline match:
+
+```ts
+/^\s*-?\s*uses:\s+\S+@(?:main|master|latest|dev)\b/im
+```
+
+4 new tests in `bugfix-v5_2_23.test.ts` verify:
+- `npm install -g npm@latest` no longer triggers
+- Real `uses: actions/checkout@main` / `@master` / `@latest` / `@dev` still triggers
+- Commit-SHA pinning (the v5.2.22 fix) stays clean
+
+Expected impact on the self-scan: the last false-positive CRITICAL is gone. Remaining 2 mediums (`GHA_OIDC_WRITE_PERM` for Trusted Publishing, `WORKFLOW_SECRET_TO_UPLOAD_PATH` for `secrets.GITHUB_TOKEN` access in the GitHub Release step) are honest by-design tradeoffs.
+
 ### v5.2.22 (2026-05-24)
 **Self-scan polish: comment-aware GHA scan, pinned actions, fix changelog self-trigger**
 

package/dist/cli.js

@@ -20,7 +20,7 @@ const program = new commander_1.Command();
 program
     .name("supply-chain-guard")
     .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
-    .version("5.2.22");
+    .version("5.2.24");
 // ── scan command ────────────────────────────────────────────────────
 program
     .command("scan")

package/dist/reporter.js

@@ -55,7 +55,7 @@ function formatJson(report) {
 function formatText(report) {
     const lines = [];
     // ── layout constants ───────────────────────────────────────────────────────
-    const VERSION = "5.2.22";
+    const VERSION = "5.2.24";
     const W = 76; // visible chars between "│ " and " │" (total line = 80)
     // ── ANSI helpers ───────────────────────────────────────────────────────────
     const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
@@ -462,7 +462,7 @@ function formatSarif(report) {
                 tool: {
                     driver: {
                         name: "supply-chain-guard",
-                        version: "5.2.22",
+                        version: "5.2.24",
                         informationUri: "https://github.com/homeofe/supply-chain-guard",
                         rules,
                     },
@@ -524,7 +524,7 @@ function formatSbom(report) {
             timestamp: report.timestamp,
             tools: {
                 components: [
-                    { type: "application", name: "supply-chain-guard", version: "5.2.22" },
+                    { type: "application", name: "supply-chain-guard", version: "5.2.24" },
                 ],
             },
             component: {
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
   ` : ""}
 
   <footer>
-    Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.22
+    Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.24
   </footer>
 </div>
 <script>

package/dist/risk-forecast.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"risk-forecast.d.ts","sourceRoot":"","sources":["../src/risk-forecast.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE5D;;GAEG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,gBAAgB,EAAE,EAC3B,YAAY,EAAE,MAAM,GACnB,OAAO,EAAE,CA6CX"}
+{"version":3,"file":"risk-forecast.d.ts","sourceRoot":"","sources":["../src/risk-forecast.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE5D;;GAEG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,gBAAgB,EAAE,EAC3B,YAAY,EAAE,MAAM,GACnB,OAAO,EAAE,CA6FX"}

package/dist/risk-forecast.js

@@ -38,14 +38,59 @@ function forecastRisk(history, currentScore) {
             recommendation: "Risk trajectory is heading toward critical. Proactive remediation recommended now.",
         });
     }
-    if (Math.abs(slope) > 5) {
+    // v5.2.24: split trajectory analysis into direction (slope sign) and
+    // volatility (residuals from the linear fit). Previously a single
+    // |slope| > 5 check flagged "unstable" both for runaway-bad trends and
+    // for fast-improving trends - the latter is the opposite of unstable.
+    // The self-scan on v5.2.23 reported -13.9/scan as "highly volatile"
+    // even though every release that day strictly improved the score.
+    // Compute stdev of residuals from the linear regression line.
+    // High stdev means the score bounces unpredictably around the trend.
+    let sumSq = 0;
+    for (let i = 0; i < n; i++) {
+        const predicted = yMean + slope * (i - xMean);
+        const residual = recent[i].score - predicted;
+        sumSq += residual * residual;
+    }
+    const stdev = Math.sqrt(sumSq / n);
+    if (slope > 5) {
+        // Getting worse fast - real degradation worth flagging.
+        findings.push({
+            rule: "RISK_TRAJECTORY_DEGRADING",
+            description: `Risk score is rising fast (slope: +${slope.toFixed(1)}/scan). Security posture is worsening over the last ${n} scans.`,
+            severity: "high",
+            confidence: 0.6,
+            category: "trust",
+            recommendation: "Investigate the cause of the upward trend. Recent commits, dependency updates, or new findings should be triaged immediately.",
+        });
+    }
+    // Fast-improving trend (slope < -5) emits no finding - it is the
+    // outcome we want, surfaced silently in the score itself.
+    // Count direction changes in the sequence. A monotonic sequence (always
+    // dropping or always rising) has 0 direction changes even if the rate is
+    // non-linear (e.g. flat then a knee). True volatility requires the score
+    // to actually reverse direction, not just decelerate or accelerate.
+    let directionChanges = 0;
+    let lastDelta = 0;
+    for (let i = 1; i < n; i++) {
+        const delta = recent[i].score - recent[i - 1].score;
+        if (lastDelta !== 0 && delta !== 0 && Math.sign(delta) !== Math.sign(lastDelta)) {
+            directionChanges++;
+        }
+        if (delta !== 0)
+            lastDelta = delta;
+    }
+    if (stdev > 10 && directionChanges >= 2) {
+        // True volatility: high residuals AND multiple direction reversals.
+        // The score bounces back and forth instead of moving consistently
+        // in one direction. This is what "unstable" was meant to detect.
         findings.push({
             rule: "RISK_TRAJECTORY_UNSTABLE",
-            description: `Risk score is highly volatile (slope: ${slope > 0 ? "+" : ""}${slope.toFixed(1)}/scan). Unstable risk indicates inconsistent security practices.`,
+            description: `Risk score is volatile (stdev ${stdev.toFixed(1)} around trend, ${directionChanges} direction reversals). Score bounces unpredictably across scans.`,
             severity: "medium",
             confidence: 0.5,
             category: "trust",
-            recommendation: "Stabilize risk by implementing consistent policies and baseline enforcement.",
+            recommendation: "Stabilize risk by implementing consistent policies and baseline enforcement. Investigate why scores fluctuate.",
         });
     }
     return findings;

package/dist/risk-forecast.js.map

@@ -1 +1 @@
-{"version":3,"file":"risk-forecast.js","sourceRoot":"","sources":["../src/risk-forecast.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAOH,oCAgDC;AAnDD;;GAEG;AACH,SAAgB,YAAY,CAC1B,OAA2B,EAC3B,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExC,kDAAkD;IAClD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;IACxB,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,SAAS,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC;QACrD,WAAW,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9D,yBAAyB;IACzB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAE3D,IAAI,aAAa,GAAG,EAAE,IAAI,YAAY,IAAI,EAAE,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,wBAAwB;YAC9B,WAAW,EAAE,8CAA8C,aAAa,4DAA4D,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YAC7J,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,oFAAoF;SACrG,CAAC,CAAC;IACL,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,0BAA0B;YAChC,WAAW,EAAE,yCAAyC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,kEAAkE;YAC/J,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,8EAA8E;SAC/F,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"risk-forecast.js","sourceRoot":"","sources":["../src/risk-forecast.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAOH,oCAgGC;AAnGD;;GAEG;AACH,SAAgB,YAAY,CAC1B,OAA2B,EAC3B,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExC,kDAAkD;IAClD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;IACxB,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,SAAS,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC;QACrD,WAAW,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9D,yBAAyB;IACzB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC;IAE3D,IAAI,aAAa,GAAG,EAAE,IAAI,YAAY,IAAI,EAAE,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,wBAAwB;YAC9B,WAAW,EAAE,8CAA8C,aAAa,4DAA4D,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YAC7J,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,oFAAoF;SACrG,CAAC,CAAC;IACL,CAAC;IAED,qEAAqE;IACrE,kEAAkE;IAClE,uEAAuE;IACvE,sEAAsE;IACtE,oEAAoE;IACpE,kEAAkE;IAElE,8DAA8D;IAC9D,qEAAqE;IACrE,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,SAAS,CAAC;QAC7C,KAAK,IAAI,QAAQ,GAAG,QAAQ,CAAC;IAC/B,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IAEnC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,wDAAwD;QACxD,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,2BAA2B;YACjC,WAAW,EAAE,sCAAsC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uDAAuD,CAAC,SAAS;YACpI,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,+HAA+H;SAChJ,CAAC,CAAC;IACL,CAAC;IACD,iEAAiE;IACjE,0DAA0D;IAE1D,wEAAwE;IACxE,yEAAyE;IACzE,yEAAyE;IACzE,oEAAoE;IACpE,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;QACpD,IAAI,SAAS,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAChF,gBAAgB,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,KAAK,KAAK,CAAC;YAAE,SAAS,GAAG,KAAK,CAAC;IACrC,CAAC;IAED,IAAI,KAAK,GAAG,EAAE,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;QACxC,oEAAoE;QACpE,kEAAkE;QAClE,iEAAiE;QACjE,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,0BAA0B;YAChC,WAAW,EAAE,iCAAiC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,gBAAgB,kEAAkE;YAClK,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,gHAAgH;SACjI,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/workflow-modeler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"workflow-modeler.d.ts","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAsB1C;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CAoDrD"}
+{"version":3,"file":"workflow-modeler.d.ts","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAsB1C;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CA0DrD"}

package/dist/workflow-modeler.js

@@ -71,9 +71,15 @@ function modelWorkflows(dir) {
                     recommendation: "Audit this workflow for secret-to-network paths. Minimize secret scoping.",
                 });
             }
-            // Check for untrusted actions in release paths
+            // Check for untrusted actions in release paths.
+            // v5.2.23: the unpinned-action check is scoped to actual `uses:`
+            // declarations. The earlier regex `/@(?:main|master|latest|dev)\b/`
+            // matched any occurrence anywhere in the file - including
+            // `npm install -g npm@latest`, which is a Node toolchain install
+            // step, not a GitHub Action reference. New regex requires the
+            // `uses: <path>@<branch>` form.
             const isReleasePath = /release|publish|deploy|npm.*publish/.test(content);
-            const hasUnpinnedAction = /@(?:main|master|latest|dev)\b/.test(content);
+            const hasUnpinnedAction = /^\s*-?\s*uses:\s+\S+@(?:main|master|latest|dev)\b/im.test(content);
             if (isReleasePath && hasUnpinnedAction) {
                 findings.push({
                     rule: "WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH",

package/dist/workflow-modeler.js.map

@@ -1 +1 @@
-{"version":3,"file":"workflow-modeler.js","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BH,wCAoDC;AA/ED,4CAA8B;AAC9B,gDAAkC;AAuBlC;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAW;IACxC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,qBAAqB,IAAI,EAAE,CAAC;YAE5C,mCAAmC;YACnC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,gBAAgB,GAAG,sDAAsD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9F,MAAM,SAAS,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzF,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gCAAgC;oBACtC,WAAW,EAAE,aAAa,IAAI,+FAA+F;oBAC7H,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,2EAA2E;iBAC5F,CAAC,CAAC;YACL,CAAC;YAED,+CAA+C;YAC/C,MAAM,aAAa,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1E,MAAM,iBAAiB,GAAG,+BAA+B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAExE,IAAI,aAAa,IAAI,iBAAiB,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,2CAA2C;oBACjD,WAAW,EAAE,aAAa,IAAI,2EAA2E;oBACzG,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,gGAAgG;iBACjH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"workflow-modeler.js","sourceRoot":"","sources":["../src/workflow-modeler.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BH,wCA0DC;AArFD,4CAA8B;AAC9B,gDAAkC;AAuBlC;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAW;IACxC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,qBAAqB,IAAI,EAAE,CAAC;YAE5C,mCAAmC;YACnC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3D,MAAM,gBAAgB,GAAG,sDAAsD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9F,MAAM,SAAS,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzF,IAAI,YAAY,IAAI,gBAAgB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gCAAgC;oBACtC,WAAW,EAAE,aAAa,IAAI,+FAA+F;oBAC7H,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,2EAA2E;iBAC5F,CAAC,CAAC;YACL,CAAC;YAED,gDAAgD;YAChD,iEAAiE;YACjE,oEAAoE;YACpE,0DAA0D;YAC1D,iEAAiE;YACjE,8DAA8D;YAC9D,gCAAgC;YAChC,MAAM,aAAa,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1E,MAAM,iBAAiB,GAAG,qDAAqD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE9F,IAAI,aAAa,IAAI,iBAAiB,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,2CAA2C;oBACjD,WAAW,EAAE,aAAa,IAAI,2EAA2E;oBACzG,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,gGAAgG;iBACjH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "supply-chain-guard",
-  "version": "5.2.22",
+  "version": "5.2.24",
   "description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",