supply-chain-guard 5.2.36 → 5.2.37
- package/README.md +15 -0
- package/action.yml +8 -1
- package/dist/cli.js +1 -1
- package/dist/reporter.js +4 -4
- package/package.json +1 -1
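--- a/package/README.md
+++ b/package/README.md
@@ -342,6 +342,21 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
 
 ## Changelog
 
+### v5.2.37 (2026-06-27)
+**Fix: PR-comment step crash on findings containing backticks**
+
+The Comment on PR step built a JavaScript template literal from the scan
+report. Because the report markdown contains backticks, the literal broke and
+the step threw, failing the check on essentially every consumer pull request
+(the scan logic itself was never affected). The step now reads the report from
+a file via `fs.readFileSync` and is marked `continue-on-error`, so a comment
+failure can never fail the scan. No rule, threat-intel, or scan-engine changes
+in this release.
+
+- Composite action `Comment on PR` step rewritten to read `/tmp/scg-report.txt`
+instead of interpolating the report into an inline template literal (#27).
+- Added `continue-on-error: true` so PR-comment failures are non-fatal.
+
 ### v5.2.36 (2026-06-25)
 **Threat-intel update: PostCSS Tools Windows RAT npm campaign**
 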
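--- a/package/action.yml
+++ b/package/action.yml
@@ -119,9 +119,16 @@ runs:
 - name: Comment on PR
 if: inputs.comment-on-pr == 'true' && github.event_name == 'pull_request' && steps.scan.outputs.findings-count != '0'
 uses: actions/github-script@v7
+continue-on-error: true
 with:
 script: |
-const
+const fs = require('fs');
+let report = '';
+try {
+report = fs.readFileSync('/tmp/scg-report.txt', 'utf8');
+} catch (err) {
+console.error('Failed to read report file:', err);
+}
 const { data: comments } = await github.rest.issues.listComments({
 owner: context.repo.owner,
 repo: context.repo.repo,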
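--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -20,7 +20,7 @@ const program = new commander_1.Command();
 program
 .name("supply-chain-guard")
 .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
-.version("5.2.
+.version("5.2.37");
 // ── scan command ────────────────────────────────────────────────────
 program
 .command("scan")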
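--- a/package/dist/reporter.js
+++ b/package/dist/reporter.js
@@ -55,7 +55,7 @@ function formatJson(report) {
 function formatText(report) {
 const lines = [];
 // ── layout constants ───────────────────────────────────────────────────────
-const VERSION = "5.2.
+const VERSION = "5.2.37";
 const W = 76; // visible chars between "│ " and " │" (total line = 80)
 // ── ANSI helpers ───────────────────────────────────────────────────────────
 const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
@@ -462,7 +462,7 @@ function formatSarif(report) {
 tool: {
 driver: {
 name: "supply-chain-guard",
-version: "5.2.
+version: "5.2.37",
 informationUri: "https://github.com/homeofe/supply-chain-guard",
 rules,
 },
@@ -524,7 +524,7 @@ function formatSbom(report) {
 timestamp: report.timestamp,
 tools: {
 components: [
-{ type: "application", name: "supply-chain-guard", version: "5.2.
+{ type: "application", name: "supply-chain-guard", version: "5.2.37" },
 ],
 },
 component: {
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
 ` : ""}
 
 <footer>
-Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.
+Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.37
 </footer>
 </div>
 <script>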
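--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "supply-chain-guard",
-"version": "5.2.
+"version": "5.2.37",
 "description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",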