Add npm-scan to CI pipeline for supply chain security (website, snipe, kiwi frontends) #1

Open
opened 2026-06-03 20:09:21 -07:00 by pyr0ball · 0 comments

Summary

npm-scan (https://github.com/lateos-ai/npm-scan, Apache-2.0 + Commons Clause) is a supply chain security scanner for npm packages. It performs AST-level static and behavioral analysis to catch sophisticated attacks that npm audit and Snyk miss: obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, worm propagation, lifecycle hook abuse.

License

Apache-2.0 + Commons Clause — free for internal CI use, cannot be sold/redistributed as a service. CF using it in CI is explicitly in-bounds.

Scope

Add npx @lateos/npm-scan scan-lockfile as a CI step in the pre-publish / pre-release workflow for all CF products with npm-based frontends:

  • website (Nuxt 3)
  • snipe (Vue 3)
  • kiwi (Vue 3)
  • Any future Vue/Nuxt frontend

Implementation

Add to .forgejo/workflows/ (or circuitforge-hooks pre-push hook) for each affected repo:

```yaml
- name: Supply chain scan
  run: npx @lateos/npm-scan scan-lockfile --format sarif --output npm-scan.sarif
```

Optionally upload the SARIF file as a build artifact for an audit trail.

Policy-as-code

Add .npm-scan.yml to each repo to configure severity thresholds and allowlists for known-safe packages.

Notes

  • Zero telemetry — all scanning is local
  • 0% false positive rate reported against top-1,000 npm packages
  • v1.0.0 released June 2026, 12 stars — new but detection logic is solid
  • SBOM output (CycloneDX, SPDX) is a useful side effect for compliance
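As an added example (not code from the issue or from npm-scan): a small gate that the same CI job could run after the scan step, reading npm-scan.sarif and failing the build when any non-allowlisted finding is at or above a severity threshold. It assumes npm-scan writes standard SARIF 2.1.0 `level` values (error/warning/note); the rule ids and the sample document below are constructed for illustration.

```python
import json
import sys

# SARIF 2.1.0 result levels ordered by severity. Assumption: npm-scan uses
# the standard values rather than a custom severity property.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}


def gate(sarif, threshold="error", allowlist=()):
    """Return (blocking_rule_ids, counts_by_level) for a parsed SARIF document.

    A result blocks the build when its level is at/above `threshold` and its
    ruleId is not in `allowlist` (the allowlist mirrors the known-safe list
    the issue wants in .npm-scan.yml, applied here as a CI-side backstop).
    """
    min_level = LEVELS[threshold]
    counts = {name: 0 for name in LEVELS}
    blocking = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when absent
            counts[level] = counts.get(level, 0) + 1
            rule = result.get("ruleId", "")
            if rule in allowlist:
                continue
            if LEVELS.get(level, 0) >= min_level:
                blocking.append(rule)
    return blocking, counts


# Constructed sample in the shape the scan step writes; rule ids are invented.
SAMPLE = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "npm-scan"}},
        "results": [
            {"ruleId": "lifecycle-hook", "level": "error",
             "message": {"text": "postinstall runs obfuscated code"}},
            {"ruleId": "dynamic-require", "level": "warning",
             "message": {"text": "require() with a computed argument"}},
            {"ruleId": "env-access", "level": "note",
             "message": {"text": "reads process.env"}},
        ],
    }],
}


def main(path=None, threshold="error", allowlist=()):
    """CI entry point: exit 1 when blocking findings exist, else 0."""
    sarif = SAMPLE if path is None else json.load(open(path))
    blocking, counts = gate(sarif, threshold, allowlist)
    print("npm-scan findings by level:", counts)
    if blocking:
        print("blocking rules:", sorted(set(blocking)), file=sys.stderr)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as a follow-up step with `python gate.py npm-scan.sarif` so the job fails on blocking findings while the SARIF artifact is still uploaded (use `if: always()` on the upload step).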
Reference: Circuit-Forge/circuitforge-hooks#1