reddcoin-project/npm-security-scanner

Comprehensive security scanner for detecting compromised NPM packages and malicious code patterns in development projects. Recursively scans package.json, lockfiles, and node_modules to identify supply chain attacks with SARIF reporting for CI/CD integration.
πŸ” NPM Security Scanner

Python 3.8+ | License: MIT | Code style: black

A comprehensive security tool for detecting compromised NPM packages and malicious code patterns in development projects. Recursively scans package.json, lockfiles, and installed packages to identify known security threats.

🚨 What It Detects

  • Compromised Package Versions: Specific versions known to contain malicious code
  • Malicious Code Patterns: Hidden malware signatures using regex patterns
  • Multiple Package Formats: package.json, package-lock.json, yarn.lock, and node_modules
  • Nested Dependencies: Deep scanning of dependency trees
  • Scoped Packages: Full support for @scope/package naming

🚀 Quick Start

Installation

# Install from PyPI (when published)
pip install npm-security-scanner

# Or install from source
git clone https://github.com/reddcoin-project/npm-security-scanner.git
cd npm-security-scanner
pip install -e .

Basic Usage

# Scan current directory
npm-security-scanner .

# Scan specific project
npm-security-scanner /path/to/your/project

# Verbose output with debugging info
npm-security-scanner /path/to/project --verbose

# Generate JSON report
npm-security-scanner /path/to/project --report results.json

# Generate SARIF report for CI/CD
npm-security-scanner /path/to/project --sarif results.sarif

📋 Features

πŸ” Comprehensive Scanning

  • Package.json Analysis: Detects compromised packages in dependencies, devDependencies, peerDependencies, and optionalDependencies
  • Lockfile Inspection: Supports both npm v6 and v7+ package-lock.json formats
  • Yarn Support: Parses yarn.lock files for compromised packages
  • Installed Package Verification: Directly inspects node_modules directories
  • Nested Dependencies: Recursively scans nested node_modules up to configurable depth

🎯 Known Threats Detection

The scanner currently detects these compromised package versions:

  • chalk@5.6.1 - Malicious terminal styling package
  • debug@4.4.2 - Compromised debugging utility
  • strip-ansi@7.1.1 - Malicious ANSI string stripper
  • ansi-styles@6.2.2 - Compromised ANSI styling
  • And 15+ more packages
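To make the package.json and lockfile checks described above concrete, here is an added Python example (not the scanner's own code) that applies the four versions listed to every dependency section of package.json and to both lockfile layouts: the nested tree of npm v6 and the flat, install-path-keyed map of v7+, scoped names included. The sample inputs are constructed for the example.

```python
# Compromised versions named in this README (the scanner's own list is longer).
COMPROMISED = {"chalk": "5.6.1", "debug": "4.4.2",
               "strip-ansi": "7.1.1", "ansi-styles": "6.2.2"}
DEP_SECTIONS = ("dependencies", "devDependencies",
                "peerDependencies", "optionalDependencies")

def name_from_lock_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (v7+ lockfile keys)."""
    return path.rsplit("node_modules/", 1)[-1]

def check_package_json(data):
    """Return (section, name, spec) for specs pinned exactly to a compromised version.
    A range such as ^5.6.0 is not flagged here; what it resolves to is in the lockfile."""
    hits = []
    for section in DEP_SECTIONS:
        for name, spec in data.get(section, {}).items():
            if COMPROMISED.get(name) == spec:
                hits.append((section, name, spec))
    return hits

def check_lockfile(lock):
    """Return (install path, name@version) for npm v6 (nested) and v7+ (flat) lockfiles."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or name_from_lock_path(path)
            if COMPROMISED.get(name) == meta.get("version"):
                hits.append((path, f"{name}@{meta['version']}"))
    else:  # lockfileVersion 1: nested "dependencies" trees
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if COMPROMISED.get(name) == meta.get("version"):
                    hits.append((path, f"{name}@{meta['version']}"))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits

# Constructed sample inputs (not real project files): a pinned chalk in
# package.json and a transitively installed, nested debug in a v3 lockfile.
SAMPLE_PKG = {"dependencies": {"chalk": "5.6.1", "express": "^4.18.0"}}
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/chalk": {"version": "5.6.1"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/express/node_modules/debug": {"version": "4.4.2"},
    "node_modules/@scope/tool": {"version": "1.0.0"}}}
```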

πŸ•΅οΈ Malicious Code Detection

Uses ripgrep to search for known malicious patterns:

  • _0x112fa8 - Common obfuscation pattern used in NPM malware
  • Configurable pattern matching for new threats

📊 Progress Tracking

  • Real-time Progress Bar: Shows 0-100% completion with ETA
  • Directory Counting: Pre-calculates total scope for accurate progress
  • Performance Metrics: Displays scan time and directories processed

📋 Multiple Report Formats

JSON Reports

npm-security-scanner /path/to/project --report findings.json

SARIF Reports (CI/CD Integration)

npm-security-scanner /path/to/project --sarif results.sarif

SARIF reports integrate with:

  • GitHub Security Tab - Shows findings as security alerts
  • Azure DevOps - Displays results in pull requests
  • GitLab - Integrates with security dashboards
  • VS Code - Shows inline warnings/errors
  • Enterprise Security Platforms (Veracode, SonarQube, etc.)
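As an added illustration of the report shape these consumers expect (this is not the project's generate_sarif_report), the Python snippet below builds a SARIF 2.1.0 log from a list of findings and returns the exit status the README defines for CI failures. The rule ids, file paths and sample findings are assumptions constructed for the example.

```python
import json

# Rule ids and descriptions are assumptions for this example; the scanner's own
# generate_sarif_report may use different ids.
RULES = {
    "compromised-package": ("error", "Dependency at a known compromised version"),
    "malicious-pattern": ("warning", "Known malware obfuscation pattern in file"),
}

def to_sarif(findings, tool_name="npm-security-scanner", tool_version="0.0.0-example"):
    """Build a SARIF 2.1.0 log dict. Each finding: rule, message, file, optional line."""
    rules = [{"id": rid, "shortDescription": {"text": text},
              "defaultConfiguration": {"level": level}}
             for rid, (level, text) in RULES.items()]
    results = []
    for f in findings:
        # uriBaseId lets consumers resolve the path against the repository root.
        phys = {"artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"}}
        if "line" in f:
            phys["region"] = {"startLine": f["line"]}
        results.append({"ruleId": f["rule"], "level": RULES[f["rule"]][0],
                        "message": {"text": f["message"]},
                        "locations": [{"physicalLocation": phys}]})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                          "rules": rules}},
                      "results": results}]}

def to_sarif_json(findings):
    """Serialised form, ready to be written to results.sarif."""
    return json.dumps(to_sarif(findings), indent=2)

def exit_code(findings):
    """Exit status per the README: 1 when anything was found, else 0."""
    return 1 if findings else 0

# Constructed findings mirroring what the README's example project should produce.
SAMPLE_FINDINGS = [
    {"rule": "compromised-package", "message": "chalk@5.6.1 in dependencies",
     "file": "package.json"},
    {"rule": "malicious-pattern", "message": "_0x112fa8 marker found",
     "file": "node_modules/debug/src/index.js", "line": 1},
]
```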

🔧 Command Line Options

npm-security-scanner [OPTIONS] ROOT_PATH

Arguments:
  ROOT_PATH                 Root path to scan recursively

Options:
  --version                 Show version and exit
  --verbose, -v             Enable verbose debug output
  --report FILE, -r FILE    Generate JSON report file
  --sarif FILE, -s FILE     Generate SARIF report for CI/CD integration
  --max-depth DEPTH        Maximum depth for nested node_modules (default: 10)
  --help                   Show this message and exit

🔄 CI/CD Integration

GitHub Actions

name: NPM Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
          
      - name: Install NPM Security Scanner
        run: pip install npm-security-scanner
        
      - name: Run Security Scan
        run: npm-security-scanner . --sarif results.sarif
        
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: results.sarif

Azure DevOps

- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.10'

- script: |
    pip install npm-security-scanner
    npm-security-scanner $(Build.SourcesDirectory) --sarif $(Agent.TempDirectory)/results.sarif
  displayName: 'NPM Security Scan'

- task: PublishTestResults@2
  inputs:
    testResultsFormat: 'SARIF'
    testResultsFiles: '$(Agent.TempDirectory)/results.sarif'

🧪 Development & Testing

Running Tests

# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Run tests with coverage
pytest --cov=npm_security_scanner --cov-report=html

# Run specific test file
pytest tests/test_scanner.py -v

Code Quality

# Format code
black npm_security_scanner tests

# Lint code
flake8 npm_security_scanner tests

# Type checking
mypy npm_security_scanner

Testing with Example Project

The repository includes a test project with intentionally compromised packages:

# Test on example project (should find issues)
npm-security-scanner examples/test_project --verbose

# Should detect:
# - chalk@5.6.1 in package.json dependencies
# - debug@4.4.2 in installed packages
# - Multiple _0x112fa8 malicious code patterns

📚 API Usage

from npm_security_scanner import NPMSecurityScanner

# Create scanner instance
scanner = NPMSecurityScanner("/path/to/project", verbose=True)

# Run scan
scanner.scan_recursive()

# Check results
if scanner.findings:
    print(f"Found {len(scanner.findings)} security issues!")
    
    # Generate reports
    scanner.generate_report("findings.json")
    scanner.generate_sarif_report("results.sarif")
else:
    print("No security issues found!")

πŸ›‘οΈ Security Context

This tool is designed for defensive security purposes only:

  • ✅ Detecting compromised packages in existing codebases
  • ✅ Analyzing potential security threats in dependencies
  • ✅ Generating security reports for compliance
  • ✅ Integrating with CI/CD pipelines for automated scanning

The tool helps developers and security teams proactively identify supply chain attacks targeting the NPM ecosystem.

📊 Exit Codes

  • 0 - No compromised packages found
  • 1 - Compromised packages detected (security alert)

This allows easy integration with CI/CD pipelines that can fail builds when security issues are found.

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Make your changes
  4. Add tests for new functionality
  5. Run the test suite (pytest)
  6. Commit your changes (git commit -m 'Add amazing feature')
  7. Push to the branch (git push origin feature/amazing-feature)
  8. Open a Pull Request

Reporting Security Issues

For security vulnerabilities, please email security@example.com instead of using the public issue tracker.

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ™ Acknowledgments

  • Built for the security community to combat NPM supply chain attacks
  • Uses ripgrep for high-performance pattern matching
  • Follows SARIF 2.1.0 specification for security reporting
  • Inspired by the need for better NPM package security tooling

📞 Support


⚠️ Stay vigilant against supply chain attacks! ⚠️
