
@dreamhorizonorg/sentinel


Open-source, zero-dependency tool that blocks compromised packages BEFORE download. Built to counter supply chain and credential theft attacks like Shai-Hulud.

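/**
 * Vulnerability Providers
 * Central registry and manager for all vulnerability providers.
 */
import { OSVProvider } from './osv.provider.mjs';
import { GitHubAdvisoriesProvider } from './github-advisories.provider.mjs';
import { SnykProvider } from './snyk.provider.mjs';

/**
 * All available provider classes, keyed by a short identifier.
 */
export const PROVIDERS = {
  OSV: OSVProvider,
  GITHUB: GitHubAdvisoriesProvider,
  SNYK: SnykProvider
};

/**
 * Build the list of enabled provider instances from config.
 *
 * OSV and GitHub Advisories are on unless explicitly disabled
 * (`config.providers.<key>.enabled === false`); Snyk is off unless
 * explicitly enabled (`config.providers.snyk.enabled === true`), since it
 * requires a token. The returned order is the priority order that
 * checkWithProviders() uses to pick a result.
 *
 * @param {object} [config={}] - tool config; only `config.providers` is read
 * @returns {Array<object>} enabled provider instances, in priority order
 */
export function getEnabledProviders(config = {}) {
  const providersConfig = config.providers ?? {};
  const providers = [];

  // OSV (enabled by default)
  if (providersConfig.osv?.enabled !== false) {
    providers.push(new OSVProvider());
  }

  // GitHub Advisories (enabled by default)
  if (providersConfig.github?.enabled !== false) {
    providers.push(new GitHubAdvisoriesProvider());
  }

  // Snyk (disabled by default, requires token)
  if (providersConfig.snyk?.enabled === true) {
    providers.push(new SnykProvider());
  }

  return providers;
}

/**
 * Map a provider's display name to its key under `config.providers`.
 * "GitHub Advisories" is configured as `github`; every other name is
 * lower-cased with whitespace removed (e.g. "OSV" -> "osv").
 *
 * @param {object} provider - provider instance carrying a `name` property
 * @returns {string} the config key
 */
function providerConfigKey(provider) {
  const key = String(provider.name ?? '').toLowerCase().replace(/\s+/g, '');
  return key === 'githubadvisories' ? 'github' : key;
}

/**
 * Check a package against all enabled providers.
 *
 * All providers are queried in parallel. The result of the first provider
 * (in priority order, see getEnabledProviders()) that reports a finding is
 * returned — this is provider priority order, not severity order.
 *
 * A provider whose check rejects (network error, missing or invalid token,
 * provider bug) or resolves without a usable result cannot vouch for the
 * package. Such failures are not treated as findings, but they are reported
 * in `errors` on a `{ found: false }` result so the caller can decide whether
 * to fail open or closed instead of silently trusting an incomplete scan.
 *
 * @param {string} packageName - package to check
 * @param {string|null} [version=null] - version to check, or null for any
 * @param {object} [config={}] - tool config; `config.providers.<key>` is merged
 *   over `config` and passed to that provider's check()
 * @returns {Promise<object>} the first provider result with `found: true`,
 *   otherwise `{ found: false }`, with an `errors` array (`{ provider, error }`
 *   entries) when at least one provider check failed
 */
export async function checkWithProviders(packageName, version = null, config = {}) {
  const providers = getEnabledProviders(config);
  if (providers.length === 0) {
    return { found: false };
  }

  const providersConfig = config.providers ?? {};

  // Query every provider concurrently; allSettled so that one failure does
  // not discard the other providers' answers.
  const results = await Promise.allSettled(
    providers.map((provider) => {
      const providerConfig = providersConfig[providerConfigKey(provider)] ?? {};
      return provider.check(packageName, version, { ...config, ...providerConfig });
    })
  );

  const errors = [];
  for (const [index, result] of results.entries()) {
    if (result.status === 'rejected') {
      // Keep the failure visible rather than treating it as "no finding".
      errors.push({ provider: providers[index].name, error: result.reason });
      continue;
    }
    // Providers are ordered by priority, so the first finding wins.
    // Optional chaining guards a provider that resolves with null/undefined.
    if (result.value?.found) {
      return result.value;
    }
  }

  return errors.length > 0 ? { found: false, errors } : { found: false };
}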