UNPKG

supamend

Version:

Pluggable DevSecOps Security Scanner with 10+ scanners and multiple reporting channels

github.com/zmelliti/supamend

zmelliti/supamend

152 lines 6.57 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); Object.defineProperty(exports, "__esModule", { value: true }); exports.TrivyScanner = void 0; const child_process_1 = require("child_process"); const path = __importStar(require("path")); const fs = __importStar(require("fs-extra")); class TrivyScanner { constructor() { this.name = 'trivy'; this.description = 'Scan for vulnerabilities in container images and filesystems using Trivy'; this.version = '1.0.0'; } async init(config) { // Check if trivy is available const isAvailable = await this.isAvailable(); if (!isAvailable) { throw new Error('Trivy is not installed. See https://aquasecurity.github.io/trivy/v0.18.3/getting-started/installation/'); } } async scan(repoPath, options) { return new Promise((resolve, reject) => { const results = []; const reportPath = path.join(repoPath, 'trivy-report.json'); // Prepare trivy command const args = [ 'fs', '--format', 'json', '--output', reportPath, repoPath ]; // Add severity filter if provided if (options?.severity) { args.push('--severity', options.severity); } // Add additional scan types if provided if (options?.scanTypes) { args.push('--scanners', options.scanTypes.join(',')); } const trivy = (0, child_process_1.spawn)('trivy', args); let stdout = ''; let stderr = ''; trivy.stdout.on('data', (data) => { stdout += data.toString(); }); trivy.stderr.on('data', (data) => { stderr += data.toString(); }); trivy.on('close', async (code) => { try { // Trivy returns 0 for success, 1 when vulnerabilities are found if (code === 0 || code === 1) { if (await fs.pathExists(reportPath)) { const reportContent = await fs.readFile(reportPath, 'utf-8'); const report = JSON.parse(reportContent); for (const result of report.Results || []) { for (const vuln of result.Vulnerabilities || []) { const scanResult = { id: `${this.name}-${vuln.VulnerabilityID}-${result.Target}`, type: 'vulnerability', severity: this.mapSeverity(vuln.Severity), title: vuln.Title || vuln.VulnerabilityID, description: vuln.Description || `Vulnerability in ${vuln.PkgName}`, file: result.Target, line: 0, column: 0, rule: vuln.VulnerabilityID, scanner: this.name, timestamp: new Date(), metadata: { packageName: vuln.PkgName, installedVersion: vuln.InstalledVersion, fixedVersion: vuln.FixedVersion, references: vuln.References, cvss: vuln.CVSS, cwe: vuln.CweIDs } }; results.push(scanResult); } } // Clean up report file await fs.remove(reportPath); } } resolve(results); } catch (error) { reject(new Error(`Failed to parse trivy results: ${error}`)); } }); trivy.on('error', (error) => { reject(new Error(`Trivy execution failed: ${error.message}`)); }); }); } async isAvailable() { return new Promise((resolve) => { const trivy = (0, child_process_1.spawn)('trivy', ['--version']); trivy.on('close', (code) => { resolve(code === 0); }); trivy.on('error', () => { resolve(false); }); }); } mapSeverity(severity) { switch (severity.toLowerCase()) { case 'critical': return 'critical'; case 'high': return 'high'; case 'medium': return 'medium'; case 'low': return 'low'; default: return 'low'; } } } exports.TrivyScanner = TrivyScanner; exports.default = new TrivyScanner(); //# sourceMappingURL=trivy.js.map