• Stars
    star
    139
  • Rank 262,954 (Top 6 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created over 2 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Small tool to inform you about potential risks in project dependencies list

sdc-check

Small tool to inform you about potential risks in your project dependencies list:

  • Lock file is not safe (lockfile-is-not-safe). During the development process a malicious actor could replace URLs in a lock file to package with malicious code (it is especially dangerous because it is hard to catch in PR review)

  • The newest package version is too new (package-is-too-new). A new version of a package could be vulnerable. It might be safer to wait X days before upgrading to the new version and let community test it

  • Installation Script (install-scripts). An attacker can use installation scripts to run commands that perform malicious acts through the package installation step

  • Obfuscated code (obfuscated-code). A package contains obfuscated code which may point to attempt of hiding potentially malicious code

  • A package has OS scripts (has-os-scripts). An attacker can use .bat/.sh scripts to execute malicious actions (downloading and launching mining apps, etc)

  • A package script has shell commands (dangerous-shell-commands). Package script could have potentially dangerous commands to perform malicious actions (curl, wget, chmod, cacls, etc)

  • The newest package version is released after a long period of inactivity (released-after-long-period-of-inactivity). There is a possibility that an attacker could hijack an account and publish malicious code

  • Unmaintained Package (unmaintained-package). A package has no updates for at least one year

  • Too many decision makers (too-many-decision-makers). A package with too many maintainers/publishers will provide an attacker many targets to exploit account takeover and social engineering attacks

  • No source code repository (no-source-code). When a package has no source code repository/homepage the access to review source code is restricted, forcing users to trust a package blindly

Usage

Add to your project

Add new npm command to script section in your package.json

"scripts": {
  "sdc-check": "sdc-check -d .",
}

Use in your CI pipeline

Add new step to your pipeline

# Github Actions example:
- name: Check dependencies with sdc-check
run: yarn sdc-check

Configure

Add new "sdc-check" section in your package.json to change defaults

  • options define metrics behaviour
  • errors define set of metrics when audit should fail if those metrics won't pass
"sdc-check": {
  "options": {
    "limitOfDecisionMakers": 7,
    "daysBeforeUpgradeToNewVersion": 5,
    "monthsOfInactivityAllowed": 10
  },
  "errors": [
    "package-is-too-new",
    "lockfile-is-not-safe",
    "has-os-scripts",
    "dangerous-shell-commands"
  ]
}

Ignore errors (do it wisely)

Add .sdccheckignore to your project root directory

# Ignore errors caused by unmaintained-package metric for [email protected]
[email protected] | unmaintained-package

# Ignore all errors for [email protected]
[email protected]

# Ignore errors caused by unmaintained-package and
# released-after-long-period-of-inactivity metrics for sdc-check
sdc-check | unmaintained-package, released-after-long-period-of-inactivity

# Ignore all errors for sdc-check
sdc-check

Check npm package

Find out more about a package before adding it to your dependencies list

npx sdc-check -p ua-parser-js -v 1.0.2

Wandering what has changed in the newest version of some package?

Use npm diff command to find out

Common threats in supply chain security

  1. Malicious code injection: During the development process an attacker could add malicious code to a package codebase (it is dangerous because it may be hard to catch in PR review).

  2. Malicious package release: An attacker may publish malicious packages and hence trick other users into installing or depending on such packages.

  3. Social Engineering: An attacker may manipulate a maintainer to hand over sensitive information.

  4. Account Takeover: An attacker may compromise the credentials of a maintainer to inject malicious code under the maintainer’s name.

  5. Ownership transfer: An attacker can show enthusiasm to maintain popular abandoned packages and transfer the ownership of a package.

  6. Remote execution: An attacker may target a package by compromising the third-party services used by that package.

Roadmap

Status Name Description
To do Expired Maintainer Domain An attacker can hijack a package if a maintainer’s domain is expired (info)

Install

npm i -D sdc-check

or

yarn add -D sdc-check

Acknowledgments

License

MIT