NPM.Provenance (NPM v0.6.0)


Supply chain provenance checking for npm packages.

Validates SLSA provenance attestations, checks build source transparency, and identifies packages published from CI.

Summary

Functions

format_summary(summary) - Formats the risk summary for display.

has_integrity?(entry) - Checks that a package entry carries an integrity hash.

has_provenance?(entry) - Checks if a package entry has provenance information.

risk_summary(lockfile) - Returns a supply chain risk summary for the lockfile.

scan(lockfile) - Scans a lockfile and partitions its packages into those with and without provenance.

trusted_registry?(registry_url) - Checks if a package's registry is trusted.

Functions

format_summary(summary)

@spec format_summary(map()) :: String.t()

Formats the risk summary for display.

has_integrity?(entry)

@spec has_integrity?(map()) :: boolean()

Checks that a package entry carries an integrity hash.

has_provenance?(entry)

@spec has_provenance?(map()) :: boolean()

Checks if a package entry has provenance information.

risk_summary(lockfile)

@spec risk_summary(map()) :: map()

Returns a supply chain risk summary for the lockfile.

scan(lockfile)

@spec scan(map()) :: %{with_provenance: [String.t()], without: [String.t()]}

Scans a lockfile and partitions its packages into those with and without provenance.

trusted_registry?(registry_url)

@spec trusted_registry?(String.t()) :: boolean()

Checks if a package's registry is trusted.
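As an added example (not part of the NPM.Provenance docs or the NPM package itself), a CI gate that composes the functions above into a single pass/fail decision. It assumes the lockfile argument is the decoded package-lock.json map with a "packages" key whose entries carry "resolved" and "integrity" fields, that trusted_registry?/1 accepts a registry origin such as "https://registry.npmjs.org", and that Jason is available for decoding; ProvenanceGate and registry_of/1 are hypothetical names.

```elixir
# Added example, not code from the NPM.Provenance module.
# Assumption: `lockfile` is the decoded package-lock.json map (v2/v3 layout),
# keyed by path under "packages"; the root entry "" is the project itself.
defmodule ProvenanceGate do
  alias NPM.Provenance

  @doc "Returns {:ok, report} when every package passes, {:error, report} otherwise."
  def check(lockfile_path) do
    lockfile = lockfile_path |> File.read!() |> Jason.decode!()

    entries =
      lockfile
      |> Map.get("packages", %{})
      |> Enum.reject(fn {path, _entry} -> path == "" end)

    # Packages resolved from a registry the module does not trust.
    untrusted =
      entries
      |> Enum.filter(fn {_path, entry} -> is_binary(entry["resolved"]) end)
      |> Enum.reject(fn {_path, entry} ->
        Provenance.trusted_registry?(registry_of(entry["resolved"]))
      end)
      |> Enum.map(fn {path, entry} -> {path, entry["resolved"]} end)

    # Packages whose lockfile entry has no integrity hash to pin the tarball.
    no_integrity =
      for {path, entry} <- entries, not Provenance.has_integrity?(entry), do: path

    # Attested vs. unattested packages, as reported by scan/1.
    %{with_provenance: attested, without: unattested} = Provenance.scan(lockfile)

    report = %{
      untrusted_registry: untrusted,
      missing_integrity: no_integrity,
      attested: attested,
      unattested: unattested,
      summary: lockfile |> Provenance.risk_summary() |> Provenance.format_summary()
    }

    if untrusted == [] and no_integrity == [] and unattested == [],
      do: {:ok, report},
      else: {:error, report}
  end

  # Assumption: trusted_registry?/1 expects the registry origin, so reduce a
  # resolved tarball URL to scheme://host before asking.
  defp registry_of(url) do
    %URI{scheme: scheme, host: host} = URI.parse(url)
    "#{scheme}://#{host}"
  end
end
```

In a CI step, `ProvenanceGate.check("package-lock.json")` prints `report.summary` and the job exits non-zero on `{:error, _}`, so a new unattested or untrusted dependency fails the build rather than slipping in silently.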