undont/supplyscan
GitHub: undont/supplyscan
一款跨 npm 与 PyPI 生态的供应链安全扫描工具,通过解析多种 lockfile 检测恶意包入侵 IOC 与已知漏洞。
Stars: 0 | Forks: 0
# supplyscan
**扫描 JavaScript 和 Python lockfile 以检测供应链入侵和已知漏洞。**
[](https://github.com/undont/supplyscan/actions/workflows/release.yml)
[](https://github.com/undont/supplyscan/releases/latest)
[](LICENCE)
[](https://go.dev)
[](https://github.com/undont/supplyscan/releases/latest)
[](https://github.com/undont/supplyscan/releases/latest)
[](https://modelcontextprotocol.io)
[快速开始](#quick-start) · [安装](#installation) · [CLI 用法](#cli-usage) · [MCP Server](#mcp-server-integration) · [数据源](#data-sources)

## 快速开始
```
brew install undont/tap/supplyscan
supplyscan scan # scan current directory
supplyscan check lodash 4.17.20 # check an npm package
supplyscan check django 2.2.0 -e pypi # check a PyPI package
```
## 功能
- **跨 npm 和 PyPI 的供应链检测**:聚合来自 DataDog(Shai-Hulud v2 和 TeamPCP / Mini Shai-Hulud)、GitHub Advisory Database 和 OSV.dev 的 IOC,按生态系统匹配,以防止同名包发生冲突
- **漏洞扫描**:通过 npm audit API 扫描 npm,通过 OSV.dev 扫描 PyPI
- **多格式 lockfile 支持**:覆盖 npm、Yarn (classic & berry)、pnpm、Bun、Deno 和 Python (pip、Poetry、Pipenv、uv、PDM)
- **启发式建议**:针对运行安装脚本的包,以及包名或 URL 中不可见或非 ASCII 字符的检测
- **CLI 和 MCP 模式**集成于单一二进制文件中,可通过 `--mcp` 切换
- **JSON 输出**:适用于脚本和 CI 使用
- **按来源缓存**:具有可配置的 TTL,使每个 IOC 源按各自的计划刷新
### 支持的 Lockfile
| 包管理器 | Lockfile |
|-----------------|----------|
| npm | `package-lock.json`, `npm-shrinkwrap.json` |
| Yarn Classic | `yarn.lock` (v1) |
| Yarn Berry | `yarn.lock` (v2+) |
| pnpm | `pnpm-lock.yaml` |
| Bun | `bun.lock` |
| Deno | `deno.lock` |
| pip | `requirements.txt` |
| Poetry | `poetry.lock` |
| Pipenv | `Pipfile.lock` |
| uv | `uv.lock` |
| PDM | `pdm.lock` |
使用 Go 编写并作为静态二进制文件发布,因此扫描器本身不会被它所扫描的包生态系统入侵。
## 安装
### Homebrew
```
brew install undont/tap/supplyscan
```
### Go 安装
```
go install github.com/undont/supplyscan/cmd/supplyscan@latest
```
需要 Go 1.26+ 且 `$GOPATH/bin` 在你的 PATH 中。
下载二进制文件
预构建的二进制文件可从 [GitHub Releases](https://github.com/undont/supplyscan/releases) 获取: ``` # macOS (Apple Silicon) curl -L https://github.com/undont/supplyscan/releases/latest/download/supplyscan-darwin-arm64 \ -o /usr/local/bin/supplyscan && chmod +x /usr/local/bin/supplyscan # macOS (Intel) curl -L https://github.com/undont/supplyscan/releases/latest/download/supplyscan-darwin-amd64 \ -o /usr/local/bin/supplyscan && chmod +x /usr/local/bin/supplyscan # Linux (x64) curl -L https://github.com/undont/supplyscan/releases/latest/download/supplyscan-linux-amd64 \ -o /usr/local/bin/supplyscan && chmod +x /usr/local/bin/supplyscan ```从源码构建
``` git clone https://github.com/undont/supplyscan.git cd supplyscan go build -o supplyscan ./cmd/supplyscan mv supplyscan /usr/local/bin/ ```工具参数
#### `supplyscan_scan` | 参数 | 类型 | 描述 | |-----------|------|-------------| | `path` | string | 项目目录的路径 | | `include_dev` | boolean | 包含开发依赖(默认:`true`) | #### `supplyscan_check` | 参数 | 类型 | 描述 | |-----------|------|-------------| | `package` | string | 包名 | | `version` | string | 包版本 | | `ecosystem` | string | `npm`(默认)或 `pypi` | #### `supplyscan_refresh` | 参数 | 类型 | 描述 | |-----------|------|-------------| | `force` | boolean | 即使缓存是最新的也强制刷新 |标签:EVTX分析, Go, LNA, Ruby工具, WebSocket, 依赖分析, 动态分析, 文档安全, 日志审计