aegis-scan 0.3.0

Supply chain security CLI for npm — detect malicious packages before installing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

# Contributing to Aegis

Thank you for your interest in contributing to Aegis! This guide will help you get set up and productive quickly.

## Development Environment

### Prerequisites

- **Rust toolchain** (stable) -- install via [rustup](https://rustup.rs/)
- **Git**

### Setup

```bash
git clone https://github.com/z8run/aegis.git
cd aegis
cargo build
cargo test
```

### Running Locally

```bash
# Check a package
cargo run -- check axios

# Scan a project
cargo run -- scan /path/to/project

# With debug logging
cargo run -- -v check lodash
```

## Project Structure

```
src/
  main.rs           # CLI definition, entry point, check/scan commands
  types.rs          # Core types: Finding, Severity, AnalysisReport, RiskLabel
  cache.rs          # Local result caching
  registry/
    client.rs       # npm registry API client
    tarball.rs      # Tarball download and extraction
  analyzers/
    mod.rs          # Analyzer trait definition
    static_code.rs  # Regex-based pattern matching
    ast.rs          # Tree-sitter AST analysis
    install_scripts.rs  # Suspicious install script detection
    obfuscation.rs  # Obfuscated code detection
    maintainer.rs   # Maintainer change tracking
    diff.rs         # Version diff analysis
    hallucination.rs # AI hallucination package detection
    cve.rs          # CVE lookup via OSV.dev
    deptree.rs      # Dependency tree scanning
  rules/
    loader.rs       # YAML rule loading and built-in rules
    engine.rs       # Rules engine (compiles YAML rules to regex matchers)
  scoring/
    calculator.rs   # Risk score calculation and labeling
  output/
    terminal.rs     # Tree-style terminal output
    json.rs         # JSON output for CI
rules/
  examples/         # Example community YAML rules
```

## How to Add a New Analyzer

1. Create a new file in `src/analyzers/`, e.g. `src/analyzers/my_analyzer.rs`.

2. Implement the `Analyzer` trait:

```rust
use std::path::PathBuf;
use crate::analyzers::Analyzer;
use crate::types::{Finding, FindingCategory, Severity};

pub struct MyAnalyzer;

impl Analyzer for MyAnalyzer {
    fn analyze(
        &self,
        files: &[(PathBuf, String)],
        package_json: &serde_json::Value,
    ) -> Vec<Finding> {
        let mut findings = Vec::new();
        // Your detection logic here
        findings
    }
}
```

3. Register the module in `src/analyzers/mod.rs`:

```rust
pub mod my_analyzer;
```

4. Add it to the analyzer list in `src/main.rs` inside `analyze_package()`:

```rust
let all_analyzers: Vec<Box<dyn Analyzer>> = vec![
    // ...existing analyzers...
    Box::new(analyzers::my_analyzer::MyAnalyzer),
];
```

5. Write tests in the same file or in a separate test module.

## How to Add YAML Rules

YAML rules do not require any Rust code changes. Simply create a `.yml` file with the following format:

```yaml
id: "CUSTOM-001"
name: "Rule name"
description: "What this rule detects"
severity: high          # critical, high, medium, low, info
category: suspicious    # code_execution, network_access, process_spawn, etc.
pattern: "regex_here"   # Regex pattern matched against each line
file_pattern: "*.js"    # Optional: glob to filter files
exclude_paths:          # Optional: paths to skip
  - "node_modules/"
  - "test/"
```

Place the file in the `rules/` directory and it will be loaded automatically at runtime.

See `rules/examples/` for working examples. Run the test suite after adding rules to make sure your regex patterns compile:

```bash
cargo test
```

## Code Style

- **Format** all code with `rustfmt` before committing:

  ```bash
  cargo fmt
  ```

- **Lint** with Clippy and fix any warnings:

  ```bash
  cargo clippy -- -W clippy::all
  ```

- Keep functions focused and well-documented. Public items should have doc comments (`///`).
- Prefer returning `Vec<Finding>` over mutating shared state.
- Use `anyhow::Result` for fallible operations and `thiserror` for custom error types.

## Pull Request Process

1. **Fork** the repository and create a feature branch from `main`.
2. Make your changes, including tests for new functionality.
3. Ensure all checks pass:

   ```bash
   cargo fmt --check
   cargo clippy -- -W clippy::all
   cargo test
   ```

4. Write a clear PR description explaining what the change does and why.
5. One approval from a maintainer is required to merge.

## Reporting Issues

- Use [GitHub Issues](https://github.com/z8run/aegis/issues) for bugs and feature requests.
- For security vulnerabilities, please email security@z8run.dev instead of opening a public issue.

Thank you for helping make the npm ecosystem safer!