aegis-scan 0.3.0

Supply chain security CLI for npm — detect malicious packages before installing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

# Troubleshooting

Common issues and solutions for Aegis.

---

## "Rate limit exceeded" from GitHub API

The provenance analyzer compares npm tarball contents against the GitHub source repository. Unauthenticated requests are limited to 60/hour by GitHub.

**Fix:** Set a `GITHUB_TOKEN` environment variable with a personal access token (no special scopes required):

```bash
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aegis-scan check some-package
```

In CI, use a repository secret:

```yaml
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

---

## False positive on a legitimate package

If a package triggers a finding you believe is incorrect, you have two options:

**Option 1 -- Ignore a specific rule for one scan:**

```bash
aegis-scan check my-package --ignore-rule STATIC-001
```

You can pass `--ignore-rule` multiple times to suppress several rules.

**Option 2 -- Create an `.aegisignore` file** in your project root to persistently ignore specific packages or rules:

```
# Ignore a specific package entirely
lodash
@types/node

# Ignore a specific rule ID
rule:STATIC-001
rule:OBFUSC-001
```

---

## Scan is slow on large projects

A full project scan checks every dependency in `package.json`. Several options can speed things up:

**Skip devDependencies:**

```bash
aegis-scan scan . --skip-dev
```

**Understand caching:** Results are cached locally in `~/.aegis/cache/` with a 24-hour TTL. Repeated scans of the same package version will be nearly instant.

**Force a fresh scan** if you suspect stale cache data:

```bash
aegis-scan check axios --no-cache
```

**Clear the entire cache:**

```bash
aegis-scan cache clear
```

---

## Binary not found after `cargo install`

After running `cargo install aegis-scan`, the `aegis-scan` binary is placed in `~/.cargo/bin/`.

**Fix:** Make sure `~/.cargo/bin` is in your `PATH`:

```bash
# bash / zsh
export PATH="$HOME/.cargo/bin:$PATH"

# Verify
which aegis-scan
```

Add the export line to your shell profile (`~/.bashrc`, `~/.zshrc`, etc.) to make it permanent.

---

## SARIF output not showing in GitHub Security tab

The SARIF format integrates with GitHub's code scanning alerts. If results are not appearing:

1. **Generate SARIF output** in your workflow:

   ```yaml
   - name: Run Aegis
     run: aegis-scan scan . --sarif > results.sarif

   - name: Upload SARIF
     uses: github/codeql-action/upload-sarif@v3
     with:
       sarif_file: results.sarif
   ```

   Or use the official action with `sarif: 'true'`:

   ```yaml
   - uses: z8run/aegis-action@v1
     with:
       path: '.'
       sarif: 'true'
   ```

2. **Check repository settings:** Go to Settings > Code security and analysis and confirm that "Code scanning" is enabled.

3. **Check permissions:** The workflow needs `security-events: write` permission to upload SARIF results.

---

## "Package not found" error

This means the package could not be fetched from the npm registry.

**Common causes:**

- Typo in the package name. Double-check spelling, especially for scoped packages (`@scope/name`).
- The package is private or unpublished. Aegis queries the public npm registry at `https://registry.npmjs.org`.
- Temporary npm registry outage. Check [status.npmjs.org](https://status.npmjs.org).

```bash
# Verify the package exists
npm view some-package version
```

---

## High risk score on a known-good package

The risk score (0--10) is a weighted sum of all findings. A high score does not necessarily mean a package is malicious -- it means Aegis detected patterns that warrant review.

**How scoring works:**

| Severity | Weight per finding |
|---|---|
| Critical | 3.0 |
| High | 1.5 |
| Medium | 0.5 |
| Low | 0.1 |

A package with several medium-severity findings (e.g., legitimate network calls and file writes) can accumulate a moderate score. Review the individual findings listed in the output to decide whether they represent actual risk in your context.

| Score | Label |
|---|---|
| 0--1 | CLEAN |
| 1--3 | LOW RISK |
| 3--5 | MEDIUM RISK |
| 5--7 | HIGH RISK |
| 7--10 | DO NOT INSTALL |

---

## Colors not showing or garbled output

Aegis uses the `colored` crate for terminal output, which respects the `NO_COLOR` standard.

**Disable colors** if your terminal does not support ANSI escape codes:

```bash
NO_COLOR=1 aegis-scan check axios
```

**Piping or redirecting output** automatically disables colors in most terminals. If colors still appear in piped output, set `NO_COLOR=1` explicitly.

**Windows:** Colors work in Windows Terminal and PowerShell. The legacy `cmd.exe` console may not render ANSI codes correctly -- use Windows Terminal instead, or set `NO_COLOR=1`.