Implement basic bun security scanner for safe chain

2026-05-26 12:10:49 +00:00 · 2025-09-05 14:19:02 +02:00 · 2025-09-05 14:19:02 +02:00 · dc3ab32078
commit dc3ab32078
parent 8450b80223
6 changed files with 420 additions and 1 deletions
--- a/packages/safe-chain-bun/package.json
+++ b/packages/safe-chain-bun/package.json
@ -0,0 +1,30 @@
+{
+  "name": "@aikidosec/safe-chain-bun",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "src/index.js",
+  "scripts": {
+    "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'"
+  },
+  "exports": {
+    ".": {
+      "bun": "./src/index.js",
+      "default": "./src/index.js"
+    }
+  },
+  "keywords": ["bun", "security", "scanner", "malware", "aikido"],
+  "author": "Aikido Security",
+  "license": "AGPL-3.0-or-later",
+  "description": "Aikido Security Scanner for Bun package manager - detects malware and security threats during package installation",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/AikidoSec/safe-chain.git",
+    "directory": "packages/safe-chain-bun"
+  },
+  "dependencies": {
+    "@aikidosec/safe-chain": "file:../safe-chain"
+  },
+  "peerDependencies": {
+    "bun": ">=1.2.21"
+  }
+}
--- a/packages/safe-chain-bun/src/index.js
+++ b/packages/safe-chain-bun/src/index.js
@ -0,0 +1,37 @@
+import { auditChanges } from "@aikidosec/safe-chain/scanning";
+
+// Bun Security Scanner for Safe-Chain
+// This is the entry point for Bun's native security scanner integration
+
+export const scanner = {
+  version: "1", // Our scanner is using version 1 of the bun security scanner API.
+
+  async scan({ packages }) {
+    const advisories = [];
+
+    try {
+      const changes = packages.map((pkg) => ({
+        name: pkg.name,
+        version: pkg.version,
+        type: "add",
+      }));
+
+      const audit = await auditChanges(changes);
+
+      if (!audit.isAllowed) {
+        for (const change of audit.disallowedChanges) {
+          advisories.push({
+            level: "fatal", // Fatal will block the installation process, this is what we want for packages that contain malware.
+            package: change.name,
+            url: null,
+            description: `Package ${change.name}@${change.version} contains known security threats (${change.reason}). Installation blocked by Safe-Chain.`,
+          });
+        }
+      }
+    } catch (error) {
+      console.warn(`Safe-Chain security scan failed: ${error.message}`);
+    }
+
+    return advisories;
+  },
+};
--- a/packages/safe-chain-bun/src/index.spec.js
+++ b/packages/safe-chain-bun/src/index.spec.js
@ -0,0 +1,140 @@
+import assert from "node:assert/strict";
+import { describe, it, mock } from "node:test";
+
+describe("Bun Scanner", async () => {
+  const mockAuditChanges = mock.fn();
+
+  // Mock the scanning module
+  mock.module("@aikidosec/safe-chain/scanning", {
+    namedExports: {
+      auditChanges: mockAuditChanges,
+    },
+  });
+
+  const { scanner } = await import("./index.js");
+
+  it("should export scanner object with version", () => {
+    assert.strictEqual(scanner.version, "1");
+    assert.strictEqual(typeof scanner.scan, "function");
+  });
+
+  it("should return empty advisories for clean packages", async () => {
+    mockAuditChanges.mock.mockImplementation(() => ({
+      allowedChanges: [{ name: "express", version: "4.18.2", type: "add" }],
+      disallowedChanges: [],
+      isAllowed: true,
+    }));
+
+    const packages = [{ name: "express", version: "4.18.2" }];
+    const result = await scanner.scan({ packages });
+
+    assert.deepEqual(result, []);
+    assert.strictEqual(mockAuditChanges.mock.callCount(), 1);
+    assert.deepEqual(mockAuditChanges.mock.calls[0].arguments[0], [
+      { name: "express", version: "4.18.2", type: "add" },
+    ]);
+  });
+
+  it("should return fatal advisory for malware packages", async () => {
+    mockAuditChanges.mock.mockImplementation(() => ({
+      allowedChanges: [],
+      disallowedChanges: [
+        {
+          name: "malicious-pkg",
+          version: "1.0.0",
+          type: "add",
+          reason: "MALWARE",
+        },
+      ],
+      isAllowed: false,
+    }));
+
+    const packages = [{ name: "malicious-pkg", version: "1.0.0" }];
+    const result = await scanner.scan({ packages });
+
+    assert.strictEqual(result.length, 1);
+    assert.deepEqual(result[0], {
+      level: "fatal",
+      package: "malicious-pkg",
+      url: null,
+      description: "Package malicious-pkg@1.0.0 contains known security threats (MALWARE). Installation blocked by Safe-Chain.",
+    });
+  });
+
+  it("should handle multiple packages with mixed results", async () => {
+    mockAuditChanges.mock.mockImplementation(() => ({
+      allowedChanges: [{ name: "express", version: "4.18.2", type: "add" }],
+      disallowedChanges: [
+        {
+          name: "malicious-pkg",
+          version: "1.0.0",
+          type: "add",
+          reason: "MALWARE",
+        },
+        {
+          name: "another-bad-pkg",
+          version: "2.1.0",
+          type: "add",
+          reason: "MALWARE",
+        },
+      ],
+      isAllowed: false,
+    }));
+
+    const packages = [
+      { name: "express", version: "4.18.2" },
+      { name: "malicious-pkg", version: "1.0.0" },
+      { name: "another-bad-pkg", version: "2.1.0" },
+    ];
+    const result = await scanner.scan({ packages });
+
+    assert.strictEqual(result.length, 2);
+    assert.strictEqual(result[0].package, "malicious-pkg");
+    assert.strictEqual(result[0].level, "fatal");
+    assert.strictEqual(result[1].package, "another-bad-pkg");
+    assert.strictEqual(result[1].level, "fatal");
+  });
+
+  it("should handle empty package list", async () => {
+    mockAuditChanges.mock.mockImplementation(() => ({
+      allowedChanges: [],
+      disallowedChanges: [],
+      isAllowed: true,
+    }));
+
+    const result = await scanner.scan({ packages: [] });
+
+    assert.deepEqual(result, []);
+    assert.deepEqual(
+      mockAuditChanges.mock.calls[mockAuditChanges.mock.callCount() - 1]
+        .arguments[0],
+      []
+    );
+  });
+
+  it("should convert Bun package format to safe-chain format correctly", async () => {
+    mockAuditChanges.mock.mockImplementation(() => ({
+      allowedChanges: [],
+      disallowedChanges: [],
+      isAllowed: true,
+    }));
+
+    const bunPackages = [
+      { name: "lodash", version: "4.17.21" },
+      { name: "@types/node", version: "20.0.0" },
+    ];
+
+    await scanner.scan({ packages: bunPackages });
+
+    const expectedChanges = [
+      { name: "lodash", version: "4.17.21", type: "add" },
+      { name: "@types/node", version: "20.0.0", type: "add" },
+    ];
+
+    assert.deepEqual(
+      mockAuditChanges.mock.calls[mockAuditChanges.mock.callCount() - 1]
+        .arguments[0],
+      expectedChanges
+    );
+  });
+});
--- a/packages/safe-chain/package.json
+++ b/packages/safe-chain/package.json
@ -15,6 +15,14 @@
    "safe-chain": "bin/safe-chain.js"
  },
  "type": "module",
+  "exports": {
+    ".": {
+      "default": "./src/main.js"
+    },
+    "./scanning": {
+      "default": "./src/scanning/audit/index.js"
+    }
+  },
  "keywords": [],
  "author": "Aikido Security",
  "license": "AGPL-3.0-or-later",