
supplyscan

Scans JavaScript lockfiles for supply-chain compromises and known vulnerabilities. A single Go binary that runs as both a CLI and an MCP server.

Technologies Used

Go, MCP

About the Project

supplyscan reads JavaScript lockfiles and flags packages that match a known supply-chain compromise or carry a known vulnerability. It aggregates indicators of compromise (IOCs) from DataDog, the GitHub Advisory Database, and OSV.dev, and checks for known CVEs through the npm audit API; matching is on the exact name and version resolved in the lockfile, so a clean release of a package that had one poisoned version is not a hit. CLI and MCP modes live in one binary, switchable with a flag, so the same scanner runs in a terminal or behind an AI agent. It is written in Go and shipped as a static binary with no npm dependencies, so a compromised package in the project under test cannot run install scripts inside the scanner or tamper with the scanner's own dependency tree; the scanner's trust boundary is the Go toolchain it was built with and the IOC feeds it fetches.

Key Features

  • Supply-chain detection by aggregating IOCs from DataDog (Shai-Hulud v2 and TeamPCP), the GitHub Advisory Database, and OSV.dev
  • Vulnerability scanning through the npm audit API for known CVEs
  • Multi-format lockfile support across npm, Yarn (classic & berry), pnpm, Bun, and Deno
  • CLI and MCP modes in a single binary, switchable with a flag
  • JSON output for scripting and CI use
  • Per-source caching with a configurable TTL so each IOC source refreshes on its own schedule
  • Shipped as a static Go binary with no npm dependencies, so the packages it scans cannot execute inside it or alter its own dependency tree
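
As an added illustration of the lockfile-to-IOC matching described above (example code written for this page, not supplyscan's own source): a Go program that parses the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), skips the root project and workspace links, and checks each resolved name@version against per-source IOC lists, reporting which source flagged it. The lockfile, package names, versions and source names are all constructed for the example; none are real indicators.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Subset of npm's package-lock.json (lockfileVersion 2 and 3): "packages" maps an
// install path ("" for the root project, "node_modules/foo", or
// "node_modules/foo/node_modules/bar" for a nested copy) to its resolved entry.
type packageLock struct {
	LockfileVersion int                  `json:"lockfileVersion"`
	Packages        map[string]lockEntry `json:"packages"`
}

type lockEntry struct {
	Version string `json:"version"`
	Link    bool   `json:"link"` // true for workspace symlinks, which have no registry version
}

// Dependency is one resolved registry package from a lockfile.
type Dependency struct {
	Name, Version, Path string
}

// ParsePackageLock extracts every installed registry package from a v2/v3 lockfile.
// Nested copies are kept separately: each is a distinct install with its own version.
func ParsePackageLock(data []byte) ([]Dependency, error) {
	var lock packageLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	if lock.LockfileVersion < 2 {
		return nil, fmt.Errorf("lockfileVersion %d has no \"packages\" map", lock.LockfileVersion)
	}
	var deps []Dependency
	for path, e := range lock.Packages {
		// The name is whatever follows the last "node_modules/"; scoped names
		// ("@scope/name") survive because the scope is part of the path.
		i := strings.LastIndex(path, "node_modules/")
		if path == "" || i < 0 || e.Link {
			continue // root project or workspace link, not a registry package
		}
		deps = append(deps, Dependency{Name: path[i+len("node_modules/"):], Version: e.Version, Path: path})
	}
	sort.Slice(deps, func(a, b int) bool { return deps[a].Path < deps[b].Path })
	return deps, nil
}

// IOCSet maps a package name to the versions one source has flagged.
// The version "*" flags every version of that package.
type IOCSet map[string]map[string]bool

func (s IOCSet) Add(name, version string) {
	if s[name] == nil {
		s[name] = map[string]bool{}
	}
	s[name][version] = true
}

// Finding is a dependency that matched an indicator, with the source that flagged it.
type Finding struct {
	Dependency
	Source string
}

// Match checks every dependency against every source on exact name@version
// (or the "*" wildcard). Sources are visited in sorted order so output is stable.
func Match(deps []Dependency, sources map[string]IOCSet) []Finding {
	names := make([]string, 0, len(sources))
	for n := range sources {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, d := range deps {
		for _, src := range names {
			vs := sources[src][d.Name] // nil map for unknown names; lookups on it are false
			if vs[d.Version] || vs["*"] {
				out = append(out, Finding{Dependency: d, Source: src})
			}
		}
	}
	return out
}

// Constructed sample lockfile: not a real project.
const sampleLock = `{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-widget": {"version": "1.2.3"},
    "node_modules/@example/cli": {"version": "4.0.1"},
    "node_modules/@example/cli/node_modules/example-widget": {"version": "1.2.4"},
    "node_modules/local-lib": {"link": true, "resolved": "packages/local-lib"}
  }
}`

// SampleSources builds constructed per-source IOC lists (hypothetical, not real indicators).
func SampleSources() map[string]IOCSet {
	a, b := IOCSet{}, IOCSet{}
	a.Add("example-widget", "1.2.4") // one poisoned release; 1.2.3 stays clean
	b.Add("@example/cli", "*")       // entire package flagged
	return map[string]IOCSet{"source-a": a, "source-b": b}
}

func main() {
	deps, err := ParsePackageLock([]byte(sampleLock))
	if err != nil {
		panic(err)
	}
	for _, f := range Match(deps, SampleSources()) {
		fmt.Printf("%s@%s at %s flagged by %s\n", f.Name, f.Version, f.Path, f.Source)
	}
}
```

Two findings come out of the sample: the whole-package hit on `@example/cli`, and the nested `example-widget@1.2.4` copy, while the top-level `example-widget@1.2.3` stays clean. Keeping the install path on each finding matters in practice, because a poisoned version is often pulled in transitively and the path is what tells a developer which direct dependency to pin or replace.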