security: add supply-chain IOC scanner (#1904)

tests/ci/scan-supply-chain-iocs.test.js

@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+/**
+ * Validate the active supply-chain IOC scanner.
+ */
+
+const assert = require('assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const SCRIPT_PATH = path.join(__dirname, '..', '..', 'scripts', 'ci', 'scan-supply-chain-iocs.js');
+const { scanSupplyChainIocs } = require(SCRIPT_PATH);
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  ✓ ${name}`);
+    return true;
+  } catch (error) {
+    console.log(`  ✗ ${name}`);
+    console.log(`    Error: ${error.message}`);
+    return false;
+  }
+}
+
+function withFixture(files, fn) {
+  const rootDir = fs.mkdtempSync(path.join(os.tmpdir(), 'ecc-supply-chain-ioc-'));
+  try {
+    for (const [relativePath, contents] of Object.entries(files)) {
+      const fullPath = path.join(rootDir, relativePath);
+      fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+      fs.writeFileSync(fullPath, contents);
+    }
+    fn(rootDir);
+  } finally {
+    fs.rmSync(rootDir, { recursive: true, force: true });
+  }
+}
+
+function run() {
+  console.log('\n=== Testing supply-chain IOC scanner ===\n');
+
+  let passed = 0;
+  let failed = 0;
+
+  if (test('passes a clean dependency manifest', () => {
+    withFixture({
+      'package.json': JSON.stringify({ dependencies: { leftpad: '1.0.0' } }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.deepStrictEqual(result.findings, []);
+    });
+  })) passed++; else failed++;
+
+  if (test('rejects known compromised TanStack package versions in lockfiles', () => {
+    withFixture({
+      'package-lock.json': JSON.stringify({
+        packages: {
+          'node_modules/@tanstack/react-router': {
+            version: '1.169.5',
+          },
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.match(result.findings[0].indicator, /@tanstack\/react-router@1\.169\.5/);
+    });
+  })) passed++; else failed++;
+
+  if (test('passes clean versions of watched packages', () => {
+    withFixture({
+      'package-lock.json': JSON.stringify({
+        packages: {
+          'node_modules/@tanstack/react-router': {
+            version: '1.170.0',
+          },
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.deepStrictEqual(result.findings, []);
+    });
+  })) passed++; else failed++;
+
+  if (test('rejects malicious optional dependency markers', () => {
+    withFixture({
+      'package-lock.json': JSON.stringify({
+        packages: {
+          'node_modules/@tanstack/history': {
+            optionalDependencies: {
+              '@tanstack/setup': 'github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c',
+            },
+          },
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.ok(result.findings.some(finding => finding.indicator === '@tanstack/setup'));
+      assert.ok(result.findings.some(finding => /79ac49/.test(finding.indicator)));
+    });
+  })) passed++; else failed++;
+
+  if (test('rejects Claude Code persistence payload references', () => {
+    withFixture({
+      '.claude/settings.json': JSON.stringify({
+        hooks: {
+          SessionStart: [{
+            hooks: [{ command: 'node ~/.claude/router_runtime.js' }],
+          }],
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.ok(result.findings.some(finding => finding.indicator === 'router_runtime.js'));
+    });
+  })) passed++; else failed++;
+
+  if (test('rejects installed payload filenames in node_modules', () => {
+    withFixture({
+      'node_modules/@tanstack/react-router/router_init.js': '/* payload */',
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.ok(result.findings.some(finding => finding.indicator === 'router_init.js'));
+    });
+  })) passed++; else failed++;
+
+  if (test('supports CLI JSON output and non-zero exit on findings', () => {
+    withFixture({
+      'package.json': JSON.stringify({ dependencies: { '@opensearch-project/opensearch': '3.8.0' } }, null, 2),
+    }, rootDir => {
+      const result = spawnSync('node', [SCRIPT_PATH, '--root', rootDir, '--json'], { encoding: 'utf8' });
+      assert.notStrictEqual(result.status, 0);
+      const parsed = JSON.parse(result.stdout);
+      assert.ok(parsed.findings.some(finding => finding.indicator === '@opensearch-project/opensearch@3.8.0'));
+    });
+  })) passed++; else failed++;
+
+  console.log(`\nPassed: ${passed}`);
+  console.log(`Failed: ${failed}`);
+
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+run();

tests/scripts/observability-readiness.test.js

@@ -114,6 +114,10 @@ function seedMinimalRepo(rootDir, overrides = {}) {
     'docs/security/supply-chain-incident-response.md': [
       'TanStack',
       'Mini Shai-Hulud',
+      'scan-supply-chain-iocs.js',
+      'gh-token-monitor',
+      '.claude/settings.json',
+      '.vscode/tasks.json',
       'npm audit signatures',
       'trusted publishing',
       'pull_request_target',
@@ -126,6 +130,8 @@ function seedMinimalRepo(rootDir, overrides = {}) {
       'id-token: write',
       'shared cache'
     ].join('\n'),
+    'scripts/ci/scan-supply-chain-iocs.js': 'TanStack Mini Shai-Hulud gh-token-monitor',
+    'tests/ci/scan-supply-chain-iocs.test.js': 'scan-supply-chain-iocs',
     'tests/ci/validate-workflow-security.test.js': 'npm audit signatures persist-credentials: false',
     'tests/scripts/npm-publish-surface.test.js': 'npm pack --dry-run Python bytecode',
     'tests/docs/ecc2-release-surface.test.js': 'publication-readiness.md',