// npm 패키지
@stelnyx/secgate
Tiny security gate for CI/CD — orchestrates Semgrep, Gitleaks, osv-scanner, Trivy, and npm audit with a premium HTML report.
버전
4
메인테이너
1
라이선스
MIT
최초 publish
2026-05-19
publisher
doceno
tarball
124,379 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-19
// publisher 캠페인 by doceno
이 계정에서 catch된 패키지 3건 — 고립된 catch가 아닙니다. 동일 publisher가 2개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태입니다. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code · @0.2.13 · 3 files flagged
llm: benign · 0.85→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
- @0.2.13··AUTO-PUBLISHED·publisher: docenoheuristic 65/100static flags 5llm benign (0.85) via ollamanew-publisher:1dknown-actor-target:teampcp:telnyxpublisher-multi-name-burst:2invokes-secret-scannerpublic-github-pushreads-env-varspy-pip-install-runtimechild-process-spawn
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
// offending code · 3 files flagged · patterns: 5
--- package/.secgate.config.example.json (excerpt) --- { "_comment": "SecGate config — drop into the root of any repo as .secgate.config.json. All fields optional; defaults shown below.", "failOn": ["critical", "high"], "_failOn": "Severities that cause exit 1. Lowercase. Common: ['critical','high'] (default), ['critical','high','medium'] (stricter), or ['critical'] (only block on the worst).", "profile": "curated", "_profile": "Confidence profile applied during HTML report rendering. 'curated' (default) demotes known-noisy rules (HTML SRI on inline scripts, base-image OS CVEs at LOW/MEDIUM, CVEs >5 years old, UNKNOWN severity) to an Informational details block. 'strict' shows everything inline. Findings are never dropped — only re-classified.", "scanners": { "semgrep": true, "gitleaks": true, "npm": true, "osv": true, "trivy": true }, "_scanners": "Toggle individual scanners. Useful for muting npm audit on Yarn/pnpm-only repos, or muting Semgrep when you have a separate SAST.", "ignore": [ "trivy-image:node:20-slim:CVE-2011-3374" ], "_ignore": "Drop findings entirely. Match against the finding signature (exact or glob, e.g. 'trivy-image:*:CVE-2011-*'). Prefer 'profile: curated' or '# secgate:ignore' inline comments over this — ignore is a sledgehammer.", "severityOverrides": [ { "rule": "html.security.audit.missing-integrity", "severity": "low" } ], "_severityOverrides": "Re-classify findings by signature pattern. 
Use sparingly — better to address the roo --- package/package.json (excerpt) --- { "name": "@stelnyx/secgate", "version": "0.2.13", "description": "Tiny security gate for CI/CD — orchestrates Semgrep, Gitleaks, osv-scanner, Trivy, and npm audit with a premium HTML report.", "type": "module", "bin": { "secgate": "secgate.js" }, "main": "secgate.js", "engines": { "node": ">=18" }, "files": [ "secgate.js", "lib/", "README.md", "LICENSE", "SECURITY.md", ".secgate.config.example.json" ], "keywords": [ "security", "sast", "secrets", "sca", "iac", "ci", "cd", "gate", "semgrep", "gitleaks", "trivy", "osv-scanner", "npm-audit", "devsecops" ], "author": "Stelnyx", "license": "MIT", "repository": { "type": "git", "url": "git+https://github.com/Stelnyx/SecGate.git" }, "bugs": { "url": "https://github.com/Stelnyx/SecGate/issues" }, "homepage": "https://github.com/Stelnyx/SecGate#readme", "publishConfig": { "access": "public", "provenance": true }, "scripts": { "test": "node test/engine.mjs && node test/score.mjs && SECGATE_INTERNAL_TEST=1 node test/smoke.mjs && node test/schema.mjs && node test/sarif.mjs && node test/trivy-image.mjs && node test/no-lockfile.mjs && node test/config.mjs && node test/baseline.mjs && node test/suppression.mjs && node test/confidence.mjs && node test/timeout.mjs && node test/determinism.mjs && node test/golden-secgate.mjs", "test:smoke": "SECGATE_INTERNAL_TEST=1 node test/smoke.mj --- package/secgate.js (excerpt) --- #!/usr/bin/env node import fs from "fs"; import path from "path"; import { fileURLToPath } from "url"; import { loadConfig } from "./lib/config.mjs"; import { makeFindingProcessor } from "./lib/scanners.mjs"; import { runGitleaks, runSemgrep, runOsvScanner, runTrivy, runTrivyImage, runNpmAudit } from "./lib/scanners.mjs"; import { loadBaseline, writeBaseline, applyBaseline } from "./lib/baseline.mjs"; import { analyze, remediate } from "./lib/intelligence.mjs"; import { TOOLS, summarize, resolveStatus, applyPathStripping, renderHtml, 
buildSarif } from "./lib/report.mjs"; import { SCORE_VERSION, computeScore, computeToolScores } from "./lib/score.mjs"; const __dirname = path.dirname(fileURLToPath(import.meta.url)); const pkg = JSON.parse( fs.readFileSync(path.join(__dirname, "package.json"), "utf-8") ); /* ──────────────────────────────────────────────────────────────────────────── CLI FLAGS ──────────────────────────────────────────────────────────────────────────── */ const argv = process.argv.slice(2); if (argv.includes("--version") || argv.includes("-v")) { console.log(pkg.version); process.exit(0); } if (argv.includes("--help") || argv.includes("-h")) { console.log(` ╔═══════╗ █████ █████ █████ █████ █████ █████ █████ ║ ╔═══╗ ║ █ █ █ █ █ █ █ █ ║ ║ ⊙ ║ ║ █████ ████ █ █ ███ █████ █ ████ ║ ╚═══╝ ║ █ █ █ █ █ █ █ █ █ ╠═══════╣ █████ █████ █████ ██
