// npm package
@stelnyx/secgate
Tiny security gate for CI/CD — orchestrates Semgrep, Gitleaks, osv-scanner, Trivy, and npm audit with a premium HTML report.
versions
4
maintainers
1
license
MIT
first publish
2026-05-19
publisher
doceno
tarball
124,379 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-19
// publisher campaign by doceno
3 caught packages from this account. This is not an isolated catch. The same publisher has shipped 2 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis. Note that a "flagged" sibling is a heuristic hit, not a confirmed malicious finding; for this package the LLM pass rated the code benign (0.85), so treat the campaign signal as a reason to review the siblings, not as a verdict on this one.
// offending code · @0.2.13 · 3 files flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @0.2.13 · AUTO-PUBLISHED · publisher: doceno · heuristic 65/100 · static flags 5 · llm benign (0.85) via ollama · flags: new-publisher:1d · known-actor-target:teampcp:telnyx · publisher-multi-name-burst:2 · invokes-secret-scanner · public-github-push · reads-env-vars · py-pip-install-runtime · child-process-spawn. Reviewer note: `invokes-secret-scanner`, `child-process-spawn` and `reads-env-vars` are expected behaviour for a tool whose declared purpose is orchestrating Semgrep, Gitleaks, osv-scanner, Trivy and npm audit, so on their own they carry little weight. The signals that warrant a manual look are the targeted-actor match (`telnyx` against the `@stelnyx` scope — a possible look-alike name), `py-pip-install-runtime` (confirm whether any scanner is fetched from the network at run time and whether it is version-pinned — the excerpt does not show this code), and, since package.json sets `publishConfig.provenance: true`, whether the npm provenance attestation actually names github.com/Stelnyx/SecGate as the source repository and workflow.
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code · 3 files flagged · patterns: 5
--- package/.secgate.config.example.json (excerpt) --- { "_comment": "SecGate config — drop into the root of any repo as .secgate.config.json. All fields optional; defaults shown below.", "failOn": ["critical", "high"], "_failOn": "Severities that cause exit 1. Lowercase. Common: ['critical','high'] (default), ['critical','high','medium'] (stricter), or ['critical'] (only block on the worst).", "profile": "curated", "_profile": "Confidence profile applied during HTML report rendering. 'curated' (default) demotes known-noisy rules (HTML SRI on inline scripts, base-image OS CVEs at LOW/MEDIUM, CVEs >5 years old, UNKNOWN severity) to an Informational details block. 'strict' shows everything inline. Findings are never dropped — only re-classified.", "scanners": { "semgrep": true, "gitleaks": true, "npm": true, "osv": true, "trivy": true }, "_scanners": "Toggle individual scanners. Useful for muting npm audit on Yarn/pnpm-only repos, or muting Semgrep when you have a separate SAST.", "ignore": [ "trivy-image:node:20-slim:CVE-2011-3374" ], "_ignore": "Drop findings entirely. Match against the finding signature (exact or glob, e.g. 'trivy-image:*:CVE-2011-*'). Prefer 'profile: curated' or '# secgate:ignore' inline comments over this — ignore is a sledgehammer.", "severityOverrides": [ { "rule": "html.security.audit.missing-integrity", "severity": "low" } ], "_severityOverrides": "Re-classify findings by signature pattern. 
Use sparingly — better to address the roo --- package/package.json (excerpt) --- { "name": "@stelnyx/secgate", "version": "0.2.13", "description": "Tiny security gate for CI/CD — orchestrates Semgrep, Gitleaks, osv-scanner, Trivy, and npm audit with a premium HTML report.", "type": "module", "bin": { "secgate": "secgate.js" }, "main": "secgate.js", "engines": { "node": ">=18" }, "files": [ "secgate.js", "lib/", "README.md", "LICENSE", "SECURITY.md", ".secgate.config.example.json" ], "keywords": [ "security", "sast", "secrets", "sca", "iac", "ci", "cd", "gate", "semgrep", "gitleaks", "trivy", "osv-scanner", "npm-audit", "devsecops" ], "author": "Stelnyx", "license": "MIT", "repository": { "type": "git", "url": "git+https://github.com/Stelnyx/SecGate.git" }, "bugs": { "url": "https://github.com/Stelnyx/SecGate/issues" }, "homepage": "https://github.com/Stelnyx/SecGate#readme", "publishConfig": { "access": "public", "provenance": true }, "scripts": { "test": "node test/engine.mjs && node test/score.mjs && SECGATE_INTERNAL_TEST=1 node test/smoke.mjs && node test/schema.mjs && node test/sarif.mjs && node test/trivy-image.mjs && node test/no-lockfile.mjs && node test/config.mjs && node test/baseline.mjs && node test/suppression.mjs && node test/confidence.mjs && node test/timeout.mjs && node test/determinism.mjs && node test/golden-secgate.mjs", "test:smoke": "SECGATE_INTERNAL_TEST=1 node test/smoke.mj --- package/secgate.js (excerpt) --- #!/usr/bin/env node import fs from "fs"; import path from "path"; import { fileURLToPath } from "url"; import { loadConfig } from "./lib/config.mjs"; import { makeFindingProcessor } from "./lib/scanners.mjs"; import { runGitleaks, runSemgrep, runOsvScanner, runTrivy, runTrivyImage, runNpmAudit } from "./lib/scanners.mjs"; import { loadBaseline, writeBaseline, applyBaseline } from "./lib/baseline.mjs"; import { analyze, remediate } from "./lib/intelligence.mjs"; import { TOOLS, summarize, resolveStatus, applyPathStripping, renderHtml, 
buildSarif } from "./lib/report.mjs"; import { SCORE_VERSION, computeScore, computeToolScores } from "./lib/score.mjs"; const __dirname = path.dirname(fileURLToPath(import.meta.url)); const pkg = JSON.parse( fs.readFileSync(path.join(__dirname, "package.json"), "utf-8") ); /* ──────────────────────────────────────────────────────────────────────────── CLI FLAGS ──────────────────────────────────────────────────────────────────────────── */ const argv = process.argv.slice(2); if (argv.includes("--version") || argv.includes("-v")) { console.log(pkg.version); process.exit(0); } if (argv.includes("--help") || argv.includes("-h")) { console.log(` ╔═══════╗ █████ █████ █████ █████ █████ █████ █████ ║ ╔═══╗ ║ █ █ █ █ █ █ █ █ ║ ║ ⊙ ║ ║ █████ ████ █ █ ███ █████ █ ████ ║ ╚═══╝ ║ █ █ █ █ █ █ █ █ █ ╠═══════╣ █████ █████ █████ ██
