policy-scout v0.3.3 (2026-06-11)
Supply Chain Detection Depth
Multi-layer lifecycle script analysis wired non-fatally into the sandbox flow — JS static analysis, Python AST visitor, dependency confusion detection, transitive npm tree scan, and publish anomaly signals.
- JS analyzer: comment stripping, base64 decode-and-recurse (depth 3), 8 attack-family patterns, minification flag
- Escalation rules: 5 combinators upgrade to critical when dangerous patterns co-fire (e.g. CI-conditional + network_fetch, encoded_payload + eval)
- Python AST visitor: flags dangerous imports, eval/exec/compile, shell calls, network calls, sensitive path writes, credential env var access; text fallback on SyntaxError
- Dependency confusion: internal-keyword signals, unknown private-looking scopes, generic name + private registry configured
- Transitive npm tree walk: npm list --json + intel adapter enrichment, dedup via seen-set
- Publish anomaly checker: new package age, new publisher, low version count — opt-in network call
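As an added illustration of the first two bullets (this is not policy-scout's own code), a minimal Python sketch of the JS lifecycle-script flow: strip comments, match pattern families, decode base64 blobs and recurse to depth 3, then apply an escalation combinator. The family names, regexes, function names and the two sample scripts are assumptions constructed for the example.

```python
import base64
import re

# Pattern families: a constructed subset standing in for the 8 families (names assumed)
PATTERNS = {
    "network_fetch": re.compile(r"\b(?:fetch|https?\.(?:get|request)|curl|wget)\b"),
    "eval": re.compile(r"\beval\b|new Function\b"),
    "ci_conditional": re.compile(r"process\.env\.(?:CI|GITHUB_ACTIONS)\b"),
    "shell_exec": re.compile(r"child_process|execSync"),
}
# Combinators: both families firing upgrades the finding to critical
ESCALATIONS = [("ci_conditional", "network_fetch"), ("encoded_payload", "eval")]
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Naive stripper: also eats '//' inside string literals, an accepted false-negative risk
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def scan(src, depth=0, max_depth=3):
    """Return the set of pattern families fired by src, recursing into
    any base64 blob that decodes to text (bounded by max_depth)."""
    text = COMMENT_RE.sub("", src)
    fired = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if depth < max_depth:
        for blob in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not real base64, or binary content: skip it
            fired.add("encoded_payload")
            fired |= scan(decoded, depth + 1, max_depth)
    return fired


def severity(fired):
    """Escalate to critical only when a combinator pair co-fires."""
    if any(a in fired and b in fired for a, b in ESCALATIONS):
        return "critical"
    return "warning" if fired else "none"


# Constructed samples: a benign postinstall and one hiding a CI-gated eval in base64
BENIGN = 'const fs = require("fs"); fs.writeFileSync("built.txt", "ok");'
HIDDEN = 'if (process.env.CI) { eval("1+1"); }'
SUSPECT = "// postinstall\nconst blob = '%s';" % base64.b64encode(HIDDEN.encode()).decode()

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("suspect", SUSPECT)):
        fired = scan(script)
        print(label, sorted(fired), severity(fired))
```

The outer SUSPECT script matches nothing on its own; only the decoded layer fires eval and ci_conditional, and the encoded_payload + eval combinator lifts it to critical.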