feat: add rule to catch npx usage in JS/TS/YAML

Author: NicholasEllul

packages/semgrep-action/rules/src/generic/npx-usage/npx-usage-js.yml

@@ -0,0 +1,43 @@
+rules:
+  - id: npx-usage-js
+    languages:
+      - javascript
+      - typescript
+    severity: WARNING
+    metadata:
+      tags: [security]
+      shortDescription: "npx usage introduces supply chain security risks"
+      confidence: HIGH
+      help: |
+        Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
+
+        1. **Unpinned by default**: Running `npx <package>` fetches the latest release outside of your lockfile. If a malicious version of a package is published ([example])(https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack), `npx` will install and execute it the next time it is run.
+
+        2. **Bypasses lockfile guarantees**: Packages executed with npx are not added to your project's package.json or lockfile. As a result, their versions and lockfile integrity hashes are not captured for reproducibility, making builds non-deterministic and harder to audit
+
+        ### Recommended practice
+        - Add packages as dependencies or devDependencies in `package.json`.
+        - Use your package manager to install and execute them (e.g., `yarn add <package> [--dev]` followed by `yarn <package> <command>`).
+
+        **Bad example (using npx):**
+        ```javascript
+        const cmd = `npx jest --coverage`;
+        execSync(cmd);
+        ```
+
+        **Good example (proper dependency):**
+        ```javascript
+        // Add jest as a dependency /devDependency in package.json
+        const cmd = `yarn jest --coverage`;
+        execSync(cmd);
+        ```
+
+    message: >-
+      Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package
+      as a dependency / devDependency and invoke it using your package manager to ensure version pinning
+      and reproducibility.
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-regex:
+          metavariable: $STRING
+          regex: '.*\bnpx\s'

packages/semgrep-action/rules/src/generic/npx-usage/npx-usage-json.yml

@@ -5,7 +5,7 @@ rules:
     severity: WARNING
     metadata:
       tags: [security]
-      shortDescription: 'npx usage introduces supply chain security risks'
+      shortDescription: "npx usage introduces supply chain security risks"
       confidence: HIGH
       help: |
         Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
@@ -17,7 +17,7 @@ rules:
         ### Recommended practice
         - Add packages as dependencies or devDependencies in `package.json`.  
         - Use your package manager to install and execute them (e.g., `yarn add <package> --dev` followed by `yarn <package> <command>`).
-
+        
         **Bad example (using npx):**
         ```json
         {
@@ -26,7 +26,7 @@ rules:
           }
         }
         ```
-
+        
         **Good example (proper dependency):**
         ```json
         {
@@ -38,9 +38,9 @@ rules:
           }
         }
         ```
-
+        
     message: >-
       Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package 
       as a dependency / devDependency and invoke it using your package manager to ensure version pinning 
       and reproducibility.
-    pattern-regex: '"[^"]*":\s*"(\s*npx\s|npx\s)[^"]*"'
+    pattern-regex: '"[^"]*":\s*"(\s*npx\s|npx\s)[^"]*"'

packages/semgrep-action/rules/src/generic/npx-usage/npx-usage-shell.yml

@@ -6,7 +6,7 @@ rules:
     severity: WARNING
     metadata:
       tags: [security]
-      shortDescription: 'npx usage introduces supply chain security risks'
+      shortDescription: "npx usage introduces supply chain security risks"
       confidence: HIGH
       help: |
         Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
@@ -18,8 +18,8 @@ rules:
 
         ### Recommended practice
         - Add packages as dependencies or devDependencies in `package.json`.  
-        - Use your package manager to install and execute them (e.g., `yarn add <package> --dev` followed by `yarn <package> <command>`).
-
+        - Use your package manager to install and execute them (e.g., `yarn add <package> --dev` followed by `yarn <package> <command>`).  
+        
     message: >-
       Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package 
       as a dependency / devDependency and invoke it using your package manager to ensure version pinning 

packages/semgrep-action/rules/src/generic/npx-usage/npx-usage-yml.yml

@@ -0,0 +1,43 @@
+rules:
+  - id: npx-usage-yml
+    languages:
+      - yaml
+    severity: WARNING
+    metadata:
+      tags: [security]
+      shortDescription: "npx usage introduces supply chain security risks"
+      confidence: HIGH
+      help: |
+        Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
+
+        1. **Unpinned by default**: Running `npx <package>` fetches the latest release outside of your lockfile. If a malicious version of a package is published ([example])(https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack), `npx` will install and execute it the next time it is run.
+
+        2. **Bypasses lockfile guarantees**: Packages executed with npx are not added to your project's package.json or lockfile. As a result, their versions and lockfile integrity hashes are not captured for reproducibility, making builds non-deterministic and harder to audit
+
+        ### Recommended practice
+        - Add packages as dependencies or devDependencies in `package.json`.
+        - Use your package manager to install and execute them (e.g., `yarn add <package> --dev` followed by `yarn <package> <command>`).
+
+        **Bad example (using npx):**
+        ```yaml
+        - name: Run tests
+          run: npx jest --coverage
+        ```
+
+        **Good example (proper dependency):**
+        ```yaml
+        - name: Run tests
+          run: yarn jest --coverage
+        ```
+
+    message: >-
+      Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package
+      as a dependency / devDependency and invoke it using your package manager to ensure version pinning
+      and reproducibility.
+    patterns:
+      - pattern: |
+          run: $CMD
+      - metavariable-pattern:
+          metavariable: $CMD
+          language: sh
+          pattern: npx ...

packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-js.test.js

@@ -0,0 +1,108 @@
+const { execSync, exec, spawn, spawnSync } = require('child_process');
+
+// Test cases that should be flagged
+
+// Template literal with interpolation (like coverage-analysis.js:234)
+function runTests() {
+  const testArgs = 'test/*.js';
+  // ruleid: npx-usage-js
+  const cmd = `npx jest ${testArgs} --coverage --coverageReporters=lcov`;
+  execSync(cmd);
+}
+
+// Template literal passed directly to exec
+function lintCode() {
+  // ruleid: npx-usage-js
+  execSync(`npx eslint src/`);
+}
+
+// String literal in error message (like global.setup.ts:72)
+// Now caught with regex - flags npx usage anywhere in strings including docs/examples
+function throwError() {
+  throw new Error(
+    // ruleid: npx-usage-js
+    'Please specify a project name with --project flag. Example: npx playwright test --project dummy-test-local'
+  );
+}
+
+// String literal with scoped package
+function formatCode() {
+  // ruleid: npx-usage-js
+  const command = "npx @typescript-eslint/parser --version";
+  exec(command);
+}
+
+// Template literal with output redirection
+function generateFingerprint() {
+  // ruleid: npx-usage-js
+  exec(`npx @expo/fingerprint ./ > fingerprint.json`);
+}
+
+// Template literal with flags
+function setupTool() {
+  // ruleid: npx-usage-js
+  const setupCmd = `npx --yes create-react-app my-app`;
+  execSync(setupCmd);
+}
+
+// Template literal with environment variables
+function runWithEnv() {
+  const workspace = process.env.GITHUB_WORKSPACE;
+  // ruleid: npx-usage-js
+  spawn(`npx jest ${workspace} --coverage`);
+}
+
+// Template literal in command chain
+function buildAndTest() {
+  // ruleid: npx-usage-js
+  execSync(`yarn build && npx jest --coverage`);
+}
+
+// String literal assigned to variable
+function assignCommand() {
+  // ruleid: npx-usage-js
+  let cmd = "npx prettier --write .";
+  return cmd;
+}
+
+// Test cases that should NOT be flagged
+
+// Using yarn instead
+function goodYarnUsage() {
+  // ok: npx-usage-js
+  execSync(`yarn jest --coverage`);
+}
+
+// Using npm scripts
+function goodNpmUsage() {
+  // ok: npx-usage-js
+  execSync('npm run test');
+}
+
+// Using yarn dlx
+function goodYarnDlx() {
+  // ok: npx-usage-js
+  const cmd = `yarn dlx create-react-app my-app`;
+  execSync(cmd);
+}
+
+// Direct node execution
+function goodNodeUsage() {
+  // ok: npx-usage-js
+  exec('node scripts/build.js');
+}
+
+// Comment mentioning npx - should be ignored automatically
+// This comment talks about npx but isn't code execution
+function withComment() {
+  // ok: npx-usage-js
+  execSync('yarn test');
+}
+
+// Variable name contains "npx" but not executing it
+function variableName() {
+  // ok: npx-usage-js
+  const shouldUseNpx = false;
+  const npxWarning = "Dont use npx!";
+  console.log(npxWarning);
+}

packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-js.test.ts

@@ -0,0 +1,65 @@
+import { execSync, exec, spawn } from 'child_process';
+
+// Test cases that should be flagged in TypeScript
+
+// Template literal with type annotation (like global.setup.ts scenario)
+function runPlaywrightTests(): void {
+  const project: string = 'test-project';
+  // ruleid: npx-usage-js
+  const command: string = `npx playwright test --project ${project}`;
+  execSync(command);
+}
+
+// Error message with npx example
+function throwConfigError(): never {
+  throw new Error(
+    // ruleid: npx-usage-js
+    'Please specify a project name with --project flag. Example: npx playwright test --project dummy-test-local'
+  );
+}
+
+// Arrow function with template literal
+const buildApp = (): void => {
+  // ruleid: npx-usage-js
+  execSync(`npx tsc --build`);
+};
+
+// Async function
+async function deployApp(): Promise<void> {
+  // ruleid: npx-usage-js
+  await exec(`npx vercel deploy`);
+}
+
+// String literal with type assertion
+function formatFiles(): void {
+  // ruleid: npx-usage-js
+  const cmd = "npx prettier --write ." as const;
+  execSync(cmd);
+}
+
+// Template literal in class method
+class TestRunner {
+  runTests(): void {
+    const coverage: boolean = true;
+    // ruleid: npx-usage-js
+    execSync(`npx jest ${coverage ? '--coverage' : ''}`);
+  }
+}
+
+// Good examples that should NOT be flagged
+
+function useYarnProperly(): void {
+  // ok: npx-usage-js
+  execSync('yarn test --coverage');
+}
+
+function useNpmScript(): void {
+  // ok: npx-usage-js
+  exec('npm run build');
+}
+
+function useYarnDlx(): void {
+  // ok: npx-usage-js
+  const cmd: string = `yarn dlx create-next-app my-app`;
+  execSync(cmd);
+}