feat: implement multi-layered supply chain attack defense (#617)

kamiazya · claude · web-flow · commit eabb9955a23f · 2025-12-06T17:34:53.000+09:00
* feat: implement multi-layered supply chain attack defense Implement comprehensive protection against npm supply chain attacks (such as Shai-Hulud 2.0) using a three-layer defense strategy. Layer 1: New Package Release Delay - Add minimumReleaseAge (48 hours) to pnpm-workspace.yaml - Blocks installation of recently published packages - Provides time buffer for community to detect malicious updates Layer 2: Install Script Prevention - Configure ignore-scripts=true in .npmrc - Prevents execution of preinstall/postinstall scripts - Includes whitelist support via onlyBuiltDependencies (currently unused) Layer 3: Continuous Vulnerability Scanning - Add OSV-Scanner workflow for dependency scanning - Integrate security scan into CI/CD pipeline - Fail builds on detected vulnerabilities Documentation: - Add comprehensive supply chain protection section to SECURITY.md - Document configuration, trade-offs, and compromise detection - Include references to defense resources 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: pin OSV-Scanner action to specific commit SHA Pin google/osv-scanner-action to v2.3.0 (b77c075) instead of using floating ref @main for improved security and reproducibility. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: correct pnpm whitelist configuration key Change onlyBuiltDependencies to only-built-dependencies (kebab-case) to match pnpm's actual configuration format. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: correct typo in malicious repo search example Change "Sha1-Hulud" to "Shai-Hulud" to match the actual attack name. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: add inline comment clarifying minimumReleaseAge unit 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: add changeset for supply chain defense 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.changeset/supply-chain-defense.md b/.changeset/supply-chain-defense.md
@@ -0,0 +1,15 @@
+---
+"web-csv-toolbox": patch
+---
+
+## Supply Chain Attack Defense
+
+Added multi-layered protection against npm supply chain attacks (such as Shai-Hulud 2.0).
+
+### Defense Layers
+
+1. **New Package Release Delay**: Blocks packages published within 48 hours via `minimumReleaseAge` setting
+2. **Install Script Prevention**: Disables preinstall/postinstall scripts via `ignore-scripts=true`
+3. **Continuous Vulnerability Scanning**: Integrates OSV-Scanner into CI/CD pipeline
+
+These changes only affect the development environment and CI/CD configuration. No changes to library code.
diff --git a/.github/workflows/.security-scan.yaml b/.github/workflows/.security-scan.yaml
@@ -0,0 +1,43 @@
+name: Security Scan
+
+on:
+  workflow_call:
+
+jobs:
+  osv-scanner:
+    name: Scan dependencies for vulnerabilities
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Run OSV-Scanner
+        uses: google/osv-scanner-action/osv-scanner-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0
+        with:
+          scan-args: |-
+            --lockfile=pnpm-lock.yaml
+            --format=json
+            --output=osv-results.json
+        continue-on-error: true
+
+      - name: Upload OSV-Scanner results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: osv-results.json
+        continue-on-error: true
+
+      - name: Check for vulnerabilities
+        run: |
+          if [ -f osv-results.json ]; then
+            echo "OSV-Scanner results:"
+            cat osv-results.json
+            # Fail the job if vulnerabilities are found
+            if grep -q '"vulns"' osv-results.json; then
+              echo "⚠️ Vulnerabilities detected in dependencies"
+              exit 1
+            fi
+          fi
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -13,6 +13,13 @@ permissions: read-all
 
 jobs:
 
+  security_scan:
+    name: Security Scan
+    uses: ./.github/workflows/.security-scan.yaml
+    permissions:
+      contents: read
+      security-events: write
+
   static_tests:
     name: Static Tests
     uses: ./.github/workflows/.static-tests.yaml
@@ -26,6 +33,7 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     needs:
+      - security_scan
       - static_tests
 
   dynamic_tests:
@@ -62,6 +70,7 @@ jobs:
       id-token: write
       pages: write
     needs:
+      - security_scan
       - static_tests
       - build
       - dynamic_tests
diff --git a/.npmrc b/.npmrc
@@ -1 +1,11 @@
 ignore-workspace-root-check=true
+
+# Prevent execution of install scripts to mitigate malicious code execution
+# This blocks preinstall/postinstall scripts from all packages
+ignore-scripts=true
+
+# Whitelist specific packages that require build scripts
+# Add packages here that legitimately need to run scripts (e.g., native modules)
+# Currently this project builds WASM from source, which doesn't require npm scripts
+# If you need to allow scripts for specific packages, use:
+# only-built-dependencies[]=package-name
diff --git a/SECURITY.md b/SECURITY.md
@@ -24,6 +24,78 @@ If you discover a security vulnerability in web-csv-toolbox, please report it pr
 
 We provide security updates for the latest minor version only.
 
+## Supply Chain Attack Protection
+
+This project implements a multi-layered defense approach to protect against npm supply chain attacks (such as Shai-Hulud 2.0 and similar threats).
+
+### Defense Layers
+
+#### Layer 1: New Package Release Delay
+
+**Configuration:** `pnpm-workspace.yaml`
+
+```yaml
+minimumReleaseAge: 2880  # 48 hours
+```
+
+Blocks installation of packages published within 48 hours. This time buffer allows the community to detect and report malicious package updates before they reach our dependencies.
+
+**Trade-offs:**
+- ✅ Prevents zero-day supply chain attacks
+- ⚠️ Delays access to legitimate bug fixes and security patches
+
+**When to adjust:** If you need to install a newly published package immediately, temporarily comment out this setting, then re-enable it after installation.
+
+#### Layer 2: Install Script Prevention
+
+**Configuration:** `.npmrc`
+
+```
+ignore-scripts=true
+```
+
+Prevents execution of `preinstall`, `postinstall`, and `install` scripts from all packages. Even if a compromised package is installed, its malicious code cannot execute during installation.
+
+**Whitelist for native modules (if needed):**
+```
+only-built-dependencies[]=package-name
+```
+
+**Current status:** This project requires no install scripts. WASM builds use `wasm-pack` which runs manually via `pnpm build:wasm`.
+
+#### Layer 3: Continuous Vulnerability Scanning
+
+**Configuration:** `.github/workflows/.security-scan.yaml`
+
+Uses Google's OSV-Scanner to continuously scan dependencies for known vulnerabilities, aggregating data from multiple sources (GitHub Advisory Database, NVD, etc.).
+
+The CI pipeline fails if vulnerabilities are detected, preventing vulnerable code from being merged or deployed.
+
+### Checking for Compromise
+
+If you suspect your local environment may be compromised by supply chain attacks, check for these indicators:
+
+**1. Search for malicious GitHub repositories:**
+```bash
+gh search repos "Shai-Hulud: The Second Coming"
+```
+
+**2. Check for malicious workflow files:**
+```bash
+find . -name "discussion.yaml" -path "*/.github/workflows/*"
+```
+
+**3. Search for known payload files:**
+```bash
+find . -name "setup_bun.js" -o -name "bun_environment.js" -o -name "cloud.json"
+```
+
+### Additional Resources
+
+- [npm Supply Chain Attack Defense Guide](https://zenn.dev/hand_dot/articles/04542a91bc432e) (Japanese)
+- [OSV-Scanner Documentation](https://google.github.io/osv-scanner/)
+- [pnpm Security Features](https://pnpm.io/feature-comparison#security-features)
+
 ## Secure Usage Guidelines
 
 ⚠️ **Critical for Production Applications**
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -4,6 +4,10 @@ packages:
   - examples/*
   - '!examples/deno'
 
+# Supply chain attack mitigation: Block packages published within 48 hours
+# This provides a time buffer to detect malicious package updates before they are installed
+minimumReleaseAge: 2880 # 48 hours in minutes
+
 catalogs:
   default:
     # Build Tools
