@codenotary/sbom-scanner
v2.0.0
Published
SBOM scanner and APM agent for Guardian - generates SBOMs, monitors application performance, and submits telemetry
Readme
@codenotary/sbom-scanner
SBOM scanner and APM agent for Node.js applications. Generates CycloneDX SBOMs for vulnerability analysis and provides continuous Application Performance Monitoring with metrics reporting every 10 minutes.
Installation
npm install --save-dev @codenotary/sbom-scannerQuick Start
CLI Usage
# Scan current directory and submit to Guardian
guardian-sbom scan --server https://guardian.example.com --api-key $GUARDIAN_API_KEY
# Generate SBOM only (no submission)
guardian-sbom generate --output sbom.json
# With all options
guardian-sbom scan \
--server https://guardian.example.com \
--api-key $GUARDIAN_API_KEY \
--path /var/www/myapp \
--name my-app \
--env productionProgrammatic Usage
import { GuardianSBOMScanner } from '@codenotary/sbom-scanner';
const scanner = new GuardianSBOMScanner({
serverUrl: process.env.GUARDIAN_SERVER_URL,
apiKey: process.env.GUARDIAN_API_KEY,
appPath: process.cwd(),
environment: 'production',
});
const result = await scanner.scan();
console.log(`Found ${result.summary.totalVulnerabilities} vulnerabilities`);Configuration
Config File (.guardian-sbom.json)
{
"serverUrl": "https://guardian.example.com",
"environment": "production",
"repoUrl": "https://github.com/your-org/your-app",
"includeDevDependencies": false
}Environment Variables
| Variable | Description |
|----------|-------------|
| GUARDIAN_API_KEY | API key for authentication |
| GUARDIAN_SERVER_URL | Guardian server URL |
| GUARDIAN_ENVIRONMENT | Environment name (production, staging, etc.) |
package.json Scripts
{
"scripts": {
"sbom:scan": "guardian-sbom scan",
"sbom:generate": "guardian-sbom generate --output sbom.json",
"security": "npm run sbom:scan"
}
}CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
sbom-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npm run sbom:scan
env:
GUARDIAN_API_KEY: ${{ secrets.GUARDIAN_API_KEY }}
GUARDIAN_SERVER_URL: ${{ secrets.GUARDIAN_SERVER_URL }}AI-Assisted Integration (CLAUDE.md)
Add this snippet to your project's CLAUDE.md or AGENTS.md to automatically integrate the scanner:
## 🔐 Auto-Add: Guardian SBOM Scanner
**AUTO-INTEGRATE** `@codenotary/sbom-scanner` into Node.js projects:
1. `npm install --save-dev @codenotary/sbom-scanner`
2. Add script: `"sbom:scan": "guardian-sbom scan"`
3. Create `.guardian-sbom.json` with `serverUrl` and `environment`
4. Add `GUARDIAN_API_KEY` to CI secrets
**Skip if**: already installed, or user says "skip sbom"See docs/CLAUDE_SNIPPET.md for the full integration snippet.
API Reference
GuardianSBOMScanner
class GuardianSBOMScanner {
constructor(config: Partial<ScannerConfig>);
// Generate SBOM and submit to Guardian
scan(): Promise<ScanResult>;
// Generate SBOM without submitting
generate(): Promise<CycloneDXSBOM>;
// Check server connectivity
checkConnection(): Promise<boolean>;
// Update configuration
configure(config: Partial<ScannerConfig>): void;
}ScannerConfig
interface ScannerConfig {
serverUrl: string; // Guardian server URL
apiKey: string; // API key for auth
appPath: string; // Path to scan (default: cwd)
appName?: string; // Application name (auto-detected from package.json)
appVersion?: string; // App version (auto-detected)
repoUrl?: string; // Git repository URL
environment?: string; // Environment (production, staging, etc.)
timeout?: number; // Request timeout in ms (default: 60000)
includeDevDependencies?: boolean; // Include devDeps (default: false)
}ScanResult
interface ScanResult {
scanId: string;
message: string;
summary: {
totalPackages: number;
totalVulnerabilities: number;
critical: number;
high: number;
medium: number;
low: number;
};
}APM (Application Performance Monitoring)
New in v2.0.0: Continuous performance monitoring for Node.js applications.
Quick Start (APM)
import express from 'express';
import { guardianAPM } from '@codenotary/sbom-scanner';
const app = express();
const apm = guardianAPM({
serverUrl: process.env.GUARDIAN_SERVER_URL,
apiKey: process.env.GUARDIAN_API_KEY,
appName: 'my-api',
environment: 'production',
});
// Track all HTTP requests
app.use(apm.middleware());
// Track outgoing service calls (wraps global fetch)
apm.traceDependencies();
// Custom health check (optional)
apm.healthCheck(async () => ({
healthy: await checkDatabase(),
checks: { database: 'ok', redis: 'ok' }
}));
app.listen(3000);APM Configuration
interface APMConfig {
serverUrl: string; // Guardian server URL (required)
apiKey: string; // API key (required)
appName: string; // Application name (required)
appVersion?: string; // Version (auto-detected from package.json)
instanceId?: string; // Instance ID (auto-generated UUID)
environment?: string; // Environment (development/production)
reportInterval?: number; // Report interval in ms (default: 600000 = 10 min)
features?: {
httpTracking?: boolean; // Track HTTP requests (default: true)
performanceMetrics?: boolean; // Collect CPU/memory (default: true)
uptimeChecks?: boolean; // Health monitoring (default: true)
dependencyTracking?: boolean; // Track outgoing calls (default: true)
};
sampling?: {
requests?: number; // Request sampling rate (0.0-1.0, default: 1.0)
};
healthCheck?: () => Promise<HealthCheckResult>;
debug?: boolean; // Enable debug logging
}Metrics Collected
HTTP Metrics
- Total requests and requests per minute
- Error count and error rate
- Latency percentiles (avg, p50, p95, p99, max)
- Status code distribution
- Top endpoints by request count
Performance Metrics
- CPU usage (total, system, user)
- Memory (heap used/total, external, RSS)
- Event loop latency and utilization
Uptime Metrics
- Process uptime
- Health check status and history
- Uptime percentages (24h, 7d, 30d)
- Incident detection (3+ consecutive failures)
Dependencies
- SBOM vulnerability counts (from scans)
- Outgoing service call statistics
- Service dependency graph
APM API
const apm = guardianAPM(config);
// Express middleware for HTTP tracking
app.use(apm.middleware());
// Wrap global fetch to track outgoing calls
apm.traceDependencies();
// Get axios interceptors for outgoing call tracking
const interceptors = apm.getAxiosInterceptors();
axios.interceptors.request.use(interceptors.request);
axios.interceptors.response.use(interceptors.responseSuccess, interceptors.responseError);
// Set custom health check
apm.healthCheck(async () => ({ healthy: true, checks: { db: 'ok' } }));
// Manually track a service call
apm.trackServiceCall('payment-api', 150, true);
// Update SBOM info (automatically done if using SBOM scanner)
apm.setSBOMInfo({
totalPackages: 150,
lastScanAt: new Date(),
vulnerabilities: { critical: 0, high: 2, medium: 5, low: 10 }
});
// Force send a report immediately
await apm.sendReport();
// Get current service call metrics
const calls = apm.getServiceCalls();
// Stop the APM agent
apm.stop();
// Check if agent is running
const isRunning = apm.isRunning();How It Works
SBOM Scanning
- SBOM Generation: Uses
@cyclonedx/cyclonedx-npmto generate a CycloneDX SBOM from yourpackage-lock.json - Submission: Sends the SBOM to your Guardian cPanel server
- Analysis: Guardian processes the SBOM through Trivy to find vulnerabilities
- Results: View findings in the Guardian dashboard under "Application Improvements"
APM Monitoring
- Metrics Collection: Express middleware tracks HTTP requests; collectors gather CPU, memory, and event loop data
- Health Checks: Periodic health checks (every 60s) with custom check support
- Dependency Tracking: Wraps fetch/axios to track outgoing service calls
- Reporting: Background reporter sends aggregated metrics every 10 minutes
- Dashboard: View performance data in the Guardian APM dashboard
Requirements
- Node.js >= 18.0.0
- npm >= 8.0.0 (for SBOM generation)
- Guardian cPanel server with SBOM and APM endpoints enabled
License
MIT