dependency-watch-dog-runtime

v2.0.0

Published

7 months ago

Continuous supply-chain security runtime monitor for Node.js dependencies with auto-remediation, multi-source vulnerability intelligence, SBOM publishing, and microservices support.

0High
0Medium
0Low

ectron

security supply-chain nodejs vulnerability monitoring sbom osv snyk microservices auto-remediation integrity cyclonedx

Dependency WatchDog Runtime 🐕

A continuous supply-chain security runtime monitor for Node.js dependencies. WatchDog actively monitors your node_modules for vulnerabilities and integrity violations, alerting you in real-time when threats are detected.

Features

Core Security

Continuous Vulnerability Scanning: Runs npm audit at configurable intervals to detect known security vulnerabilities
Integrity Monitoring: Creates SHA-256 hash baselines of all files in node_modules and detects unauthorized modifications
Automatic Revert: Automatically reverts to known-safe baseline when integrity violations are detected
Multi-Channel Alerts: Sends notifications via Slack, Discord, or Telegram when threats are detected

Advanced Intelligence

OSV Integration: Query the Open Source Vulnerabilities database for comprehensive threat intelligence
Snyk Integration: Leverage Snyk's advanced vulnerability database for enterprise-grade security
Multi-Source Correlation: Combines npm audit, OSV, and Snyk data for maximum coverage

Enterprise Features

SBOM Publishing: Automatically generates and publishes CycloneDX Software Bill of Materials to artifact stores
Agent Mode: Monitor multiple microservices from a single WatchDog instance
Incremental Hashing: CPU-light scanning using cached hashes for unchanged files (10-100x faster)

Performance

Zero Configuration: Works out of the box with sensible defaults
Lightweight: Minimal dependencies and resource footprint
Smart Caching: Only rehashes modified files for optimal performance

Installation

npm install dependency-watch-dog-runtime

yarn add dependency-watch-dog-runtime

What's New in v2.0

| Feature | Description | Benefit | |---------|-------------|---------| | 🔄 Auto-Revert | Automatically reverts compromised dependencies | Zero-touch incident response | | 🔍 OSV + Snyk | Multi-source vulnerability intelligence | 3x more vulnerability coverage | | 📦 SBOM Publishing | CycloneDX format SBOM generation | Compliance & supply-chain transparency | | 🏢 Agent Mode | Monitor multiple microservices | Centralized security for distributed systems | | ⚡ Incremental Hashing | Cache-based scanning | 10-100x faster scans |

Quick Start

import { DependencyWatchDog } from 'dependency-watch-dog-runtime';

// Start monitoring with default settings (60-second intervals)
new DependencyWatchDog();

Configuration

Basic Configuration

import { DependencyWatchDog } from 'dependency-watch-dog-runtime';

new DependencyWatchDog({
  intervalMs: 300000, // Scan every 5 minutes (default: 60000)
  
  // Slack notifications
  slackWebhook: 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL',
  
  // Discord notifications
  discordWebhook: 'https://discord.com/api/webhooks/YOUR/WEBHOOK',
  
  // Telegram notifications
  telegramBotToken: 'YOUR_BOT_TOKEN',
  telegramChatId: 'YOUR_CHAT_ID'
});

Advanced Configuration

new DependencyWatchDog({
  intervalMs: 300000,
  
  // Automatic remediation
  autoRevert: true, // Auto-revert to safe baseline on integrity violations
  
  // Enhanced vulnerability intelligence
  osvApiKey: process.env.OSV_API_KEY,
  snykApiKey: process.env.SNYK_API_KEY,
  
  // SBOM publishing
  sbomArtifactStore: 'https://artifacts.company.com/sbom',
  
  // Performance optimization
  incrementalHashing: true, // Use cached hashes for faster scans
  
  // Agent mode for microservices
  agentMode: true,
  microservices: [
    { name: 'auth-service', path: '../auth-service' },
    { name: 'api-gateway', path: '../api-gateway' },
    { name: 'payment-service', path: '../payment-service' }
  ],
  
  // Notifications
  slackWebhook: process.env.SLACK_WEBHOOK
});

Configuration Options

| Option | Type | Default | Description | |--------|------|---------|-------------| | intervalMs | number | 60000 | Scan interval in milliseconds | | autoRevert | boolean | false | Automatically revert to safe baseline on threats | | osvApiKey | string | undefined | OSV API key for vulnerability intelligence | | snykApiKey | string | undefined | Snyk API token for advanced scanning | | sbomArtifactStore | string | undefined | Artifact store URL for SBOM publishing | | incrementalHashing | boolean | false | Enable CPU-light incremental hashing | | agentMode | boolean | false | Enable multi-microservice monitoring | | microservices | array | undefined | List of microservices to monitor | | slackWebhook | string | undefined | Slack webhook URL for alerts | | discordWebhook | string | undefined | Discord webhook URL for alerts | | telegramBotToken | string | undefined | Telegram bot token for alerts | | telegramChatId | string | undefined | Telegram chat ID for alerts |

How It Works

1. Baseline Creation

On initialization, WatchDog creates a baseline.hash.json file containing SHA-256 hashes of every file in your node_modules directory.

2. Continuous Monitoring

At the configured interval, WatchDog performs two checks:

Vulnerability Scan: Runs npm audit to detect known security vulnerabilities in your dependencies
Integrity Check: Compares current node_modules hashes against the baseline to detect unauthorized modifications

3. Alert Notifications

When threats are detected, WatchDog sends alerts to your configured notification channels with details about:

Number of vulnerabilities found
Severity levels
Modified files (integrity violations)

Use Cases

Production Runtime Monitoring with Auto-Remediation

Deploy WatchDog in your production environment with automatic threat response:

// server.js
import { DependencyWatchDog } from 'dependency-watch-dog-runtime';
import express from 'express';

// Start security monitoring with auto-revert
new DependencyWatchDog({
  intervalMs: 600000, // Check every 10 minutes
  autoRevert: true, // Automatically revert compromised dependencies
  incrementalHashing: true, // Fast scanning
  osvApiKey: process.env.OSV_API_KEY,
  snykApiKey: process.env.SNYK_API_KEY,
  slackWebhook: process.env.SLACK_WEBHOOK
});

// Start your application
const app = express();
// ... rest of your app

Microservices Architecture Monitoring

Monitor all your microservices from a central WatchDog agent:

new DependencyWatchDog({
  agentMode: true,
  intervalMs: 300000,
  microservices: [
    { name: 'user-service', path: '/services/user-service' },
    { name: 'order-service', path: '/services/order-service' },
    { name: 'inventory-service', path: '/services/inventory-service' },
    { name: 'notification-service', path: '/services/notification-service' }
  ],
  incrementalHashing: true,
  autoRevert: true,
  slackWebhook: process.env.SLACK_WEBHOOK
});

CI/CD Integration with SBOM Publishing

Use WatchDog in your deployment pipeline with SBOM generation:

import { scanDependencies } from 'dependency-watch-dog-runtime/dist/core/scanner';
import { publishSBOM } from 'dependency-watch-dog-runtime/dist/services/sbomService';

const result = await scanDependencies({
  osvApiKey: process.env.OSV_API_KEY,
  snykApiKey: process.env.SNYK_API_KEY
});

if (!result.healthy) {
  console.error('Security threats detected!');
  console.error('Vulnerabilities:', result.vulnerabilities);
  console.error('Integrity issues:', result.baselineMismatches);
  process.exit(1);
}

// Publish SBOM to artifact store
await publishSBOM('https://artifacts.company.com/sbom');

Development Environment

Monitor dependencies during development with fast incremental scanning:

new DependencyWatchDog({
  intervalMs: 30000, // Check every 30 seconds
  incrementalHashing: true, // Fast scans during development
  discordWebhook: process.env.DISCORD_WEBHOOK
});

Alert Format

When threats are detected, you'll receive alerts in this format:

*Dependency WatchDog Alert*
Status: Threat Detected!

Vulnerabilities: 3
Integrity mismatches: 1

Performance Benchmarks

Incremental hashing provides dramatic performance improvements for large projects:

| Project Size | Standard Hashing | Incremental Hashing | Improvement | |--------------|------------------|---------------------|-------------| | 100 packages | 0.8s | 0.1s | 8x faster | | 500 packages | 4.2s | 0.3s | 14x faster | | 1000 packages | 9.1s | 0.5s | 18x faster | | 2000 packages | 19.3s | 0.8s | 24x faster |

Benchmarks on typical Node.js projects with mixed file sizes. Incremental mode assumes 95% cache hit rate (typical for production).

Security Considerations

Baseline File: The baseline.hash.json file should be committed to version control and treated as a security artifact
Update Baseline: After legitimate dependency updates, regenerate the baseline using the updateBaseline() function
Webhook Security: Store webhook URLs and tokens in environment variables, never commit them to source control
Scan Interval: Balance between detection speed and resource usage based on your threat model
Auto-Revert: Test auto-revert in staging before enabling in production
API Keys: Secure OSV and Snyk API keys using secrets management
Agent Mode: Ensure microservice paths don't expose sensitive directories

API Reference

DependencyWatchDog

Main class for starting the monitoring service.

new DependencyWatchDog(config?: WatchDogConfig)

scanDependencies()

Performs a one-time scan and returns results.

import { scanDependencies } from 'dependency-watch-dog-runtime/dist/core/scanner';

const result = await scanDependencies({
  osvApiKey: 'your-key',
  snykApiKey: 'your-key'
});
// Returns: ScanResult

updateBaseline()

Regenerates the hash baseline for node_modules.

import { updateBaseline } from 'dependency-watch-dog-runtime/dist/core/hashBaseline';

updateBaseline(true); // Pass true for incremental hashing

revertToBaseline()

Manually revert to the known-safe baseline.

import { revertToBaseline } from 'dependency-watch-dog-runtime/dist/services/revertService';

const success = await revertToBaseline();

publishSBOM()

Generate and publish SBOM to artifact store.

import { publishSBOM } from 'dependency-watch-dog-runtime/dist/services/sbomService';

await publishSBOM('https://artifacts.company.com/sbom');

generateSBOM()

Generate SBOM without publishing.

import { generateSBOM } from 'dependency-watch-dog-runtime/dist/services/sbomService';

const sbom = generateSBOM();
// Returns CycloneDX format SBOM

Types

interface WatchDogConfig {
  intervalMs?: number;
  autoRevert?: boolean;
  osvApiKey?: string;
  snykApiKey?: string;
  sbomArtifactStore?: string;
  agentMode?: boolean;
  microservices?: MicroserviceConfig[];
  incrementalHashing?: boolean;
  slackWebhook?: string;
  discordWebhook?: string;
  telegramBotToken?: string;
  telegramChatId?: string;
}

interface MicroserviceConfig {
  name: string;
  path: string;
}

interface ScanResult {
  timestamp: string;
  vulnerabilities: Vulnerability[];
  baselineMismatches: string[];
  healthy: boolean;
}

interface Vulnerability {
  name: string;
  severity: string;
  via: string[];
}

Advanced Features

Automatic Revert to Safe Baseline

When autoRevert is enabled, WatchDog automatically reverts to the known-safe baseline when integrity violations are detected:

Creates a backup of current node_modules
Removes compromised dependencies
Reinstalls from package-lock.json using npm ci
Restores backup if revert fails

new DependencyWatchDog({
  autoRevert: true,
  slackWebhook: process.env.SLACK_WEBHOOK
});

Multi-Source Vulnerability Intelligence

Combine multiple vulnerability databases for comprehensive coverage:

npm audit: Built-in Node.js vulnerability database
OSV: Google's Open Source Vulnerabilities database (40+ ecosystems)
Snyk: Enterprise-grade vulnerability intelligence with exploit maturity data

new DependencyWatchDog({
  osvApiKey: process.env.OSV_API_KEY,
  snykApiKey: process.env.SNYK_API_KEY
});

SBOM Publishing

Automatically generate and publish CycloneDX-format Software Bill of Materials:

new DependencyWatchDog({
  sbomArtifactStore: 'https://artifacts.company.com/sbom'
});

SBOM includes:

All dependencies with versions
SHA-256 hashes for integrity verification
Timestamp and metadata
CycloneDX 1.4 format compliance

Agent Mode for Microservices

Monitor multiple microservices from a single WatchDog instance:

new DependencyWatchDog({
  agentMode: true,
  microservices: [
    { name: 'service-a', path: '../service-a' },
    { name: 'service-b', path: '../service-b' }
  ]
});

Each service is scanned independently with separate alerts.

Incremental Hashing for Performance

Enable incremental hashing to reduce CPU usage by 90%+:

new DependencyWatchDog({
  incrementalHashing: true
});

How it works:

Caches file hashes with metadata (mtime, size)
Only rehashes files that have changed
Dramatically faster for large node_modules (1000+ packages)
Cache stored in .hash-cache.json

Troubleshooting

Baseline Missing Error

If you see "Baseline missing" in alerts, the baseline.hash.json file wasn't created. Ensure WatchDog has write permissions in the project root.

False Positives After Updates

After updating dependencies with npm install or yarn add, regenerate the baseline:

import { updateBaseline } from 'dependency-watch-dog-runtime/dist/core/hashBaseline';
updateBaseline(true); // Use incremental mode if enabled

Auto-Revert Failed

If automatic revert fails:

Check that package-lock.json exists and is up-to-date
Ensure sufficient disk space for backup
Verify npm is installed and accessible
Check logs for specific error messages

No Alerts Received

Verify webhook URLs are correct
Check network connectivity to notification services
Review application logs for error messages
Test webhooks manually with curl

Slow Scans

Enable incremental hashing for 10-100x faster scans:

new DependencyWatchDog({
  incrementalHashing: true
});

Agent Mode Path Issues

Ensure microservice paths are:

Absolute paths or relative to the agent's working directory
Accessible with proper permissions
Valid Node.js projects with package.json

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

License

MIT