feat: implement npx vril doctor with 20-point security audit and SBOM generation #11
Copilot wants to merge 7 commits into
- Fix package name from 'vril-js' to '@vrillabs/vril-js' in all
README.md install commands and import examples
- Replace non-existent 'vril build --secure' with 'vril build' on
landing page (CLI has no --secure flag)
- Remove aspirational terminal output ('Security audit: 20/20 checks
passed', 'SBOM generated: sbom.cyclonedx.json') that is not
produced by the actual CLI
- Replace with accurate output ('Security headers active')
- Remove non-existent 'npx vril doctor' command from docs page
- Fix 'npm install vril-js' to 'npm install @vrillabs/vril-js' in
docs page
…OM generation

Adds the `doctor` CLI command that:
- Runs a 20-point build-time security audit against the project's vril.config.ts (headers, CSP, Trusted Types, CSRF, SRI, etc.)
- Generates a CycloneDX 1.5 SBOM at sbom.cyclonedx.json from package.json dependencies
- Prints colored pass/fail output for each check

Closes #12
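The audit described in this commit message compares response headers against expected values. The following is an added example (not the project's cli.mjs, and not the vril.config.ts shape, which it does not model) showing value-aware checks for a few of the headers listed: it assumes the audit receives a plain object of header name/value pairs, and the two header sets at the bottom are constructed for illustration.

```javascript
// Added example (not the project's cli.mjs): value-aware security-header
// checks of the kind a `doctor` audit needs. Assumes the audit receives a
// plain object of response headers; the vril.config.ts shape is not modelled.

// HTTP header names are case-insensitive, so normalise before looking up.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers ?? {})) {
    if (key.toLowerCase() === want) return String(value).trim();
  }
  return undefined;
}

// Split a CSP into a Map of lower-cased directive name -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Each check compares the header *value*, not just its presence.
function auditHeaders(headers) {
  const checks = [];

  const xcto = headerValue(headers, 'X-Content-Type-Options');
  checks.push({
    name: 'X-Content-Type-Options: nosniff',
    pass: xcto?.toLowerCase() === 'nosniff',
  });

  const hsts = headerValue(headers, 'Strict-Transport-Security') ?? '';
  const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
  checks.push({ name: 'HSTS max-age >= 1 year', pass: maxAge >= 31536000 });

  const csp = headerValue(headers, 'Content-Security-Policy');
  const directives = csp ? parseCsp(csp) : new Map();
  // script-src falls back to default-src when it is absent
  const scriptSrc = directives.get('script-src') ?? directives.get('default-src') ?? [];
  checks.push({
    name: "CSP script-src without 'unsafe-inline' / 'unsafe-eval'",
    pass: csp !== undefined && !scriptSrc.some((s) => /^'unsafe-(inline|eval)'$/i.test(s)),
  });

  const xfo = headerValue(headers, 'X-Frame-Options')?.toLowerCase();
  checks.push({
    name: 'Clickjacking: CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN',
    pass: directives.has('frame-ancestors') || xfo === 'deny' || xfo === 'sameorigin',
  });

  checks.push({
    name: 'X-Powered-By disabled',
    pass: headerValue(headers, 'X-Powered-By') === undefined,
  });

  return checks;
}

// Constructed sample header sets (not captured from any real deployment).
const WEAK_HEADERS = {
  'x-content-type-options': 'yes',              // present, but not "nosniff"
  'Strict-Transport-Security': 'max-age=300',   // far too short
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Powered-By': 'Express',
};
const STRONG_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'; upgrade-insecure-requests",
};

function passCount(headers) {
  return auditHeaders(headers).filter((c) => c.pass).length;
}

for (const [label, headers] of [['weak', WEAK_HEADERS], ['strong', STRONG_HEADERS]]) {
  console.log(`${label}: ${passCount(headers)}/${auditHeaders(headers).length} checks passed`);
}
```

The point of the weak set is that every header is *present*; a presence-only check would report 4/5 where a value check reports 0/5.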
…-started-docs
Conflicts: src/app/docs/page.tsx
Resolved the merge conflict with latest
Pull request overview
This PR adds a vril doctor CLI command for security auditing and SBOM generation, plus small site/docs alignment for current CLI usage.
Changes:
- Adds a 20-check doctor audit command and CycloneDX SBOM writer.
- Registers doctor in the CLI command dispatcher.
- Updates landing page command examples and ignores generated SBOM output.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/lib/vril/framework/cli.mjs | Implements doctor, audit checks, SBOM generation, and command routing. |
| src/app/page.tsx | Updates social link and CLI output examples. |
| .gitignore | Ignores generated sbom.cyclonedx.json. |
| const components = Object.entries(allDeps).map(([name, version]) => ({ | ||
| type: 'library', | ||
| name, | ||
| version: String(version).replace(/^[\^~>=<]*/g, ''), | ||
| purl: `pkg:npm/${name.startsWith('@') ? name.replaceAll('/', '%2F') : name}@${String(version).replace(/^[\^~>=<]*/g, '')}`, | ||
| scope: pkg.dependencies?.[name] ? 'required' : 'optional', | ||
| })); |
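Review bot: the purl built here encodes the scope separator, so `@scope/name` becomes `pkg:npm/@scope%2Fname@...`, whereas the purl spec's npm form keeps the `/` and percent-encodes the `@` (its example is `pkg:npm/%40angular/animation@12.3.1`); scoped components in this SBOM will therefore not match the identifiers that SCA tools and vulnerability databases key on. The version is also taken from the package.json range with only a leading `^~>=<` stripped, so ranges such as `*`, `1.x`, `>=1 <2` or `workspace:*` are emitted as-is as "versions"; read the resolved version from package-lock.json (`packages['node_modules/<name>'].version`) and omit `version` when no exact version can be determined rather than writing an invalid one. Minor: `String(version).replace(/^[\^~>=<]*/g, '')` is computed twice per component; compute it once.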
| const tsconfigPath = resolve(root, 'tsconfig.json'); | ||
| let tsStrict = false; | ||
| try { | ||
| const tsconfig = JSON.parse(await readFile(tsconfigPath, 'utf8')); |
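Review bot: `JSON.parse` on tsconfig.json will throw on the comments and trailing commas that tsconfig permits, and since `tsStrict` starts as `false` a project with a commented tsconfig is reported as "not strict" with no indication that the file was simply unparseable. `strict` inherited through `extends` (a `@tsconfig/*` base or a generated config) is also invisible to this read. Consider TypeScript's own `ts.readConfigFile` plus `ts.parseJsonConfigFileContent`, which handle both JSONC and `extends`, or at least report "could not parse tsconfig.json" as a distinct outcome.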
| // 2. X-Content-Type-Options | ||
| checks.push({ | ||
| name: 'X-Content-Type-Options: nosniff', | ||
| pass: !!(vrilConfig?.security?.headers?.xContentTypeOptions || securityHeaders['X-Content-Type-Options']), |
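Review bot: this check only tests truthiness, so `X-Content-Type-Options: foo` (or `xContentTypeOptions` set to any non-empty value) passes even though only `nosniff` is meaningful; compare the value, e.g. `String(v).toLowerCase() === 'nosniff'`. The `securityHeaders['X-Content-Type-Options']` lookup is also case-sensitive although HTTP header names are not, so a config that spells the key `x-content-type-options` is reported as missing. The same presence-only pattern presumably applies to the other header checks (HSTS `max-age`, `X-Frame-Options` `DENY`/`SAMEORIGIN`) and is worth fixing across all of them.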
…om-ref and purl encoding

Implements the previously aspirational `npx vril doctor` command as real, functional CLI functionality.

Changes
- `vril.config.ts` audit: validates security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, COOP, COEP, CSP, Permissions-Policy), CSP directives (no unsafe-inline/eval, frame-ancestors, upgrade-insecure-requests), runtime protections (Trusted Types, API membrane, CSRF, SRI), and project hygiene (lockfile, no .env, TS strict, X-Powered-By disabled)
- SBOM: generates `sbom.cyclonedx.json` from `package.json` dependencies with proper purl identifiers and scope classification
- `.gitignore`: added `sbom.cyclonedx.json` as a generated artifact
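The SBOM step above derives components, purls and scopes from `package.json`. The following is an added example (not the project's SBOM writer) of a minimal CycloneDX 1.5 component list that uses the purl spec's canonical encoding for scoped npm packages and takes exact versions from a package-lock.json (lockfile v2/v3 layout, `packages['node_modules/<name>']`) instead of the declared range; the manifest and lockfile at the bottom are constructed sample inputs.

```javascript
// Added example (not the project's SBOM writer): a minimal CycloneDX 1.5
// component list built from package.json, with canonical purl encoding and
// versions resolved from a package-lock.json (v2/v3) when one is present.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Canonical npm purl: the '@' of a scope is encoded as %40 and the '/'
// separator is kept (spec example: pkg:npm/%40angular/animation@12.3.1).
function npmPurl(name, version) {
  const path = name.startsWith('@')
    ? '%40' + name.slice(1).split('/').map(encodeURIComponent).join('/')
    : encodeURIComponent(name);
  return version ? `pkg:npm/${path}@${encodeURIComponent(version)}` : `pkg:npm/${path}`;
}

// Prefer the resolved version from the lockfile. Only fall back to the
// package.json range when stripping a leading ^ or ~ leaves an exact version;
// ranges such as "*", "1.x" or ">=1 <2" yield null rather than a bogus version.
function resolveVersion(name, range, lock) {
  const locked = lock?.packages?.[`node_modules/${name}`]?.version;
  if (locked) return locked;
  const stripped = String(range).replace(/^[\^~]/, '');
  return EXACT_SEMVER.test(stripped) ? stripped : null;
}

function buildSbom(pkg, lock = null) {
  const components = [];
  const unresolved = [];
  // CycloneDX scope: runtime deps are "required"; dev-only deps are "optional".
  const fields = [['dependencies', 'required'], ['devDependencies', 'optional']];
  for (const [field, scope] of fields) {
    for (const [name, range] of Object.entries(pkg[field] ?? {})) {
      const version = resolveVersion(name, range, lock);
      if (version === null) unresolved.push({ name, range });
      const purl = npmPurl(name, version);
      // The purl doubles as the bom-ref so other BOM sections can refer to it.
      const component = { type: 'library', 'bom-ref': purl, name, purl, scope };
      if (version !== null) component.version = version;
      components.push(component);
    }
  }
  const bom = {
    bomFormat: 'CycloneDX',
    specVersion: '1.5',
    version: 1,
    metadata: { component: { type: 'application', name: pkg.name, version: pkg.version } },
    components,
  };
  return { bom, unresolved };
}

// Constructed sample inputs (not a real project's manifest or lockfile).
const SAMPLE_PKG = {
  name: 'demo-app',
  version: '0.1.0',
  dependencies: { '@acme/widgets': '^1.2.0', react: '18.3.1', lodash: '*' },
  devDependencies: { typescript: '~5.4.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@acme/widgets': { version: '1.2.5' },
    'node_modules/react': { version: '18.3.1' },
  },
};

const sample = buildSbom(SAMPLE_PKG, SAMPLE_LOCK);
console.log(JSON.stringify(sample.bom, null, 2));
if (sample.unresolved.length) {
  console.warn('no exact version (missing lockfile entry, inexact range):', sample.unresolved);
}
```

With the sample inputs, `@acme/widgets` is emitted as `pkg:npm/%40acme/widgets@1.2.5` (the lockfile version, not the `^1.2.0` range), `lodash` gets a purl with no version and is listed under `unresolved`, and `typescript` is scoped `optional`.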