Add per-VM whitelist to suppress known-safe findings

2026-04-17 23:07:38 +01:00
parent dc299e4262
commit 101fe444b1
3 changed files with 27 additions and 4 deletions
--- a/npm-security-check.sh
+++ b/npm-security-check.sh
@@ -18,6 +18,11 @@ send_telegram() {
 HOSTNAME=$(hostname)
 DATE=$(date)
 LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
+WHITELIST="$SCRIPT_DIR/whitelist.conf"
+
+is_whitelisted() {
+    [[ -f "$WHITELIST" ]] && grep -qF "$1" "$WHITELIST" 2>/dev/null
+}

 RED='\033[0;31m'
 YELLOW='\033[1;33m'
@@ -85,6 +90,10 @@ else
    COUNT=$(echo "$LOCKFILES" | wc -l)
    log "Scanning $COUNT lock file(s)..."
    for pkg in "${BAD_PKGS[@]}"; do
+        if is_whitelisted "$pkg"; then
+            ok "$pkg is whitelisted — skipping"
+            continue
+        fi
        MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true)
        if [[ -n "$MATCHES" ]]; then
            fail "Found '$pkg' in: $MATCHES"
@@ -206,12 +215,14 @@ for dir in /tmp /dev/shm /var/tmp; do
    EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true)
    JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true)
    if [[ -n "$EXEC_FILES" ]]; then
-        warn "Executable files in $dir:"
-        log "$EXEC_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "Executable file in $dir: $f"; }
+        done <<< "$EXEC_FILES"
    fi
    if [[ -n "$JS_FILES" ]]; then
-        warn "JS files in $dir:"
-        log "$JS_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "JS file in $dir: $f"; }
+        done <<< "$JS_FILES"
    fi
 done
 ok "Temp directory scan complete"