@datadog/datadog-ci-plugin-sarif Apache-2.0 21 versions

@datadog/datadog-ci-plugin-sarif

npm Repository Homepage

Datadog CI plugin for `sarif` commands

21

Versions

Apache-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

datadog

Keywords

datadogdatadog-ciplugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/bundle.js	AI (source-diff): Official Datadog CI plugin; bundle.js is a rolldown-generated bundle with SLSA provenance, not malware.	ai	2026/05/11
source-diff	source-size-tripled	AI (source-diff): Size increase explained by bundling previously external runtime deps into dist/bundle.js.	ai	2026/05/11
provenance	publisher-changed	AI (provenance): Datadog publishes via GitHub Actions CI/CD with SLSA attestation; this is the expected publisher for this package.	ai	2026/05/08
phantom-deps	phantom-dep:simple-git	AI (phantom-deps): simple-git is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/05/08
source-diff	encoded-string-file:dist/bundle.js	AI (source-diff): Encoded string is the llhttp WASM binary bundled from undici; stable false positive for this package.	ai	2026/05/08

Versions (showing 21 of 21)

Version	Deps	Published
5.17.0	0 / 9	2026-05-19
5.16.1	0 / 9	2026-05-06
5.16.0	0 / 10	2026-05-01
5.15.0	0 / 10	2026-04-27
5.14.0	0 / 10	2026-04-24
5.13.1	0 / 10	2026-04-15
5.13.0	0 / 10	2026-04-13
5.12.1	6 / 4	2026-04-07
5.12.0	6 / 4	2026-04-06
5.11.0	6 / 4	2026-03-31
5.10.0	6 / 4	2026-03-25
5.9.1	8 / 2	2026-03-12
5.9.0	8 / 2	2026-03-03
5.8.0	8 / 2	2026-02-17
5.7.0	8 / 2	2026-02-10
5.6.0	8 / 2	2026-02-03
5.5.0	8 / 2	2026-01-30
5.4.0	8 / 2	2026-01-21
5.3.0	8 / 2	2026-01-20
4.1.1	8 / 2	2025-11-03
4.1.0	8 / 2	2025-10-30

v5.17.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.16.1

2 findings

HIGH Long encoded string in modified file: dist/bundle.js source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.16.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.15.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.14.0

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.1

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.0

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.10.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-25) provenance

This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.1

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-12) provenance

This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.8.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-17) provenance

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.7.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-10) provenance

This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.6.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-30) provenance

This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-21) provenance

This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-20) provenance

This version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.