@datadog/datadog-ci-plugin-sbom

Datadog CI plugin for `sbom` commands

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

datadog

Keywords

datadogdatadog-ciplugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): DataDog org publishes via GitHub Actions CI/CD; SLSA attestation confirms legitimate automated publishing pipeline.	ai	2026/05/17
source-diff	net-exec-file:dist/bundle.js	AI (source-diff): bundle.js is a rolldown-bundled artifact from the official DataDog repo; network calls are part of the CI plugin's documented functionality.	ai	2026/05/17
source-diff	source-size-tripled	AI (source-diff): Size increase explained by bundling previously external runtime deps (axios, ajv, etc.) into dist/bundle.js.	ai	2026/05/17
dependencies	unvetted-dep:packageurl-js	AI (dependencies): packageurl-js is a standard PURL parsing library; benign and appropriate for an SBOM plugin.	ai	2026/05/17

Versions (showing 18 of 18)

Version	Deps	Published
5.15.0	0 / 8	2026-04-27
5.14.0	0 / 8	2026-04-24
5.13.1	0 / 8	2026-04-15
5.13.0	0 / 8	2026-04-13
5.12.1	5 / 3	2026-04-07
5.12.0	5 / 3	2026-04-06
5.11.0	5 / 3	2026-03-31
5.10.0	5 / 3	2026-03-25
5.9.1	7 / 1	2026-03-12
5.9.0	7 / 1	2026-03-03
5.8.0	7 / 1	2026-02-17
5.7.0	7 / 1	2026-02-10
5.6.0	7 / 1	2026-02-03
5.5.0	7 / 1	2026-01-30
5.4.0	7 / 1	2026-01-21
5.3.0	7 / 1	2026-01-20
4.1.1	7 / 1	2025-11-03
4.1.0	7 / 1	2025-10-30

v5.15.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.14.0

3 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-04-24) provenance

This version was published by a different npm account than previous versions on 2026-04-24. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.1

3 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-04-15) provenance

This version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.0

3 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-04-13) provenance

This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.10.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-25) provenance

This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.1

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-12) provenance

This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.8.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-17) provenance

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.7.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-10) provenance

This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.6.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-30) provenance

This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-21) provenance

This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-20) provenance

This version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.