NodeShield CBOM policy generation and validation workflow
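#!/bin/bash
# NodeShield CBOM Generation Workflow
# Automates SBOM → CBOM conversion with manual review prompts
#
# Dependencies:
# - Syft (SBOM generator): https://github.com/anchore/syft
# - jq (JSON processor): used to count the SBOM's components
# - NodeShield CLI: npm install -g @nodeshield/cli
#
# Usage:
# ./generate-cbom.sh /path/to/nodejs/project
#
# Files written into the project directory:
# - sbom.json               CycloneDX SBOM produced by Syft
# - cbom.yaml               CBOM policies produced by `nodeshield outline`
# - cbom-review-needed.txt  excerpts of policies that need a human decision
#                           (removed again when nothing was flagged)
set -euo pipefail

# Configuration
readonly PROJECT_DIR="${1:-.}"
readonly SBOM_FILE="sbom.json"
readonly CBOM_FILE="cbom.yaml"
readonly REVIEW_NEEDED="cbom-review-needed.txt"

#######################################
# Abort unless every external tool the workflow calls is on PATH.
# Checked up front so a missing tool is reported before the (potentially
# slow) Syft scan runs, rather than half-way through the workflow.
# Outputs: install hints to stderr on failure
# Returns: exits 1 if any tool is missing
#######################################
check_prerequisites() {
  if ! command -v syft &> /dev/null; then
    echo "ERROR: Syft not installed. Install with:" >&2
    # NOTE: the upstream one-liner pipes an unverified download straight into
    # sh; a pinned release whose checksum/signature is verified is preferable.
    echo " curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh" >&2
    exit 1
  fi
  if ! command -v jq &> /dev/null; then
    echo "ERROR: jq not installed (needed to read the SBOM). Install it with your package manager." >&2
    exit 1
  fi
  if ! command -v nodeshield &> /dev/null; then
    echo "ERROR: NodeShield CLI not installed. Install with:" >&2
    echo " npm install -g @nodeshield/cli" >&2
    exit 1
  fi
}

#######################################
# Step 1: scan the current directory with Syft and report the component count.
# Globals:  SBOM_FILE (written)
# Outputs:  progress lines to stdout
# Returns:  non-zero (via set -e) if syft or jq fails
#######################################
generate_sbom() {
  echo "[1/4] Generating SBOM with Syft..."
  syft scan dir:. -o cyclonedx-json > "${SBOM_FILE}"
  local component_count
  # `.components` may be absent from an SBOM with no packages; `// []` keeps
  # the count at 0 instead of relying on jq's null handling.
  component_count=$(jq '.components // [] | length' "${SBOM_FILE}")
  echo " ✓ Generated SBOM with ${component_count} components"
}

#######################################
# Step 2: derive CBOM policies from the SBOM with the NodeShield outliner.
# Globals:  SBOM_FILE (read), CBOM_FILE (written)
# Outputs:  progress lines to stdout
#######################################
outline_cbom() {
  echo ""
  echo "[2/4] Auto-generating CBOM policies with Static Outliner..."
  nodeshield outline \
    --sbom "${SBOM_FILE}" \
    --output "${CBOM_FILE}" \
    --risk-threshold MEDIUM
  local policy_count
  # grep -c exits 1 when the count is 0, which would otherwise trip set -e.
  policy_count=$(grep -c '^module:' "${CBOM_FILE}" || true)
  echo " ✓ Generated ${policy_count:-0} CBOM policies"
}

#######################################
# Step 3: extract policies that need a human decision into REVIEW_NEEDED.
# Two passes: policies the outliner itself rated HIGH/CRITICAL, then any
# policy granting a capability that is risky regardless of the inferred
# rating. The -B2/-A5 window assumes the `module:` key sits within two lines
# above the matched field — TODO confirm against the outliner's YAML layout.
# Globals:  CBOM_FILE (read), REVIEW_NEEDED (written, or removed if empty)
# Outputs:  deduplicated module list to stdout
#######################################
flag_for_review() {
  echo ""
  echo "[3/4] Flagging high-risk modules for manual review..."
  # `grep -E` alternation is used because `\|` in a BRE is a GNU-only
  # extension and fails on BSD/macOS grep.
  grep -E -B2 -A5 'inferred_risk: (HIGH|CRITICAL)' "${CBOM_FILE}" > "${REVIEW_NEEDED}" || true
  grep -E -B2 -A5 'network\.egress|process\.exec|filesystem\.write' "${CBOM_FILE}" >> "${REVIEW_NEEDED}" || true

  # A module matched by both passes appears twice in the excerpt; count and
  # list each module once.
  local review_modules review_count
  review_modules=$(grep '^module:' "${REVIEW_NEEDED}" | sort -u || true)
  if [[ -n "${review_modules}" ]]; then
    review_count=$(printf '%s\n' "${review_modules}" | grep -c .)
    echo " ⚠️ ${review_count} modules require manual review:"
    echo ""
    printf '%s\n' "${review_modules}" | sed 's/module: / - /'
    echo ""
    echo " Review file saved: ${REVIEW_NEEDED}"
  else
    echo " ✓ No high-risk modules detected"
    rm -f "${REVIEW_NEEDED}"
  fi
}

#######################################
# Step 4: print the manual review checklist and next steps.
# Globals:  REVIEW_NEEDED (existence checked), CBOM_FILE (read)
# Outputs:  guidance text to stdout
#######################################
print_guidance() {
  echo ""
  echo "[4/4] Manual Review Guidance"
  echo "----------------------------"
  echo ""
  echo "High-risk capabilities to verify:"
  echo ""
  echo " network.egress:* - Outbound network connections (C2 communication)"
  echo " process.exec - Command execution (reverse shells, miners)"
  echo " filesystem.write:* - File writes (backdoor installation)"
  echo " filesystem.read:/etc - System file access (credential theft)"
  echo " crypto.sign - Code signing (malware persistence)"
  echo ""
  echo "Recommended policy tightening:"
  echo ""
  echo " 1. Change 'network.egress:*' to specific domains:"
  echo " capabilities:"
  echo " - network.egress:api.example.com # Allow only known APIs"
  echo ""
  echo " 2. Add explicit denies for dangerous capabilities:"
  echo " capabilities:"
  echo " - NO:process.exec # Block all command execution"
  echo ""
  echo " 3. Scope filesystem access to minimum required:"
  echo " capabilities:"
  echo " - filesystem.read:/app/config # Narrow from filesystem.read:*"
  echo ""
  echo "Next steps:"
  # The review file is deleted in step 3 when nothing was flagged, so only
  # point the reader at it when it exists.
  if [[ -f "${REVIEW_NEEDED}" ]]; then
    echo " 1. Review ${REVIEW_NEEDED} and update ${CBOM_FILE} manually"
  else
    echo " 1. Review and update ${CBOM_FILE} manually"
  fi
  echo " 2. Test with NodeShield in audit mode: CBOM_ENFORCE=false"
  echo " 3. Run attack simulations: node attack-simulation.js --run-all"
  echo " 4. Enable enforcement: CBOM_ENFORCE=true"
  echo ""
}

#######################################
# Entry point: run the four steps in order from inside PROJECT_DIR.
# Arguments: $1 - project directory (defaults to ".")
#######################################
main() {
  echo "NodeShield CBOM Generation Workflow"
  echo "===================================="
  echo "Project: ${PROJECT_DIR}"
  echo ""
  check_prerequisites
  cd "${PROJECT_DIR}" || { echo "ERROR: cannot cd to ${PROJECT_DIR}" >&2; exit 1; }
  generate_sbom
  outline_cbom
  flag_for_review
  print_guidance
  echo "CBOM generation complete!"
}

main "$@"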