How I built forgeseal to solve JS/TS supply chain security in one command

Published: March 13, 2026 at 10:02 AM EDT
3 min read
Source: Dev.to

The Problem

The EU Cyber Resilience Act takes effect in September 2026 and requires a Software Bill of Materials (SBOM) for every software product shipped to Europe. For JavaScript and TypeScript teams the supply‑chain security toolchain is fragmented: separate tools are needed for SBOM generation, artifact signing, provenance attestations, and vulnerability management. Each tool has its own configuration and assumptions, and many struggle with the variety of lockfile formats (npm v2/v3, Yarn classic, Yarn Berry v2‑v4, pnpm v6/v9, Bun).

What forgeseal Does

forgeseal is a single Go binary that handles the entire supply‑chain security workflow:

forgeseal pipeline --dir ./my-project --output-dir ./artifacts --vex-triage

That one command:

  • Detects and parses your lockfile (supports all six JS/TS formats)
  • Generates a CycloneDX SBOM with proper PURLs, integrity hashes, and dependency graphs
  • Signs the SBOM with Sigstore key‑less signing (no GPG keys)
  • Creates a SLSA v1 provenance attestation with CI environment metadata
  • Queries OSV.dev and generates a VEX document with vulnerability‑triage stubs

Getting Started

# Install
go install github.com/sn45/forgeseal/cmd/forgeseal@latest

# Generate an SBOM
forgeseal sbom --dir ./my-project

# Full pipeline
forgeseal pipeline --dir . --output-dir ./forgeseal-output --vex-triage

Each sub‑command can be used independently:

  • SBOM only: forgeseal sbom
  • Signing only: forgeseal sign
  • VEX triage only: forgeseal vex triage

The Lockfile Parser Challenge

Parsing all six lockfile formats correctly was the most interesting engineering challenge. Highlights:

  • npm – handles both v2 and v3 schemas with differing key structures in package-lock.json.
  • Yarn Classic – parses a custom text format using a state‑machine parser.
  • Yarn Berry – interprets YAML‑like files with its own conventions for resolutions and checksums.
  • pnpm v9 – cross‑references data split across packages and snapshots maps.
  • Bun – processes JSONC (JSON with comments) where base64 hashes may contain // sequences that look like comment markers.
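To make the Bun case concrete, here is an added example (written for this post, not forgeseal's own parser) of a string-aware line-comment stripper in Go, run over a constructed bun.lock-style snippet whose integrity hash contains "//"; the entry layout, the sample content and the function names are assumptions.

```go
package main

import "encoding/json"

// Constructed bun.lock-style JSONC sample (not a real lockfile); the hash deliberately contains "//".
const sampleLock = `// constructed sample, not a real lockfile
{
  "packages": { // comment after an opening brace
    "left-pad": ["left-pad@1.3.0", "", {}, "sha512-ab//cd//ef=="]
  }
}`

// StripLineComments drops // comments but leaves JSON string contents intact, so "//" in a hash survives.
func StripLineComments(src string) string {
	out := make([]byte, 0, len(src))
	inString := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case inString:
			out = append(out, c)
			if c == '\\' && i+1 < len(src) { // copy the escaped byte verbatim
				i++
				out = append(out, src[i])
			}
			inString = c != '"'
		case c == '/' && i+1 < len(src) && src[i+1] == '/':
			for i+1 < len(src) && src[i+1] != '\n' { // skip up to the newline, which is kept
				i++
			}
		default:
			inString = c == '"'
			out = append(out, c)
		}
	}
	return string(out)
}

// IntegrityFor parses the stripped document and returns the hash stored last in the entry.
func IntegrityFor(jsonc, name string) (string, bool) {
	var doc struct{ Packages map[string][]any `json:"packages"` }
	if json.Unmarshal([]byte(StripLineComments(jsonc)), &doc) != nil {
		return "", false
	}
	if entry := doc.Packages[name]; len(entry) > 0 {
		hash, ok := entry[len(entry)-1].(string)
		return hash, ok
	}
	return "", false
}
```

A naive regex that deletes everything from "//" to end of line would instead truncate the hash mid-string and break the JSON; trailing commas, which JSONC also permits, are not handled here.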

Validation was performed against 10 major open‑source projects (socket.io, jest, storybook, vue, astro, nuxt, svelte, next.js, elysia, hono), covering 15 000+ components across all formats. PURLs, dependency edges, and integrity hashes all matched the source lockfiles.

CI Integration

forgeseal is available as a GitHub Action:

- uses: sn45/forgeseal@v1
  with:
    command: pipeline
    dir: '.'
    sign: 'true'
    attest: 'true'
    vex-triage: 'true'

In GitHub Actions the OIDC token for Sigstore signing is obtained automatically; just set permissions: id-token: write in your workflow.

What’s Next

The core pipeline is solid. Planned enhancements include:

  • Container‑image SBOM support
  • Integration with Grype/Trivy for richer vulnerability data
  • A forgeseal audit command to evaluate a project’s supply‑chain security posture against CRA requirements

Repository:
Apache 2.0 licensed. Contributions welcome.
