Security Scanner API #10093
benjavicente started this conversation in Ideas
Replies: 0 comments
Overview: an API for security scanners could improve the DX of protecting against chain attacks
The idea comes from Bun's Security Scanner API.
An advantage around developer experience that pnpm has is that it can automatically install its own version, the correct Node version, and missing dependencies that are in the package lock but not in node_modules. With that, developers can work with the statically specified versions without manually running additional commands, which is especially useful in large monorepos where those update/install commands aren't expected to be run frequently.

But when working with security scanners on development workstations, tools have opted to use wrappers (for example, Veracode's Phylum and Socket.dev's firewall), where developers have to manually add an alias for the package manager.

Recently, Bun added a security scanner option that automatically runs the provided scanner on add and install commands, without the developer needing to configure that, since it's detected and installed by Bun. I think an option like that in pnpm fits with the DX features I mentioned.
The .pnpmfile.cjs might allow “some scanning”, but a tailored API like Bun's might be more attractive to security platforms. Currently, the Socket scanner is the only one using that API in Bun.
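To make the “some scanning” remark concrete, here is an added example of what a scan wired into `.pnpmfile.cjs` could look like. It is illustrative code written for this page, not pnpm's, Bun's or Socket's code. It relies on pnpm's existing `hooks.readPackage(pkg, context)` hook, which receives each resolved package manifest and aborts the install if the hook throws; the denylist contents, the `evil-left-pad` package name and the `scanManifest` helper are constructed for the example, and a real scanner would query its vendor's service instead of a hard-coded table.

```javascript
// .pnpmfile.cjs -- illustrative security scan in a pnpm hook (added example,
// not pnpm's or any vendor's code). pnpm calls hooks.readPackage(pkg, context)
// for every package manifest it resolves; throwing here aborts the install,
// and context.log() surfaces a message in pnpm's output.

// Constructed denylist for the example: package name -> versions to block.
// A real scanner would fetch this from its platform rather than hard-code it.
const BLOCKED_VERSIONS = {
  'evil-left-pad': new Set(['1.0.1']),
};

// Install-time lifecycle scripts are the usual execution vector for a
// malicious release, so any dependency declaring one is surfaced for review.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Pure function so the policy can be tested without running pnpm.
// Returns a list of findings: { level: 'fatal' | 'warn', reason: string }.
function scanManifest(pkg) {
  const findings = [];
  const id = `${pkg.name}@${pkg.version}`;

  const blocked = BLOCKED_VERSIONS[pkg.name];
  if (blocked && blocked.has(pkg.version)) {
    findings.push({ level: 'fatal', reason: `${id} is on the denylist` });
  }

  const scripts = pkg.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    const cmd = scripts[name];
    if (typeof cmd === 'string' && cmd.trim() !== '') {
      findings.push({ level: 'warn', reason: `${id} runs "${name}": ${cmd}` });
    }
  }
  return findings;
}

const hooks = {
  readPackage(pkg, context) {
    for (const finding of scanManifest(pkg)) {
      if (finding.level === 'fatal') {
        // Throwing makes pnpm fail the install instead of fetching the package.
        throw new Error(`security scan: ${finding.reason}`);
      }
      // Warnings are logged but do not block the install.
      context.log(`security scan: ${finding.reason}`);
    }
    // readPackage must return the (possibly modified) manifest.
    return pkg;
  },
};

// Exported as a CommonJS module, which is what pnpm expects from .pnpmfile.cjs.
if (typeof module !== 'undefined') {
  module.exports = { hooks, scanManifest };
}
```

The hook runs inside the install itself, so no wrapper or shell alias is needed, which is the DX property the post is after. Its limits are also visible: it only sees manifests (no tarball contents), it fires for the workspace's own packages as well as dependencies, and every vendor would have to ship and document its own hook file, which is the gap a dedicated scanner API would close.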