From 0e13385f2bf0f9c8c66798351b0892705cf41f20 Mon Sep 17 00:00:00 2001
From: PierreDemailly
Date: Sat, 28 Mar 2026 02:57:48 +0100
Subject: [PATCH] fix(scanner): add attestations on first dependency enrichment

---
 .changeset/fiery-ideas-peel.md | 5 +++++
 .../src/registry/NpmRegistryProvider.ts | 3 ++-
 .../scanner/test/NpmRegistryProvider.spec.ts | 22 +++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/fiery-ideas-peel.md

diff --git a/.changeset/fiery-ideas-peel.md b/.changeset/fiery-ideas-peel.md
new file mode 100644
index 00000000..b3dba5a3
--- /dev/null
+++ b/.changeset/fiery-ideas-peel.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": patch
+---
+
+Add attestations on first dependency enrichment
diff --git a/workspaces/scanner/src/registry/NpmRegistryProvider.ts b/workspaces/scanner/src/registry/NpmRegistryProvider.ts
index aa503164..89a550b5 100644
--- a/workspaces/scanner/src/registry/NpmRegistryProvider.ts
+++ b/workspaces/scanner/src/registry/NpmRegistryProvider.ts
@@ -123,7 +123,8 @@ export class NpmRegistryProvider {
 flags: Object.keys(flags).filter((key) => flags[key]),
 version: {
 links: getLinks(packumentVersion),
- deprecated: packumentVersion.deprecated
+ deprecated: packumentVersion.deprecated,
+ attestations: packumentVersion.dist.attestations
 }
 };
 }
diff --git a/workspaces/scanner/test/NpmRegistryProvider.spec.ts b/workspaces/scanner/test/NpmRegistryProvider.spec.ts
index 22c31f9f..7270097f 100644
--- a/workspaces/scanner/test/NpmRegistryProvider.spec.ts
+++ b/workspaces/scanner/test/NpmRegistryProvider.spec.ts
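Review bot: The new `attestations: packumentVersion.dist.attestations` line copies the registry's attestation pointer (the `url` plus `provenance.predicateType` the test later asserts on) straight into the enriched version, and nothing in the hunk records that this is unverified metadata rather than a checked provenance statement. Since the field is optional in the packument it will simply be `undefined` for packages published without provenance, so downstream code must treat presence as "the registry says an attestation exists", not as proof that the artifact was built from the claimed source. I would add a comment above the line: `// Attestation pointer as reported by the registry (url + predicateType); presence is not verified here — consumers must fetch and verify before trusting it.` The enclosing method of NpmRegistryProvider starts outside the hunk, so whether a guard on `dist` being present exists earlier cannot be seen from here.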
@@ -758,6 +758,28 @@ describe("NpmRegistryProvider", () => {
 });
 });
 
+ test("should enrich dependency with attestations for a package with provenance", async() => {
+ const dependency = {
+ metadata: {},
+ versions: {
+ "3.1.0": {
+ flags: []
+ }
+ }
+ } as unknown as Dependency;
+ const logger = new Logger().start("registry");
+ const provider = new NpmRegistryProvider("@nodesecure/cli", "3.1.0");
+
+ await provider.enrichDependency(logger, dependency);
+
+ assert.deepEqual(dependency.versions["3.1.0"]!.attestations, {
+ url: "https://registry.npmjs.org/-/npm/v1/attestations/@nodesecure%2fcli@3.1.0",
+ provenance: {
+ predicateType: "https://slsa.dev/provenance/v1"
+ }
+ });
+ });
+
 test("should detect and flag deprecated package versions", async() => {
 const dependency = {
 metadata: {},
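Review bot: The new test resolves `@nodesecure/cli@3.1.0` through `NpmRegistryProvider` and then `assert.deepEqual`s the exact attestation `url` and `predicateType`, so as far as the hunk shows it depends on the live npm registry and on that published version keeping its provenance record, which makes it an integration test that fails offline or if the registry changes the attestation endpoint path. If the spec file already has a fixture or mock mechanism for packument responses (the neighbouring deprecated-version test, which starts inside this hunk but ends outside it, uses the same live-lookup shape, so I cannot tell), the attestations case should use it as well; otherwise a comment stating the network dependency would help, e.g. `// Integration test: requires network access to registry.npmjs.org`. Independently, `assert.deepEqual` is the loose comparison; `assert.deepStrictEqual(dependency.versions["3.1.0"]!.attestations, {...})` would catch a type drift such as a stringified field without changing the fixture. The enclosing `describe` block starts outside the hunk.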