
feat: npm audit signatures --json --include-attestations to output sigstore attestation bundles #9048

@mitchdenny

Description

Summary

npm audit signatures currently verifies sigstore attestation bundles but only reports pass/fail counts. There is no way to extract the actual attestation bundles for downstream consumption.

This is a blocker for scenarios like:

  • Policy engines that need to inspect provenance predicates before allowing deployment
  • SBOM generation that wants to embed attestation evidence
  • Custom verification pipelines that need the raw bundles for additional checks beyond what npm performs
  • Audit logging where organizations need to record the cryptographic evidence alongside the verification result

Proposal

Add a --include-attestations flag that, when combined with --json, includes the verified sigstore attestation bundles in the JSON output:

npm audit signatures --json --include-attestations

Output includes a new verified array:

{
  "invalid": [],
  "missing": [],
  "verified": [
    {
      "name": "sigstore",
      "version": "0.4.0",
      "attestations": {
        "url": "https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0",
        "provenance": { "predicateType": "https://slsa.dev/provenance/v0.2" },
        "bundles": [
          {
            "predicateType": "https://slsa.dev/provenance/v0.2",
            "bundle": { "mediaType": "...", "verificationMaterial": {}, "dsseEnvelope": {} }
          }
        ]
      }
    }
  ]
}

The predicateType field serves as the association key between dist.attestations.provenance metadata and the full bundles, making lookup straightforward and forward-compatible if new attestation types are introduced.

Implementation

This requires a coordinated change across two repos:

  1. pacote (feat: expose fetched attestation bundles on manifest pacote#457): Preserve fetched attestation bundles on mani._attestations.bundles instead of discarding them after verification. This is a one-line change.
  2. npm CLI (draft PR to follow): Add --include-attestations config flag, collect verified attestation data, and include it in JSON output.

The flag is opt-in and has no effect without --json, so there is no change to existing behavior.

cc @feelepxyz — as the author of the attestation verification in both pacote and npm CLI, your input on this approach would be very valuable.
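A downstream consumer of the proposed output, written as an added example (it is not code from npm, pacote, or the issue author): a small policy-engine check that reads the `verified` array, uses `predicateType` as the lookup key between `attestations.provenance` and `attestations.bundles` exactly as the proposal describes, decodes the DSSE envelope that npm has already verified, and decides whether each package may be deployed. The sample document is constructed to match the JSON shape in the proposal; the builder id, build type, source URI, digest, signature fields and policy values inside it are placeholder assumptions, not real registry data.

```javascript
// Added example, not code from npm, pacote, or the issue author. SAMPLE_OUTPUT
// is constructed to match the shape proposed for
// `npm audit signatures --json --include-attestations`; every value marked
// "assumed" is a placeholder, not real registry data.

// Constructed in-toto statement that would travel base64-encoded in
// dsseEnvelope.payload of a SLSA v0.2 provenance bundle (values assumed).
const SAMPLE_STATEMENT = {
  _type: "https://in-toto.io/Statement/v0.1",
  subject: [{ name: "pkg:npm/sigstore@0.4.0", digest: { sha512: "00".repeat(64) } }],
  predicateType: "https://slsa.dev/provenance/v0.2",
  predicate: {
    builder: { id: "https://example.invalid/builder" },            // assumed
    buildType: "https://example.invalid/buildType/v1",              // assumed
    invocation: { configSource: { uri: "git+https://github.com/example/sigstore@refs/tags/v0.4.0" } }, // assumed
  },
};

// Constructed document in the proposal's output shape.
const SAMPLE_OUTPUT = {
  invalid: [],
  missing: [],
  verified: [{
    name: "sigstore",
    version: "0.4.0",
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v0.2" },
      bundles: [{
        predicateType: "https://slsa.dev/provenance/v0.2",
        bundle: {
          mediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", // assumed
          verificationMaterial: {},
          dsseEnvelope: {
            payloadType: "application/vnd.in-toto+json",
            payload: Buffer.from(JSON.stringify(SAMPLE_STATEMENT)).toString("base64"),
            signatures: [{ keyid: "", sig: "" }],                          // assumed, already verified by npm
          },
        },
      }],
    },
  }],
};

// Index a verified entry's bundles by predicateType, the association key the
// proposal uses between attestations.provenance and the full bundles.
function indexBundles(entry) {
  const byType = new Map();
  for (const rec of entry.attestations?.bundles ?? []) {
    if (byType.has(rec.predicateType)) {
      throw new Error(`${entry.name}: duplicate bundle for ${rec.predicateType}`);
    }
    byType.set(rec.predicateType, rec.bundle);
  }
  return byType;
}

// Decode a bundle's DSSE payload and check it against the predicateType the
// output declared for it. npm has already verified the signature; this only
// parses what npm vouched for and refuses a payload that contradicts the label.
function decodeStatement(bundle, expectedPredicateType) {
  const env = bundle.dsseEnvelope;
  if (env?.payloadType !== "application/vnd.in-toto+json") {
    throw new Error(`unexpected payloadType ${env?.payloadType}`);
  }
  const stmt = JSON.parse(Buffer.from(env.payload, "base64").toString("utf8"));
  if (stmt.predicateType !== expectedPredicateType) {
    throw new Error(`payload predicateType ${stmt.predicateType} != ${expectedPredicateType}`);
  }
  return stmt;
}

// Deployment policy: each verified package must carry provenance, the bundle
// for that predicateType must be present and parse, and the builder and
// source repository must be on the allow lists.
function evaluatePolicy(output, policy) {
  const result = { allowed: [], denied: [] };
  for (const entry of output.verified) {
    const id = `${entry.name}@${entry.version}`;
    const deny = (reason) => result.denied.push({ id, reason });
    const provType = entry.attestations?.provenance?.predicateType;
    if (!provType) { deny("no provenance attestation"); continue; }
    const bundle = indexBundles(entry).get(provType);
    if (!bundle) { deny(`no bundle for ${provType}`); continue; }
    let stmt;
    try { stmt = decodeStatement(bundle, provType); } catch (err) { deny(`bad bundle: ${err.message}`); continue; }
    const builderId = stmt.predicate?.builder?.id;
    const sourceUri = stmt.predicate?.invocation?.configSource?.uri ?? "";
    if (!policy.builders.includes(builderId)) { deny(`builder ${builderId} not allowed`); continue; }
    if (!policy.sourcePrefixes.some((p) => sourceUri.startsWith(p))) { deny(`source ${sourceUri} not allowed`); continue; }
    result.allowed.push(id);
  }
  return result;
}

const POLICY = {
  builders: ["https://example.invalid/builder"],        // assumed
  sourcePrefixes: ["git+https://github.com/example/"],  // assumed
};

// In real use, replace SAMPLE_OUTPUT with JSON.parse of the command's stdout.
console.log(JSON.stringify(evaluatePolicy(SAMPLE_OUTPUT, POLICY), null, 2));
```

The mismatch check in `decodeStatement` is the reason to keep `predicateType` on both the `provenance` summary and each bundle record: a consumer can confirm that the label npm attached to a bundle agrees with the statement inside it before trusting the predicate, rather than assuming the first bundle in the array is the provenance one.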
