Shantanu Sharma
How I built forgeseal to solve JS/TS supply chain security in one command

The Problem

The EU Cyber Resilience Act hits enforcement in September 2026, and it requires SBOMs (Software Bills of Materials) for every software product. If you ship to Europe, this isn't optional.
For JavaScript and TypeScript teams, the supply chain security toolchain is fragmented. You need separate tools for SBOM generation, artifact signing, provenance attestations, and vulnerability management. Each has its own configuration, its own assumptions about your setup, and most of them struggle with the variety of JS/TS lockfile formats (npm v2/v3, yarn classic, yarn berry v2/v3/v4, pnpm v6/v9, bun text and binary).

So I built forgeseal, one tool that does all of it.

What forgeseal Does

forgeseal is a single Go binary that handles the entire supply chain security workflow:

forgeseal pipeline --dir ./my-project --output-dir ./artifacts --vex-triage

That one command:

  1. Detects and parses your lockfile (supports all six JS/TS formats)
  2. Generates a CycloneDX SBOM with proper PURLs, integrity hashes, and dependency graphs
  3. Signs the SBOM with Sigstore keyless signing (no GPG keys to manage)
  4. Creates a SLSA v1 provenance attestation with CI environment metadata
  5. Queries OSV.dev and generates a VEX document with vulnerability triage stubs
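To make step 2 concrete, here is an added example written for this post (not code from the forgeseal project) showing how the "packages" map of a package-lock.json v2/v3 becomes CycloneDX components with PURLs and hex-encoded hashes. It assumes a constructed lockfile (sampleLock, with placeholder all-zero digests) and the CycloneDX field names shown in the structs; dependency edges are left out. The part worth copying is the length check in sriToHash: an integrity value that is not a well-formed SHA-256/384/512 digest of exactly the right size is dropped instead of being written into the SBOM as if it were valid. The block has no main; components is the entry point.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// package-lock.json v2 and v3 both carry a "packages" map keyed by install path
// ("node_modules/@scope/name", "node_modules/a/node_modules/b"); "" is the root
// project. v1 lockfiles have no such map and are out of scope here.
type lockfile struct {
	Packages map[string]struct {
		Version   string `json:"version"`
		Integrity string `json:"integrity"`
	} `json:"packages"`
}

// Minimal CycloneDX component: purl plus hashes whose content is a hex digest.
type cdxHash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}
type cdxComponent struct {
	Type    string    `json:"type"`
	Name    string    `json:"name"`
	Version string    `json:"version"`
	PURL    string    `json:"purl"`
	Hashes  []cdxHash `json:"hashes,omitempty"`
}

// packageName is the text after the last "node_modules/" in an install path, so
// a nested copy ("node_modules/a/node_modules/b") still resolves to "b".
func packageName(p string) string {
	if i := strings.LastIndex(p, "node_modules/"); i >= 0 {
		p = p[i+len("node_modules/"):]
	}
	return p
}

// npmPURL builds a package-url; a scope becomes the namespace with its "@"
// percent-encoded, e.g. pkg:npm/%40scope/web@2.1.0.
func npmPURL(name, version string) string {
	if scope, pkg, ok := strings.Cut(name, "/"); ok && strings.HasPrefix(scope, "@") {
		return fmt.Sprintf("pkg:npm/%%40%s/%s@%s", scope[1:], pkg, version)
	}
	return fmt.Sprintf("pkg:npm/%s@%s", name, version)
}

// sriToHash converts an SRI value ("sha512-<base64>") into a CycloneDX hash with
// a hex digest. Anything that is not a SHA-256/384/512 digest of exactly the
// right length yields ok=false, so a truncated or malformed value is dropped.
func sriToHash(sri string) (cdxHash, bool) {
	algo, b64, ok := strings.Cut(sri, "-")
	bits, _ := strconv.Atoi(strings.TrimPrefix(algo, "sha"))
	raw, err := base64.StdEncoding.DecodeString(b64)
	if !ok || err != nil || len(raw)*8 != bits || (bits != 256 && bits != 384 && bits != 512) {
		return cdxHash{}, false
	}
	return cdxHash{Alg: fmt.Sprintf("SHA-%d", bits), Content: hex.EncodeToString(raw)}, true
}

// components converts the installed packages (root excluded) into CycloneDX
// components in sorted path order, so generated SBOMs diff cleanly between runs.
func components(lockJSON []byte) ([]cdxComponent, error) {
	var lf lockfile
	if err := json.Unmarshal(lockJSON, &lf); err != nil || lf.Packages == nil {
		return nil, fmt.Errorf("not a v2/v3 package-lock.json: %v", err)
	}
	var paths []string
	for p := range lf.Packages {
		if p != "" {
			paths = append(paths, p)
		}
	}
	sort.Strings(paths)
	comps := []cdxComponent{}
	for _, p := range paths {
		e, name := lf.Packages[p], packageName(p)
		c := cdxComponent{Type: "library", Name: name, Version: e.Version, PURL: npmPURL(name, e.Version)}
		if h, ok := sriToHash(e.Integrity); ok {
			c.Hashes = []cdxHash{h}
		}
		comps = append(comps, c)
	}
	return comps, nil
}

// sampleLock is a constructed v3 lockfile with placeholder all-zero SHA-512
// digests and one deliberately truncated digest; it is not from a real project.
func sampleLock() string {
	z512 := "sha512-" + strings.Repeat("A", 86) + "=="
	return fmt.Sprintf(`{"lockfileVersion":3,"packages":{
 "":{"name":"demo","version":"1.0.0"},
 "node_modules/@scope/web":{"version":"2.1.0","integrity":"%s"},
 "node_modules/@scope/web/node_modules/tiny":{"version":"0.9.0","integrity":"sha512-dG9vc2hvcnQ="},
 "node_modules/tiny":{"version":"1.0.0","integrity":"%s"}}}`, z512, z512)
}
```

Running components over sampleLock yields three components: the scoped package with a SHA-512 hash, the nested tiny@0.9.0 with no hash (its digest decodes to only eight bytes and is rejected), and the hoisted tiny@1.0.0. A lockfileVersion 1 file, which lacks the packages map, is rejected outright rather than producing an empty SBOM.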

Getting Started

# Install
go install github.com/sn45/forgeseal/cmd/forgeseal@latest

# Generate an SBOM
forgeseal sbom --dir ./my-project

# Full pipeline
forgeseal pipeline --dir . --output-dir ./forgeseal-output --vex-triage

Each command is also available standalone: forgeseal sbom if you need just the SBOM, forgeseal sign for just signing, and forgeseal vex triage for just VEX triage.

The Lockfile Parser Challenge

The most interesting engineering challenge was parsing all six lockfile formats correctly. Each one has quirks:

  • npm has v2 and v3 schemas with different key structures in package-lock.json
  • Yarn Classic uses a custom text format that requires a state machine parser
  • Yarn Berry looks like YAML but has its own conventions for resolution and checksums
  • pnpm v9 splits data across packages and snapshots maps that need cross-referencing
  • Bun uses JSONC (JSON with comments) where base64 hashes can contain // sequences that look like comment markers
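The Bun quirk in the last bullet is easy to get wrong, so here is an added example (written for this post, not forgeseal's parser) that contrasts a naive comment stripper with a string-aware one. The sample document is constructed and only stands in for a bun.lock; the real file's layout differs, and the package name "left-pad" and its integrity value are placeholders. The point for integrity checking: the naive version silently truncates the hash at the "//", so the SBOM would record a digest that can never match the published tarball, or the file fails to parse at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleBunLock is a constructed JSONC document standing in for a bun.lock.
// The real file's layout differs; what matters here is the "//" inside the
// base64 integrity value, which is valid base64 but looks like a comment.
const sampleBunLock = `// constructed sample, not a real bun.lock
{
  "lockfileVersion": 1, /* block comments are legal JSONC too */
  "packages": {
    "left-pad": { "version": "1.3.0", "integrity": "sha512-ab//cd+ef==" } // trailing comment
  }
}`

// naiveStrip is the obvious first attempt: cut each line at its first "//".
// It silently truncates any string that contains "//", such as the hash above.
func naiveStrip(src string) string {
	lines := strings.Split(src, "\n")
	for n, line := range lines {
		if i := strings.Index(line, "//"); i >= 0 {
			lines[n] = line[:i]
		}
	}
	return strings.Join(lines, "\n")
}

// stripJSONC removes // and /* */ comments while tracking whether the scanner
// is inside a JSON string, so comment markers inside string values are kept.
// Backslash escapes are honoured so an escaped quote cannot end the string.
// Only comments are handled; it does not try to fix trailing commas.
func stripJSONC(src string) string {
	var out strings.Builder
	inString := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case inString:
			out.WriteByte(c)
			if c == '\\' && i+1 < len(src) {
				i++
				out.WriteByte(src[i]) // copy the escaped byte verbatim
			} else if c == '"' {
				inString = false
			}
		case c == '"':
			inString = true
			out.WriteByte(c)
		case c == '/' && i+1 < len(src) && src[i+1] == '/':
			for i < len(src) && src[i] != '\n' {
				i++ // drop the rest of the line, keep the newline itself
			}
			i--
		case c == '/' && i+1 < len(src) && src[i+1] == '*':
			end := strings.Index(src[i+2:], "*/")
			if end < 0 {
				return out.String() // unterminated block comment: drop the rest
			}
			i += end + 3 // land on the closing "/"; the loop's i++ moves past it
		default:
			out.WriteByte(c)
		}
	}
	return out.String()
}

// integrityOf strips comments with the given function, parses the result and
// returns the recorded integrity of "left-pad" (constructed package name).
func integrityOf(jsonc string, strip func(string) string) (string, error) {
	var lf struct {
		Packages map[string]struct {
			Integrity string `json:"integrity"`
		} `json:"packages"`
	}
	if err := json.Unmarshal([]byte(strip(jsonc)), &lf); err != nil {
		return "", err
	}
	return lf.Packages["left-pad"].Integrity, nil
}

func main() {
	got, err := integrityOf(sampleBunLock, naiveStrip)
	fmt.Printf("naive:        integrity=%q err=%v\n", got, err)
	got, err = integrityOf(sampleBunLock, stripJSONC)
	fmt.Printf("string-aware: integrity=%q err=%v\n", got, err)
}
```

The string-aware pass is a single byte scan with two states; it costs nothing over a regex approach and is the difference between an SBOM whose hashes can be verified against the registry and one whose hashes are quietly wrong.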

I validated forgeseal against 10 major open source projects: socket.io, jest, storybook, vue, astro, nuxt, svelte, next.js, elysia, and hono. That's 15,000+ components across all six formats. PURLs, dependency edges, and integrity hashes all matched the source lockfiles.

CI Integration

forgeseal ships as a GitHub Action:

- uses: sn45/forgeseal@v1
  with:
    command: pipeline
    dir: '.'
    sign: 'true'
    attest: 'true'
    vex-triage: 'true'

In GitHub Actions, the OIDC token for Sigstore signing is obtained automatically. Just set permissions: id-token: write on your workflow.
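Putting the two halves together, here is an added example workflow (mine, not a file from the forgeseal repo) that combines the action snippet above with the permissions block keyless signing needs. The workflow name, trigger and job name are arbitrary; contents: read keeps the job's default token at the minimum checkout requires while id-token: write lets it mint the OIDC token Sigstore exchanges for a short-lived signing certificate.

```yaml
name: supply-chain
on:
  push:
    branches: [main]

permissions:
  contents: read   # least privilege for actions/checkout
  id-token: write  # required for Sigstore keyless signing in the action below

jobs:
  forgeseal:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sn45/forgeseal@v1
        with:
          command: pipeline
          dir: '.'
          sign: 'true'
          attest: 'true'
          vex-triage: 'true'
```

Scoping permissions at the workflow level, as above, also drops the other default write grants the job would otherwise inherit, which is worth doing in any job that holds a signing identity.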


What's Next

The core pipeline is solid. On the roadmap: container image SBOM support, Grype/Trivy integration for richer vulnerability data, and a forgeseal audit command that evaluates your project's supply chain security posture against CRA requirements.

Repo: github.com/sns45/forgeseal

Apache 2.0 licensed. Contributions welcome.
