# `NPM.Security.Provenance`
[🔗](https://github.com/elixir-volt/npm_ex/blob/v0.7.4/lib/npm/security/provenance.ex#L1)

Supply chain provenance checking for npm packages.

Validates SLSA provenance attestations, checks build source
transparency, and identifies packages published from CI.

# `format_summary`

```elixir
@spec format_summary(map()) :: String.t()
```

Formats the risk summary for display.

# `has_integrity?`

```elixir
@spec has_integrity?(map()) :: boolean()
```

Validates that a package has an integrity hash.

# `has_provenance?`

```elixir
@spec has_provenance?(map()) :: boolean()
```

Checks if a package entry has provenance information.

# `risk_summary`

```elixir
@spec risk_summary(map()) :: map()
```

Returns a supply chain risk summary for the lockfile.

# `scan`

```elixir
@spec scan(map()) :: %{with_provenance: [String.t()], without: [String.t()]}
```

Scans a lockfile for packages with/without provenance.

# `trusted_registry?`

```elixir
@spec trusted_registry?(String.t()) :: boolean()
```

Checks if a package's registry is trusted.

---

*Consult [api-reference.md](api-reference.md) for the complete listing.*
