@itentialopensource/adapter-zscaler_zpa
This adapter integrates with ZScaler ZPA API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): Standard Itential adapter preinstall pattern; runs node utils/setup.js, consistent across all versions of this package family. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires on path.join(__dirname, 'adapterBase.js') — a static path join, not truly dynamic/arbitrary module loading. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): execSync/spawnSync used in adapter base for connectivity/healthcheck tooling; consistent with documented adapter functionality. | ai | |
| phantom-deps | phantom-dep:ping | AI (phantom-deps): ping is a declared runtime dependency used in config/connectivity scripts; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:prompts | AI (phantom-deps): prompts used in interactive setup utilities; referenced in config files as expected. | ai | |
| phantom-deps | phantom-dep:mocha-param | AI (phantom-deps): mocha-param used in test scripts; referenced in config files, not directly imported in main code. | ai |
v2.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
2 findingsScript: node utils/setup.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
2 findingsScript: node utils/setup.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.