
Add remote import security validation hook #5

@drernie

Description

Summary

Add deno-import-check built-in hook to validate and enforce policies for remote imports, helping teams secure their Deno supply chain.

Motivation

Deno's remote imports are powerful but create security risks:

  • Imports from untrusted sources
  • No visibility into import origins
  • Supply chain attack vectors
  • No policy enforcement

This is a Deno-specific problem that Node.js doesn't have, making it a perfect differentiator.

Proposed Solution

hooks:
  pre-commit:
    - id: import-policy
      run: deno-import-check
      glob: "**/*.ts"
      config:
        allowedHosts:
          - "deno.land"
          - "jsr.io"
          - "esm.sh"
        blockList:
          - "unpkg.com"  # Known security issues
        requireLockfile: true
        checkForSecrets: true  # Detect secrets in import URLs

Implementation

Built-in hook that:

  1. Scans staged .ts files for import statements
  2. Extracts remote import URLs
  3. Validates against allowed/blocked hosts
  4. Checks if deno.lock is updated
  5. Scans for suspicious patterns (secrets in URLs, etc.)

// Assumed shapes for the hook runner's types (the proposal does not define them).
interface ImportCheckConfig {
  allowedHosts?: string[];
  blockList?: string[];
  requireLockfile?: boolean;
  checkForSecrets?: boolean;
}
interface HookContext { files: string[]; rootDir: string; config: ImportCheckConfig }
interface HookResult { success: boolean; message: string }

// Helpers referenced below are left to the implementation:
//   extractRemoteImports(source) -> http(s) specifiers found in import/export statements
//   hasSecretsInUrl(url)         -> credentials or token-like parameters in the URL
declare function extractRemoteImports(source: string): string[];
declare function hasSecretsInUrl(url: string): boolean;

async function denoImportCheck(ctx: HookContext): Promise<HookResult> {
  const { files, rootDir, config } = ctx;
  const violations: string[] = [];

  for (const file of files) {
    const content = await Deno.readTextFile(`${rootDir}/${file}`);
    const imports = extractRemoteImports(content);

    for (const importUrl of imports) {
      let host: string;
      try {
        host = new URL(importUrl).hostname;
      } catch (_e) {
        // A malformed specifier is reported as a violation instead of
        // throwing and aborting the whole hook
        violations.push(`${file}: Unparseable import URL ${importUrl}`);
        continue;
      }

      // Check blocklist
      if (config.blockList?.includes(host)) {
        violations.push(`${file}: Blocked host ${host}`);
      }

      // Check allowlist (if specified)
      if (config.allowedHosts && !config.allowedHosts.includes(host)) {
        violations.push(`${file}: Unauthorized host ${host}`);
      }

      // Check for secrets
      if (config.checkForSecrets && hasSecretsInUrl(importUrl)) {
        violations.push(`${file}: Potential secret in import URL`);
      }
    }
  }

  // Step 4 (requireLockfile: verify deno.lock covers the imports) is not shown in this sketch

  if (violations.length > 0) {
    return {
      success: false,
      message: violations.join("\n"),
    };
  }

  return { success: true, message: "All imports validated" };
}
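As an added example (not the project's own code), the two helpers the sketch above leaves undefined plus the per-import policy check, run over a constructed sample file; the ImportPolicy shape, the function names and all sample values are assumptions.

```typescript
interface ImportPolicy { allowedHosts?: string[]; blockList?: string[]; checkForSecrets?: boolean; }

// Static import/re-export with a string specifier, or dynamic import("...").
const IMPORT_RE = /(?:import|export)\s+(?:[^'";]*?\s+from\s+)?["']([^"']+)["']|import\(\s*["']([^"']+)["']\s*\)/g;

// Only http(s) specifiers are remote; relative and bare specifiers are skipped.
function extractRemoteImports(source: string): string[] {
  const urls: string[] = [];
  const re = new RegExp(IMPORT_RE.source, "g"); // fresh lastIndex per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const spec = m[1] !== undefined ? m[1] : m[2];
    if (/^https?:\/\//i.test(spec)) urls.push(spec);
  }
  return urls;
}

// Credentials in userinfo (user:pass@host) or a token-like query parameter.
function hasSecretsInUrl(url: URL): boolean {
  if (url.username !== "" || url.password !== "") return true;
  let hit = false;
  url.searchParams.forEach((_v, key) => { if (/token|key|secret|passw|auth/i.test(key)) hit = true; });
  return hit;
}

// Blocklist, allowlist and secret checks for one specifier; a malformed URL is
// itself a violation rather than an exception that aborts the whole hook.
function checkImport(file: string, spec: string, policy: ImportPolicy): string[] {
  let url: URL | null = null;
  try { url = new URL(spec); } catch (_e) { /* reported below */ }
  if (url === null) return [`${file}: Unparseable import URL ${spec}`];
  const host = url.hostname, out: string[] = [];
  if (policy.blockList?.includes(host)) out.push(`${file}: Blocked host ${host}`);
  if (policy.allowedHosts && !policy.allowedHosts.includes(host)) out.push(`${file}: Unauthorized host ${host}`);
  if (policy.checkForSecrets && hasSecretsInUrl(url)) out.push(`${file}: Potential secret in import URL`);
  return out;
}

function checkSource(file: string, source: string, policy: ImportPolicy): string[] {
  let out: string[] = [];
  for (const spec of extractRemoteImports(source)) out = out.concat(checkImport(file, spec, policy));
  return out;
}

// Constructed sample input (not from any real project).
const SAMPLE_SOURCE = `
import { serve } from "https://deno.land/std@0.200.0/http/server.ts";
import lodash from "https://unpkg.com/lodash-es@4.17.21/lodash.js";
export * from "https://esm.sh/react@18?token=abc123";
const oak = await import("https://deno.land/x/oak/mod.ts");
import local from "./util.ts";
`;
const SAMPLE_POLICY: ImportPolicy = { allowedHosts: ["deno.land", "jsr.io", "esm.sh"], blockList: ["unpkg.com"], checkForSecrets: true };
```

Against the sample, the unpkg.com import produces both a blocklist and an allowlist violation, the esm.sh import is flagged for its token parameter, and the local import is ignored.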

Benefits

  • Unique to Deno - Node.js doesn't have remote imports
  • ✅ Security value: Prevent supply chain attacks
  • ✅ Compliance: Enterprise teams need import governance
  • ✅ Visibility: See exactly what external code you're depending on
  • ✅ Marketing: "Secure your Deno supply chain"

Configuration Options

  • allowedHosts: Whitelist of allowed import hosts
  • blockList: Blacklist of forbidden hosts
  • requireLockfile: Ensure deno.lock is updated with imports
  • checkForSecrets: Detect potential secrets in import URLs
  • warnOnly: Report violations without blocking commit

Use Cases

Open source projects:

config:
  allowedHosts: ["deno.land", "jsr.io", "esm.sh"]
  requireLockfile: true

Enterprise projects:

config:
  allowedHosts: ["internal-registry.company.com", "jsr.io"]
  blockList: ["unpkg.com", "cdn.jsdelivr.net"]
  checkForSecrets: true

Priority

MEDIUM - High value for enterprise/security-conscious teams, but more complex to implement
