Check npm vulnerabilities
In this tutorial, you will create a CDS Workflow with the Web UI that check JavaScript vulnerabilities
- Create a workflow using one pipeline
- You will discover the npm-audit-parser plugin action, which parse npm audit report
1 - Create your CDS project
Let’s create a project. On the top navbar, click on ‘Create a project’.
- Enter a Project Name
- The project key will be useful when you want to use cdsctl.
- Click on ‘Create’ button.
2 - Add a repository manager on your project
The project is now create, you have to link a repository manager. Be sure to have a Repository manager as GitHub, Bitbucket Server or GitLab set up on your CDS Instance.
- Select ‘Advanced’ section
- In the section ‘Link to a repository manager’, select ‘github’, then click on ‘Connect’
- A popup is displayed, Click on ‘Click here’ to finalize the link with GitHub. By doing that, you allow CDS to create hook on GitHub.
3 - Create an application, link it to a Git Repository
You’ve got a project, linked to GitHub. Let’s create an application.
A CDS Application is useful to have a link to a Git Repository.
- Go on Project -> Applications tab, click on ‘Create a new application’
- Enter application name, here ‘my-node-app’
- Go on Advanced tab, select a Repository
- Expand configuration, select ‘https’. If your repository is public, you can keep empty fields, then click on ‘Save’
4 - Create the workflow
- Go to Project -> Workflows tab
- Enter the Workflow name, then click on Next
- You have now to choose the first pipeline. As you don’t have a pipeline yet, you will create a new one, named ‘check-node-vulnerabilities’. Click on Next
- Now, you have to select an application. Choose your application ‘my-node-app’, then click on Next
- We don’t need an environment, neither platform for the build pipeline, Click on ‘Finish’
- Edit the pipeline ‘check-node-vulnerabilities’
- Click on Edit as Code button, then paste that code:
version: v1.0
name: check-node-vulnerabilities
jobs:
- job: New Job
steps:
- checkout: '{{.cds.workspace}}'
- script:
- npm install --no-audit
- optional: true
script:
- npm audit --json > report.json
- plugin-npm-audit-parser:
file: report.json
requirements:
- binary: git
- binary: npm
- plugin: plugin-npm-audit-parser
5 - Run Workflow
The workflow is now ready to be launched
- Launch the workflow
- Go to pipeline execution
- Click on vulnerability tab
6 - Application vulnerability
If the workflow has been launch on the default branch of your repository, vulnerabilities are also attached to the CDS application
- Go to Project -> Application tab
- Click on Vulnerabilities tab
