In our team we introduced a workflow that uses both npm audit and npm ci in our CI pipeline, isolating the installation in a Docker container. If someone introduces or changes dependencies, it hardly goes unnoticed. Relying solely on our best intentions is sometimes not enough, and it's necessary to automate some tasks. This is a good example where automation can save you from some trouble.
How exactly are you combining audit and npm's install/ci?
I didn't understand how that's related to docker. Do you mean you are doing this inside the docker image you're building?
Yes, exactly. We build everything inside a Docker image (using npm ci), and later on we run a step in our pipeline with npm audit (and other homegrown checks) to ensure that an inconsistent state or malicious code never goes to production. There is also some integration with Slack to notify everyone that we have to fix it.
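The gate described in this comment, as an added example that is not the commenter's pipeline: `npm ci` runs inside a throwaway container (it refuses to install when package.json and package-lock.json disagree, which is what makes an unrelocked dependency change visible), the `npm audit --json` report is captured, and a small POSIX sh function fails the build when anything at or above a chosen severity is present. The node:20-alpine image, the "high" threshold, the npm 7+ report shape (metadata.vulnerabilities.{info,low,moderate,high,critical}) and the sample report itself are assumptions for the illustration, not something from the thread.

```shell
#!/bin/sh
# Added example (not the commenter's pipeline): install strictly from the
# lockfile inside a container, capture `npm audit --json`, and block the build
# when vulnerabilities at or above a severity threshold are reported.
# Assumptions: node:20-alpine image, threshold "high", npm 7+ audit JSON shape.
set -eu

# Step 1: build in an isolated container. `npm audit` exits non-zero whenever it
# finds something, so its report is captured here and judged in Step 2 instead
# of letting the raw exit code decide. Writes ./audit.json into the workspace.
build_in_container() {
  docker run --rm -v "$PWD":/app -w /app node:20-alpine \
    sh -c 'npm ci && (npm audit --json > /app/audit.json || true)'
}

# Step 2: sum the counts at or above the threshold. Line-based sed is enough
# because npm pretty-prints one key per line; per-package entries look like
# `"severity": "high"` (no colon after the level) and therefore do not match.
count_at_or_above() {
  json_file=$1
  level=$2
  case $level in
    critical|high|moderate|low|info) ;;
    *) echo "unknown audit level: $level" >&2; return 2 ;;
  esac
  total=0
  for sev in critical high moderate low info; do
    n=$(sed -n 's/^ *"'"$sev"'": *\([0-9][0-9]*\).*/\1/p' "$json_file" | head -n 1)
    total=$((total + ${n:-0}))
    if [ "$sev" = "$level" ]; then
      break
    fi
  done
  echo "$total"
}

# Step 3: the CI gate. Returns 1 (failing the pipeline step) when the count is
# non-zero, 0 otherwise.
gate_on_audit() {
  json_file=$1
  level=${2:-high}
  found=$(count_at_or_above "$json_file" "$level")
  if [ "$found" -gt 0 ]; then
    echo "FAIL: $found vulnerabilities at severity >= $level" >&2
    return 1
  fi
  echo "OK: nothing at severity >= $level"
}

# Constructed sample report (not real audit output) in the npm 7+ shape, so the
# gate can be exercised offline.
write_sample_audit() {
  cat > "$1" <<'EOF'
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-pkg": {
      "name": "example-pkg",
      "severity": "high",
      "isDirect": false,
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 1,
      "high": 2,
      "critical": 0,
      "total": 4
    }
  }
}
EOF
}

# Stand-alone run against the constructed report. In CI you would call
# build_in_container first and then `gate_on_audit ./audit.json high`.
sample="${TMPDIR:-/tmp}/sample-audit.$$.json"
write_sample_audit "$sample"
echo "high or worse:     $(count_at_or_above "$sample" high)"
echo "moderate or worse: $(count_at_or_above "$sample" moderate)"
gate_on_audit "$sample" high || echo "build would be blocked (exit $?)"
rm -f "$sample"
```

Judging the captured JSON rather than `npm audit`'s exit code lets the same report feed Slack or other homegrown checks, and the threshold can be tightened per branch without changing the container step.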
Sounds good. If I could help you in getting started with Snyk for auditing, monitoring, etc., I'd be more than happy to connect over DM or something.
One point that stands out is that while your pipeline checks for vulnerabilities, if you didn't deploy or run CI for, say, 2 weeks, and during this time a vulnerability was disclosed, then you wouldn't catch it, whereas with Snyk we constantly monitor your package manifest snapshots, alert, and open PRs that automatically fix and relock the relevant lockfile.