Yes, exactly. We build everything inside a docker image (using npm ci) and later on we run a step in our pipeline with npm audit (and other homegrown checks) to ensure that inconsistent state or malicious code never goes to production. There is also some integration with slack to notify everyone that we have to fix it.
If I could help you in getting started with Snyk for auditing, monitoring etc I'd be more than happy to connect over DM or something.
One point that stands out is, while your pipeline checks for vulnerabilities, if you didn't deploy/run CI for say 2 weeks, and during this time a vulnerability was disclosed, then you wouldn't catch it, where-as with Snyk we constantly monitor your package manifest snapshots, alert, and open PRs that automatically fix and relock the relevant lockfile.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Yes, exactly. We build everything inside a docker image (using
npm ci
) and later on we run a step in our pipeline withnpm audit
(and other homegrown checks) to ensure that inconsistent state or malicious code never goes to production. There is also some integration with slack to notify everyone that we have to fix it.Sounds good.
If I could help you in getting started with Snyk for auditing, monitoring etc I'd be more than happy to connect over DM or something.
One point that stands out is, while your pipeline checks for vulnerabilities, if you didn't deploy/run CI for say 2 weeks, and during this time a vulnerability was disclosed, then you wouldn't catch it, where-as with Snyk we constantly monitor your package manifest snapshots, alert, and open PRs that automatically fix and relock the relevant lockfile.