Open source enables so much in today's software, startup, and end consumer world that we honestly owe it a debt of gratitude. With the reach and growth of open source come the challenges of large-scale operations, from health challenges such as maintainer burnout to the challenge of sustaining and securing open source for everyone.
It is this last topic that I want to focus on in this post, and in particular how to make working with dependencies a bit safer within the NPM ecosystem.
Have you thanked a maintainer of an open-source project you use today? If not, go ahead and reach out to them on social media and say thank you. Does that scare you a little bit? That's OK, why not share their project on social media, sponsor them on GitHub or Open Collective, write or film a tutorial, file a great bug report, pick up one of the good-first-bugs, or star their project on GitHub? These are just some of the many ways we can all support and give back to the open-source ecosystem.
The Big Picture
As Matteo Collina said in a recent conversation, start by using NPM modules from authors you know and trust. This is not always possible, so the next item to keep in mind is to ensure that the project we are depending on is being maintained. Look at when the last commit was made and when the last release was.
You can use a tool such as Analyze My Repo to get some valuable insights about the health of an open-source project. You can also head over to the Insights tab on the relevant GitHub repository to gain further insights into their community and project health. Another great tool for this, and so much more, is Open Sauced.
Next, let us look at some tools that can help us during our development workflow and as part of our continuous integration and continuous deployment (CI/CD) pipelines. These tools are in no particular order and can be used alone or, in many cases, together.
Snyk
Snyk is a powerful and user-friendly tool designed to help developers proactively find and fix vulnerabilities in their dependencies, particularly within the NPM ecosystem. As the open-source landscape continues to grow, the task of managing and securing dependencies becomes increasingly challenging.
Snyk addresses this challenge head-on by offering integrated vulnerability scanning and remediation solutions. It not only scans your projects to identify security issues in dependencies but also provides actionable insights and automated fixes.
By prioritizing developer-friendly security practices, Snyk plays a crucial role in ensuring that security is a mainstay throughout the software development lifecycle.
Using Snyk
You can make Snyk a part of your development workflow in the following ways:
- Directly inside your code editor.
- Using the Snyk command line interface (CLI).
- Snyk on GitHub.
- Snyk on GitLab.
When installing the CLI (and others) you will most likely need to install them as a global module. Please ensure that you have installed Node.js securely before doing so, and never use sudo.
Socket.dev
Socket.dev is a cutting-edge tool tailored for developers seeking to fortify the security of their dependencies within the NPM ecosystem. Dependency management can often feel like navigating through a minefield of potential vulnerabilities, but Socket.dev offers a comprehensive and efficient solution.
It specializes in real-time monitoring and analysis of package dependencies, ensuring that any security risks are promptly identified and addressed. What sets Socket.dev apart is its emphasis on simplicity and automation, allowing developers to integrate security checks seamlessly into their existing development workflows. By providing detailed insights and recommendations for vulnerability mitigation, Socket.dev empowers developers to proactively safeguard their projects against potential threats.
Over and above the automation and integrations offered, you can also quickly get an overview of a specific project and its health, much like some of the other tools mentioned before. Socket.dev also helps you:
- Detect and block software supply chain attacks.
- Detect suspicious package updates in real time.
- Find and compare millions of open-source packages.
Using Socket.dev
You can make Socket.dev a part of your development workflow in the following ways:
- On GitHub as part of your CI/CD pipeline.
- In your terminal via the Socket.dev CLI.
- Search dependencies across your repositories.
Dependabot
Dependabot, a GitHub-native tool, enhances the security and integrity of your project dependencies, especially within the NPM ecosystem. Integrated directly into the GitHub platform, Dependabot takes a proactive stance in dependency management by automatically scanning a project's dependencies for known vulnerabilities and outdated packages. It not only alerts developers to security issues but also submits pull requests to update them to more secure and up-to-date versions, streamlining the remediation process.
What makes Dependabot complementary to Snyk and Socket.dev is its seamless integration within GitHub's ecosystem, offering a frictionless experience for developers who manage their projects on GitHub.
While Snyk provides a broader security analysis across multiple platforms and Socket.dev focuses on real-time dependency monitoring, Dependabot enriches this toolkit by leveraging GitHub’s vast network and data to offer timely updates and patches directly on GitHub and as part of your pull request flow.
This triad of tools collectively empowers you to maintain high-security standards, automate updates, and ensure that your projects are resilient against the evolving landscape of vulnerabilities.
Using Dependabot
Dependabot is tightly integrated into the GitHub workflow, and that is the main way you will use it. Configure Dependabot for vulnerable dependency alerts, security updates, and version updates, and then sit back and wait for the pull requests to roll in (hopefully not too many 😉).
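As an added example (not from the original post), here is a dependabot.yml for an NPM project that enables weekly version updates, groups routine minor and patch bumps into a single pull request, and keeps the GitHub Actions used by your workflows current as well. The branch layout, the "dependencies" label and the "express" ignore entry are placeholders you would adjust for your own repository.

```yaml
# .github/dependabot.yml (added example, not from the post)
version: 2
updates:
  # Keep the npm dependencies declared in package.json / package-lock.json up to date.
  - package-ecosystem: "npm"
    directory: "/"              # location of package.json (placeholder: repo root)
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"          # placeholder label, create it in the repo first
    # Group routine minor/patch version bumps into one PR so they are easier to review.
    # Security updates are raised separately and are not affected by this grouping.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Placeholder: hold a framework on its current major until a planned upgrade.
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]

  # Keep the GitHub Actions referenced by your workflows (e.g. CodeQL) current too.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot alerts and security updates are switched on separately under the repository's Security settings; this file only controls version updates.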
ESLint
ESLint is an indispensable tool in the modern JavaScript and TypeScript developer's arsenal. It is a static code analysis tool designed to identify problematic patterns or code that don't adhere to certain style guidelines and best practices.
Beyond its capacity to enforce coding standards and improve code quality, ESLint is highly extensible, allowing developers to configure rules according to their project's specific needs or adhere to community best practices. Its real power lies in its ability to not only flag errors or potential bugs but also to automatically fix many of these issues, thereby streamlining the development process and enhancing code consistency across large teams.
Using ESLint
ESLint has been around for a long, long time and as such, can be integrated almost everywhere you write code.
- In your code editor.
- Using a build tool.
- On the command line.
- Or take a look at the awesome-eslint repository.
CodeQL
How do we ensure that the code we write and put out into the world is well-written and secure? The first part of this is being a lifelong learner, being curious, and constantly elevating the quality of our code. Contributing to open-source is another great way to improve the quality and security of the code we write.
We can get some additional help by enabling CodeQL code scanning for our public repositories.
NOTE: This is only available for public repositories and those that have an enterprise license for GitHub Advanced Security.
Once you have successfully set up CodeQL and it has done its first run, you can see the results of the scan under the Security > Code scanning tab. Here is an example for the SAML Jackson repository.
Secrets Scanning And Push Protection on GitHub
While not strictly code, the last thing you want to discover is that you or someone on the team has accidentally leaked a secret to a public repository. When this happens, you can lose hours of productivity because you will have to revoke the leaked secrets, rotate your keys, and especially in enterprise environments, do a post-mortem to understand how this happened and how to ensure it does not happen again.
Avoid all of this by enabling push protection and get alerted to a potential leak before anything leaves your local machine. First available only to those with a GitHub Advanced Security license, this feature has been available for all public repositories since May 2023. Do your future self a favor and turn it on today.
Awesome OSS DevSec
Looking for even more tools, or know of some tools and want to share them? The folks at BoxyHQ maintain a repository of awesome developer-first security tools. Head over and take a look, and contribute if you see something missing.
In Conclusion
In the open-source community, keeping our code secure and well-maintained is key. Tools like Snyk, Socket.dev, Dependabot, and ESLint help us do just that, each offering something valuable for developers, maintainers, and contributors alike. Snyk and Socket.dev help us keep an eye on security by spotting vulnerabilities in dependencies. Dependabot makes life easier by updating those dependencies directly in GitHub projects. And ESLint helps ensure our code is clean and follows consistent standards.
For those of us working on open-source projects, using these tools means we’re not just writing code. We’re also taking steps to make our projects more secure and easier for others to use and contribute to. They help us catch problems early, making our software more reliable for everyone who uses it.
Incorporating these tools into our development process is really about looking out for each other and the broader open-source ecosystem. It's about building software that’s not just good, but also safe and sustainable. As we continue to develop and contribute to open-source projects, these tools are essential companions that help us maintain the quality and security of our work. Let’s keep leveraging them to make our contributions to the open-source world even stronger.
Which of these tools have you integrated into your workflow? Are there any other tools or practices you recommend for enhancing code security and quality in open-source projects? Let me know! I look forward to hearing from you.
Top comments (4)
I'd definitely also recommend Renovate - there's some incredible customisability, can be run self-hosted or with a free, hosted app and it's growing its supported package managers, ecosystems and datasources at an incredible rate compared to other tools!
Thanks for adding this one, Jamie! When you mentioned it I had a real face-palm moment 😃 I used to use Renovate a lot before Dependabot came along, but it sounds like I should give it another look.
An open source alternative to what you mention Snyk does, with vulnerability management and prioritization tips, to increase the efficiency of security work is Kubescape.
Nice! Thank you for adding it here, @oshratn 🙏