Integrate NPM Audit into CI/CD

What is NPM Audit?

The 'audit' command of the 'npm' tool is a security feature built into the Node Package Manager. It checks the installed versions of the packages in your project against the known vulnerabilities reported to the public npm registry and reports any security issues it finds.

Security Stage: SCA (Software Composition Analysis)
Type: Open Source
Languages: Node Package Manager
Site: https://docs.npmjs.com/cli/v7/commands/npm-audit


Pre-requisite

1. You'll need the Git address (URL) of the repository to scan.

How do I set it up?

Adding npm audit to your set of security tests is simple: you add the tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.

[Screenshot: VeracodeEditStage]

  • Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This URL includes the branch and authentication details needed.

[Screenshot: SAST Setup]

  • Click 'Save'
  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'NPM Audit' as a tool.

[Screenshot: npmaudit]

  • Click Save.

Now, whenever you click 'Test Now' with that Toolkit, or trigger a test with it over the Uleska API or CLI, the 'npm audit' tool is included in the test run and any results are added to your vulnerabilities list.

Notes

Currently, the 'npm audit' adaptor runs the default set of tests, recursively going through the files in the codeline. Configuration of audit levels is not currently supported but will be included in a future release.
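Because the adaptor does not yet expose an audit-level setting, a team that wants its own severity threshold can apply one to the JSON report that 'npm audit --json' writes. The script below is an added example, not part of the Uleska product or of npm: it reads the severity totals from the report's 'metadata.vulnerabilities' block (present in both the npm 6 and npm 7+ report formats), fails the job when anything at or above a chosen severity is found, and lists the affected packages that npm marks as fixable. The file name 'audit_gate.py', the 'example-pkg' entry and the counts in SAMPLE_REPORT are constructed for illustration; the pipeline step in the docstring is a hypothetical one.

```python
"""Gate a CI job on the JSON output of `npm audit`.

Hypothetical pipeline step (npm audit exits non-zero when it finds issues,
so the report is captured first and the verdict is made here):

    npm audit --json > audit.json || true
    python audit_gate.py audit.json high
"""
import json
import sys

# npm's severity names, lowest to highest, as they appear in the report.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def count_by_severity(report):
    """Return {severity: count} taken from report['metadata']['vulnerabilities']."""
    meta = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(meta.get(sev, 0)) for sev in SEVERITY_ORDER}


def should_fail(report, threshold="high"):
    """True when any finding at or above `threshold` severity is present."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    counts = count_by_severity(report)
    floor = SEVERITY_ORDER.index(threshold)
    return any(counts[sev] > 0 for sev in SEVERITY_ORDER[floor:])


def fixable_packages(report):
    """Names of vulnerable packages for which npm reports a fix is available.

    Uses the top-level 'vulnerabilities' map of the npm 7+ report; an npm 6
    report has no such map, so an empty list is returned for it.
    """
    vulns = report.get("vulnerabilities", {})
    return sorted(name for name, v in vulns.items() if v.get("fixAvailable"))


def summarize(report, threshold="high"):
    """One-line summary suitable for a CI log, ending in PASS or FAIL."""
    counts = count_by_severity(report)
    totals = ", ".join(f"{sev}={counts[sev]}" for sev in SEVERITY_ORDER)
    verdict = "FAIL" if should_fail(report, threshold) else "PASS"
    return f"npm audit: {totals} -> {verdict} (threshold: {threshold})"


# Constructed sample in the shape of an npm 7+ report; not real findings.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pkg": {
            "name": "example-pkg",
            "severity": "high",
            "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "high",
                     "url": "https://example.invalid/advisory"}],
            "range": "<1.2.3",
            "fixAvailable": True,
        },
        "other-pkg": {
            "name": "other-pkg",
            "severity": "low",
            "isDirect": True,
            "via": [{"title": "placeholder advisory", "severity": "low",
                     "url": "https://example.invalid/advisory-2"}],
            "range": "*",
            "fixAvailable": False,
        },
    },
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                            "high": 1, "critical": 0, "total": 4},
    },
}


def main(argv):
    """Read a report file if given, otherwise use the constructed sample."""
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "high"
    if path:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print(summarize(report, threshold))
    fixable = fixable_packages(report)
    if fixable:
        print("fix available for: " + ", ".join(fixable))
    return 1 if should_fail(report, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is the only thing a pipeline needs: a non-zero return from the gate fails the stage, while the printed summary leaves a record of the counts behind the decision. Note that npm itself also accepts '--audit-level' to control its own exit code; the script is useful where, as with the adaptor described above, that option cannot be passed through.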