NPM Audit
Github NPM Audit API Integration
This API integration automates the NPM Audit vulnerability scan, creates assessments based on the vulnerabilities found, and creates child issues linked to the assessment, with severities based on:
- The vulnerability severity level
- The number of days elapsed since the vulnerability was published
(NOTE: Requires release 4.13.0 or greater.)
This tool is meant to be run as part of automated code checks when the pipeline is run and is not meant to be run separately as a regscale-cli command.
Init.yaml Configuration
There are five pieces of information required to use the dependabot API integration:
- dependabotId - The GitHub user id
- dependabotOwner - The owner of the repository
- dependabotRepo - The repository name
- dependabotToken - The personal access token created with the following scopes:
- githubDomain - The domain for your organization. This will change for enterprise users. The default value in the init.yaml file is: api.github.com
The first step is to set the values for these five variables in the init.yaml file.
Init.yaml Example
The following init.yaml structure is necessary (an example key structure is shown below; replace the values with the actual user/organization/repository keys):
githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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
Running the Github NPM Audit API Integration
You can execute Python files using scripts written in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Githubnpmaudit.sh") for Ubuntu that executes the Github NPM Audit API integration, which runs the automated NPM Audit vulnerability scan.
#!/bin/sh
# Run the automated GitHub NPM Audit vulnerability scan
python3 npmaudit.py
To execute the Bash file, run this command: /path/to/folder/Githubnpmaudit.sh
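Because init.yaml carries a GitHub personal access token, a pipeline step can verify the file before npmaudit.py runs. The following POSIX shell pre-flight check is an added example for this page and is not part of the RegScale CLI; it assumes the five keys documented above, that the token is a GitHub PAT (ghp_ or github_pat_ prefix), and uses a constructed sample init.yaml with placeholder values.

```shell
#!/bin/sh
# Pre-flight check for init.yaml before running npmaudit.py in the pipeline.
# Added example, not part of the RegScale CLI. Assumes the five documented keys
# and a GitHub PAT in dependabotToken (classic "ghp_" or fine-grained "github_pat_").

REQUIRED_KEYS="githubDomain dependabotId dependabotOwner dependabotRepo dependabotToken"

# yaml_value FILE KEY: print the value of a top-level "KEY: value" line (empty if absent)
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_init_yaml FILE: returns 0 when usable, 1 when a key is missing or empty,
# 2 when the token does not look like a GitHub PAT, 3 when others can read the file
check_init_yaml() {
  file="$1"
  missing=""
  for key in $REQUIRED_KEYS; do
    [ -n "$(yaml_value "$file" "$key")" ] || missing="$missing $key"
  done
  if [ -n "$missing" ]; then
    echo "init.yaml is missing values for:$missing" >&2
    return 1
  fi
  token="$(yaml_value "$file" dependabotToken)"
  case "$token" in
    ghp_*|github_pat_*) ;;
    *) echo "dependabotToken does not look like a GitHub personal access token" >&2; return 2 ;;
  esac
  # The file holds a secret: refuse to proceed if it is readable by other users.
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "init.yaml is world-readable; restrict it with chmod 600" >&2
    return 3
  fi
  return 0
}

# write_sample FILE: constructed sample matching the documented structure (placeholder values)
write_sample() {
  cat > "$1" <<'EOF'
githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: ghp_EXAMPLEPLACEHOLDERTOKEN00000000000
EOF
  chmod 600 "$1"
}

# In the pipeline script, gate the scan on the check:
# check_init_yaml init.yaml && python3 npmaudit.py
```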