This API integration automates the NPM Audit vulnerability scan, creates assessments based on the vulnerabilities found, and creates child issues linked to the assessment, with severities based on:
- The vulnerability severity level
- The number of days elapsed since the vulnerability was published
(NOTE: Requires release 4.13.0 or greater.)
This tool is meant to be run as part of the automated code checks when the pipeline runs; it is not meant to be run separately as a regscale-cli command.
There are five pieces of information required to use the Dependabot API integration:
- dependabotId - The GitHub user ID
- dependabotOwner - The owner of the repository
- dependabotRepo - The repository name
- dependabotToken - The personal access token created with the following scopes:
- githubDomain - The domain for your organization. This will differ for enterprise users.
  - The default value in the init.yaml file is: api.github.com
The first step is to set the values for these five variables in the init.yaml file. The following init.yaml structure is required (example keys are shown below; replace them with the actual user/organization/repository values):
githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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
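Before the wrapper script hands off to the scan, a pre-flight check like the following (an added example, not code from the RegScale CLI or from this page) confirms that all five keys have values and that the token never reaches pipeline logs in the clear. It assumes the flat key: value layout shown above and reads it with a minimal parser so no extra package is needed; the environment variable name REGSCALE_DEPENDABOT_TOKEN is a hypothetical choice for a CI secret that overrides a token stored in the file.

```python
import os
from typing import Dict

# The five keys the Dependabot / NPM Audit integration reads from init.yaml.
REQUIRED_KEYS = ("githubDomain", "dependabotId", "dependabotOwner",
                 "dependabotRepo", "dependabotToken")
TOKEN_ENV = "REGSCALE_DEPENDABOT_TOKEN"  # hypothetical CI secret name

# Constructed sample of the flat init.yaml layout; the token is left blank
# on purpose so it must come from the CI secret instead of the repository.
SAMPLE_INIT_YAML = """\
githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken:
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; enough for the flat init.yaml structure."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            config[key.strip()] = value.strip().strip("'\"")
    return config


def mask_token(token: str) -> str:
    """Keep only the 4-character prefix so the value is safe to log."""
    if not token:
        return "<unset>"
    return token[:4] + "*" * (len(token) - 4)


def check_config(text: str, env: Dict[str, str]) -> Dict[str, str]:
    """Return the validated config; a CI secret overrides the file's token."""
    config = parse_flat_yaml(text)
    if env.get(TOKEN_ENV):
        config["dependabotToken"] = env[TOKEN_ENV]
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if missing:
        raise ValueError("init.yaml is missing values for: " + ", ".join(missing))
    return config


if __name__ == "__main__":
    cfg = check_config(SAMPLE_INIT_YAML, dict(os.environ))
    print("token:", mask_token(cfg["dependabotToken"]))
```

Run it with the secret exported (or let it fail when the secret is absent) as the first step of the wrapper script so a misconfigured pipeline stops before the scan starts.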
You can run the integration from a wrapper script written in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Githubnpmaudit.sh") for Ubuntu that executes the GitHub NPM Audit API integration, which runs the automated NPM Audit vulnerability scan.
#!/bin/sh
# Run the automated GitHub NPM Audit vulnerability scan
python3 npmaudit.py
To execute the Bash file, run this command: