NPM Audit

Github NPM Audit API Integration

This API integration is able to automate the NPM Audit vulnerability scan, create assessments based off the vulnerabilties found and create child issues linked to the assessment with severities based on the:

• The vulnerability severity level
• Number of days elapsed since the vulnerability was published

(NOTE: Requires release 4.13.0 or greater.)

This tool is meant to be run as part of automated code checks when the pipeline is run and is not meant to be run separately as a regscale-cli command.

Init.yaml Configuration

There are five pieces of information required to use the dependabot API integration:

• dependabotId - The github user id
• dependabotOwner - The owner of the repository
• dependabotRepo - The repository name
• dependabotToken - The personal access token created with the following scopes:
  • repo
  • https://github.com/settings/tokens/
• githubDomain - The domain for your organization. This will change for enterprise users
  • The default value in the init.yaml file is: api.github.com

The first step is to set the values for these five variables in the init.yaml file.

Init.yaml Example

The following init.yaml structure is necessary:
(example key structure is shown below, replace with the actual user/organization/repository keys):

githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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

Running the Github NPM Audit API Integration

You can execute python files using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Githubnpmaudit.sh") in Ubuntu for executing the Github NPM Audit API integration that runs the automated NPM Audit vulnerability scan.

#!/bin/sh

# Run the automated github NPM Audit vulnerabilty scan
python3 npmaudit.py

To execute the Bash file, run this command: /path/to/folder/Githubnpmaudit.sh.