awslabs · scrthq · Apr 19, 2024 · Apr 12, 2024 · Apr 15, 2024 · Apr 15, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -123,7 +123,7 @@ RUN mkdir -p /src && \
 # Update NPM to latest
 RUN mkdir -p /ash/utils
 COPY ./utils/cdk-nag-scan /ash/utils/cdk-nag-scan/
-RUN npm install -g npm && \
+RUN npm install -g npm pnpm yarn && \
     cd /ash/utils/cdk-nag-scan && \
     npm install --quiet
 

diff --git a/utils/js-docker-execute.sh b/utils/js-docker-execute.sh
@@ -52,25 +52,45 @@ REPORT_PATH="${_ASH_OUTPUT_DIR}/work/js_report_result.txt"
 rm ${REPORT_PATH} 2> /dev/null
 touch ${REPORT_PATH}
 
-# Run NPM audit
+# Run NPM, PNPM, or Yarn audit
 scan_paths=("${_ASH_SOURCE_DIR}" "${_ASH_OUTPUT_DIR}/work")
 for i in "${!scan_paths[@]}";
 do
   scan_path=${scan_paths[$i]}
-  echo -e "\n>>>>>> Begin npm audit output for ${scan_path} >>>>>>\n" >> ${REPORT_PATH}
   cd ${scan_path}
-  for file in $(find . -iname "package-lock.json");
+  for file in $(find . \
+    -iname "package-lock.json" -o \
+    -iname "pnpm-lock.yaml" -o \
+    -iname "yarn.lock");
   do
       path="$(dirname -- $file)"
       cd $path
 
-      npm audit >> ${REPORT_PATH} 2>&1
+      audit_command="npm"
+
+      case $file in
+        "./package-lock.json")
+          audit_command="npm"
+          ;;
+        "./pnpm-lock.yaml")
+          audit_command="pnpm"
+          ;;
+        "./yarn.lock")
+          audit_command="yarn"
+          ;;
+      esac
+
+      echo -e "\n>>>>>> Begin ${audit_command} audit output for ${scan_path} >>>>>>\n" >> ${REPORT_PATH}
+
+      eval "${audit_command} audit >> ${REPORT_PATH} 2>&1"
+
       NRC=$?
       RC=$(bumprc $RC $NRC)
 
       cd ${scan_path}
+
+      echo -e "\n<<<<<< End ${audit_command} audit output for ${scan_path} <<<<<<\n" >> ${REPORT_PATH}
   done
-  echo -e "\n<<<<<< End npm audit output for ${scan_path} <<<<<<\n" >> ${REPORT_PATH}
 done
 
 # cd back to the original SOURCE_DIR in case path changed during scan