
[Feature] Security Pipeline #1586

Closed
wants to merge 7 commits into from


@jskoll jskoll commented Jul 30, 2020

This PR is being created as part of a class (SENG 540) at WVU (West Virginia University). The class was about software evolution. The group I was in decided to look at the evolution of DevOps into DevSecOps. This PR adds some security related steps into the pipeline.

The PR adds a new GitHub action called Security Checks that:

  1. Runs on ubuntu-latest
  2. Runs against Node 10, 12, and 14
  3. Runs an npm install
  4. Runs npm audit against production packages with the audit level set at moderate
  5. Runs another npm audit against the entire package with the audit level set at critical
  6. Runs a static analysis tool twly to look for duplicated code.

This pipeline is set up this way to keep any known security issue above moderate from being used within the production builds of npm and to give more visibility into security issues within dev-dependencies.

twly itself is not necessarily a security tool, but the idea of having it included is to help keep the npm code DRY (Don't Repeat Yourself). This will help security overall by ensuring that any bug/security issue found in the code will only need to be fixed in fewer spots (hopefully just one). This tool is configurable through the .trc file and is currently set up to fail at anything below a threshold of 95. As configured, it will only look at the src folder and report duplicates if a minimum of 5 lines and 50 characters are found duplicated.

Also in this PR is a dependabot config file. This is in here to help maintain up-to-date dependencies; it is configured to run once a week.

This PR was the work of:
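
The pipeline the description above lays out, written out as an added example rather than the PR's own files (the actual workflow, .trc and dependabot config from the PR are not reproduced on this page). The file names, the `on:` triggers, the action versions, the `npx twly` invocation and the assumption that a `.trc` file with the thresholds described sits in the repository root are all assumptions of this example, not facts from the PR.

```yaml
# .github/workflows/security-checks.yml  (file name assumed)
name: Security Checks

on: [push, pull_request]   # triggers assumed; the PR text does not say

jobs:
  security-checks:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [10.x, 12.x, 14.x]
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}

      - name: Install dependencies
        run: npm install

      # Gate 1: production dependency tree only; any advisory rated
      # moderate, high or critical makes npm audit exit non-zero.
      - name: Audit production dependencies (moderate)
        run: npm audit --production --audit-level=moderate

      # Gate 2: full tree including devDependencies; only critical
      # advisories fail the job, the rest stay visible in the log.
      - name: Audit all dependencies (critical)
        run: npm audit --audit-level=critical

      # Duplicate-code check. twly reads its threshold (95), the src
      # folder scope and the 5-line / 50-character minimums from .trc
      # in the repository root (assumed to be present and so configured).
      - name: Check for duplicated code (twly)
        run: npx twly
---
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"   # once a week, as the PR description states
```

Two caveats worth knowing before copying this: `--audit-level=moderate` fails the step on moderate, high and critical advisories, so the first gate is stricter than the second even though it scans a smaller tree; and `npm audit` needs registry access, so a runner without network fails the step rather than silently passing it. `--production` is the npm 6 spelling; newer npm accepts `--omit=dev` for the same thing.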

@jskoll jskoll requested a review from a team as a code owner July 30, 2020 21:57
@ruyadorno ruyadorno added Agenda will be discussed at the Open RFC call Needs Discussion is pending a discussion labels Aug 17, 2020
@jpschafer

Thank you, npm CLI team, for giving us the opportunity to speak today; this was an eye-opening experience of how contributing to FOSS works, and it helped break the ice for us moving forward if we decide to contribute more in the future.

@ruyadorno ruyadorno added Release 7.x work is associated with a specific npm 7 release semver:patch semver patch level for changes and removed Agenda will be discussed at the Open RFC call Needs Discussion is pending a discussion labels Aug 19, 2020
@jskoll jskoll changed the base branch from latest to release/v7.0.0-beta.5 August 19, 2020 23:10
@darcyclarke darcyclarke changed the base branch from release/v7.0.0-beta.5 to release/v7.0.0-beta September 18, 2020 18:27
@jskoll jskoll force-pushed the security-pipeine branch 2 times, most recently from 62bbfb9 to f4e7a07 on September 20, 2020 23:54
@darcyclarke darcyclarke added Priority Backlog a "backlogged" item that will be tracked in a Project Board and removed Priority Backlog a "backlogged" item that will be tracked in a Project Board labels Sep 25, 2020
@darcyclarke darcyclarke changed the base branch from release/v7.0.0-beta to release/v7.0.0-rc.0 October 1, 2020 20:32
@michaelhm michaelhm commented Nov 19, 2020

Hey npm team, just wondering if there's any status updates regarding this PR?

@darcyclarke darcyclarke added Needs Review release: next These items should be addressed in the next release and removed release: next These items should be addressed in the next release labels Jan 22, 2021
jskoll and others added 3 commits February 6, 2021 14:06
Re-added Comments & Step Names
Add comments and correct npm step names
@jskoll jskoll changed the base branch from release/v7.0.0-rc.0 to latest February 6, 2021 19:39
@darcyclarke darcyclarke (Contributor)

@jskoll appreciate the work you & your team did. We're going to go through our own automation overhaul in the near future which will include Actions dedicated to security/vulnerability gates that are different from the tooling you've presented here. Again, want to thank you very much for considering how we can improve the safety/security of npm & we'll definitely use this as the standard as we implement our own checks moving forward.
