Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
Seamless Sec-Ops for Node.js
Featuring Snyk
by Liran Tal
Text
Liran Tal
@liran_tal
leanpub.com/nodejssecurity/c/MEETUP
Node.js is all about npm libraries
Tracking Your Node.js Dependencies
https://david-dm.org
http://bithound.io
npm??
npm outdated --long
hold your horses,
has it too pal
yarn's semi-security built-in
Standardize
Static Code Analysis
We're just warming up...
Snyk
Bridging Security with on CI
Snyk CLI
$ npm install -g snyk
$ snyk test
Sign-up for Token
https://snyk.io
and other goodies:
dashboard | github integration | more
$ snyk auth bfd71-fdabc8123-4981-bd8f7cConnect to Travis CI
Travis Flow
understanding the lifecycle of Travis CI build
before_install
install
before_script
script
after_success
after_failure
after_script
before_install:
- npm install -g snyk.travis.yml
# fail the build
before_script:
- snyk test
# do not fail the build
# you should have a good reason to do this
after_script:
- snyk test
.travis.yml
you need a token
for CI jobs
Keeping pace with
vulnerabilities
$ snyk monitorafter_success:
- snyk monitor.travis.yml
Discover the Wizard
$ snyk wizard
Create a Security Policy
- Upgrade
- Patch
- Ignore
Apply Policy on CI
# on CI - we protect before we
# test to apply the policies
before_script:
- npm install -g snyk
- snyk protect
- snyk test.travis.yml
or automate it with snyk protect
"scripts": {
"test": "snyk test && npm test",
"snyk-protect": "snyk protect",
"prepublish": "npm run snyk-protect"
}package.json
Thank you!
Seamless Sec-Ops for Node.js
By Liran Tal
Seamless Sec-Ops for Node.js
DevSecOps Meetup #1
