Seamless Sec-Ops for Node.js

Featuring Snyk 

by Liran Tal

Liran Tal

@liran_tal

leanpub.com/nodejssecurity/c/MEETUP

Node.js is all about npm libraries

Tracking Your Node.js Dependencies

https://david-dm.org

http://bithound.io

npm??

npm outdated --long

hold your horses, yarn has it too pal

yarn's semi-security built-in

Standardize

Static Code Analysis

We're just warming up...

Snyk

Bridging Security with Snyk on CI

Snyk CLI

$ npm install -g snyk
$ snyk test

Sign-up for Token

https://snyk.io

and other goodies:
dashboard | github integration | more

$ snyk auth bfd71-fdabc8123-4981-bd8f7c

Connect to Travis CI

Travis Flow

understanding the lifecycle of a Travis CI build

before_install

install

before_script

script

after_success

after_failure

after_script

before_install:
  - npm install -g snyk

.travis.yml

# fail the build

before_script:
  - snyk test

# do not fail the build
# you should have a good reason to do this

after_script:
  - snyk test

.travis.yml

you need a token
for CI jobs

Keeping pace with
vulnerabilities

$ snyk monitor
after_success:
  - snyk monitor

.travis.yml

Discover the Wizard

$ snyk wizard

Create a Security Policy

  • Upgrade
  • Patch
  • Ignore

Apply Policy on CI

# on CI - we protect before we
# test to apply the policies

before_script:
  - npm install -g snyk
  - snyk protect
  - snyk test

.travis.yml
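Putting the fragments above together, as an added example and not a slide from the talk: one .travis.yml that installs the CLI, applies the .snyk policy, fails the build on known vulnerabilities, and snapshots the dependency tree for ongoing monitoring. Reading the token from the SNYK_TOKEN environment variable and storing it as a Travis encrypted `secure:` entry are assumptions about how the token reaches the CI job; the placeholder must be replaced with real `travis encrypt` output.

```yaml
# Added example, not from the slides: a complete Travis pipeline built from the
# snippets in this talk. Assumptions: the Snyk CLI picks up its token from the
# SNYK_TOKEN environment variable, and that value is supplied as a Travis
# encrypted variable (placeholder below) so it never appears in build logs.
language: node_js
node_js:
  - "8"

env:
  global:
    # generated with: travis encrypt SNYK_TOKEN=<your token>
    - secure: "<PLACEHOLDER: output of travis encrypt>"

before_install:
  - npm install -g snyk

before_script:
  # apply the upgrade / patch / ignore decisions recorded in .snyk by `snyk wizard`
  - snyk protect
  # non-zero exit on any unresolved known vulnerability fails the build here
  - snyk test

script:
  - npm test

after_success:
  # record the dependency tree that passed, so newly disclosed advisories
  # against these versions raise alerts without waiting for the next build
  - snyk monitor
```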

or automate it with snyk protect

"scripts": {
   "test": "snyk test && npm test",
   "snyk-protect": "snyk protect",
   "prepublish": "npm run snyk-protect"
}

package.json

Thank you!

DevSecOps Meetup #1