Scan for NPM Vulnerabilities using Github Actions
NPM notifies you of vulnerable dependencies by printing a message during installation. At times this isn't enough: the messages are easy to ignore, and security commonly becomes a low priority. In this tutorial, I will show you how to set up a script that checks for vulnerabilities and an automatic way of running it using GitHub Actions. GitHub Actions is one way to set up continuous delivery; the same approach works with other methods (e.g. Jenkins pipelines).
To start off, you will need an NPM project. I will use react-gh-pages as my starting code base. I will put this into a new repository and clone it locally.
Scan for Vulnerabilities
Next, we will set up the script that scans for vulnerabilities. When you run an npm install, the final stdout line is something like this:
We can capture the npm install stdout and check if there are any issues. Create a new file with this path and name:
Inside this file, put the following code.
In the script, we remove the previous stdout capture and create an empty one. It then searches the captured output for a message containing high vulnerabilities. If the search term is found, it exits with a code higher than 0, which causes the pipeline to fail.
You can test this out by running
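The scan script described above, written here as an added example rather than the tutorial's own file: it captures the npm install output, greps it for a non-zero high or critical count, and exits non-zero so the pipeline fails. The function names, the log file name and the "run" argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the tutorial's own script): capture `npm install`
# output to a log file and fail the pipeline when npm reports high or
# critical vulnerabilities. Function names, the log file name and the
# "run" argument are assumptions of this example.
set -u

# Return 0 when the captured output reports no high/critical
# vulnerabilities, 1 otherwise. npm prints summaries such as
# "found 3 vulnerabilities (1 low, 2 high)" or
# "found 1 high severity vulnerability", so we match a non-zero count
# followed by the severity word rather than the bare word "high".
scan_npm_output() {
  local log="$1"
  if grep -Eiq '[1-9][0-9]* (high|critical)' "$log"; then
    echo "FAIL: high or critical vulnerabilities reported in $log" >&2
    grep -Ei 'vulnerabilit' "$log" >&2
    return 1
  fi
  echo "OK: no high or critical vulnerabilities reported in $log"
  return 0
}

# Remove any previous capture, create an empty log, then run npm install
# into it. The install output is echoed afterwards so it still shows up
# in the CI log, and npm's own exit status is preserved.
capture_npm_install() {
  local log="$1"
  rm -f "$log"
  : > "$log"
  npm install > "$log" 2>&1
  status=$?
  cat "$log"
  return "$status"
}

# Pipeline entry point. It only runs when invoked as "./check-npm.sh run",
# so sourcing the file for its functions does not start an install.
if [ "${1:-}" = "run" ]; then
  log="${NPM_LOG:-npm-install.log}"
  capture_npm_install "$log" || exit 1
  scan_npm_output "$log" || exit 1
fi
```

npm's built-in `npm audit --audit-level=high` exits non-zero under the same condition without parsing stdout, which is less brittle if npm changes its summary wording.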
Setting Up Github Actions
You will need to set up a workflow in your GitHub Actions folder. The file path will look something like
And in this file, you will have
This workflow has a few parts. The trigger is the on-push event for master; this is in the first few lines of the workflow.
Next, we select an Ubuntu environment to run in and choose our Node version. In the steps, we check out the code, set up Node, and execute our script.
You can push this to your repository and watch GitHub Actions run.
To demo a fixed solution, run
Push those changes and the critical failures will be resolved. (This is only to demo the happy path.)
Thanks for reading!