Comments (3)
Hi @joebowbeer, thanks for the issue report!
Could you expand on what value you'd like to gain with a GitHub Action over the existing bash approach? The workflow to run audit-ci is one line of bash: npx audit-ci@{version} --config ./audit-ci.jsonc.
I could also use some clarification on how you'd like to update the documentation. Notably, in the docs, I do recommend using npx audit-ci@^6 --config ./audit-ci.jsonc instead of npx [email protected] --config ./audit-ci.jsonc. If that's what you're referring to, I've done that intentionally to try and find a good balance of not breaking pipelines and trying to help bring new updates to consumers conveniently. Yes, if this project went rogue and published malware, non-pinning consumers may be at risk. However, I am comfortable with that trade-off for this project as we have a small and trusted group of developers managing it (a total of two) with MFA on GitHub and NPM.
On the other hand, it makes sense to strictly pin our dependencies. While I've personally vetted every line of code of the distributed JS of our dependencies for the versions that we depend on, they aren't pinned (they use ^), so my vetting may be moot by now since the dependencies may update. I may set our package.json's dependencies to use version pinning on versions that I've personally vetted. This kind of goes along with #124 where I was wondering if I can pin transitive dependencies by publishing the package-lock.json. I don't think that's how it works, but I am open to ideas for pinning transitive dependencies.
I think GitHub Actions provides a better onboarding experience. In the future, GitHub may differentiate code scanning actions from others, providing further benefits, but this may be wishful thinking.
In addition, npx is susceptible to typosquatting.
I do see an instance or two of a tag in the README, now that you mention it, but I didn't see any security-related justification, and there are many instances without, including the one I was interested in:
https://github.com/IBM/audit-ci#github-actions
I used to trust repos, especially ones that were created to tighten security, but now I prefer trusting as little as possible (zero trust).
Pinning all dependencies would be great. This is an advantage of installing audit as a dev dependency, because in that case its deps are locked and it can check its own deps for recently-reported threats. But that has other issues as you point out.
You are absolutely right about missing pinning. I've updated all documented references for npx/{yarn|pnpm} dlx to use audit-ci@^6 here: #273. I still do see the point and appreciate pinning to a specific version. I may follow up with a note about using a pinned version, but at least #273 starts to cover your suggestion.
but I didn't see any security-related justification
Fair! Open to improvements in this area.
npx is susceptible to typosquatting
Yeah, I can appreciate that as well. Typosquatting can only really be prevented with the usage of an SHA, as you mentioned. Reasonable to consider documenting that tbh, have to think about that a bit more and find a convenient way to provide that SHA as documentation. Open to ideas!
I used to trust repos, especially ones that were created to tighten security, but now I prefer trusting as little as possible (zero trust).
Agreed 👍🏻
Pinning all dependencies would be great.
I've already pinned the "less common" dependencies, but definitely am considering pinning all dependencies. I'd also consider finding a way to pin transitive dependencies. They were originally not pinned to support deduplication when performing --save-dev. However, I've since moved off suggesting --save-dev to ensure that we run an audit before the CI/user runs postinstall. Now that we suggest npx, deduplication is not as important.