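# GitLab CI job: run audit-ci against every package.json / package-lock.json
# touched by the commit under test and fail the pipeline when any of them
# resolves to vulnerable dependencies.
#
# Inputs (CI variables provided by the including .gitlab-ci.yml):
#   WM_APPSEC_NPM_IMAGE         - image name under docker-registry.wikimedia.org
#   WM_APPSEC_NPM_AUDIT_OPTIONS - optional override of the default audit-ci options
npm_audit_dependency_check:
    image: docker-registry.wikimedia.org/${WM_APPSEC_NPM_IMAGE}
    stage: test
    allow_failure: false

    variables:
        # default secteam npm audit options
        NPM_AUDIT_OPTIONS: "--moderate=true --skip-dev=true --report=true"

    before_script:
        - apt-get update -yqq && apt-get install -yqq git
        # NOTE(review): audit-ci is installed unpinned from the public registry,
        # so the tool deciding pass/fail is whatever version is current at job
        # time. Pinning it (audit-ci@<PINNED_VERSION>) or baking it into
        # WM_APPSEC_NPM_IMAGE would make the job reproducible.
        - npm install -g audit-ci
        - |
          # check if alternative npm audit options were specified calling gitlab-ci.yml file
          # The override is a space-separated option string, so it must be quoted
          # inside the test: unquoted, `[ ! -z a b ]` fails with "too many
          # arguments" and the default options are silently kept.
          if [ -n "${WM_APPSEC_NPM_AUDIT_OPTIONS}" ]; then
            NPM_AUDIT_OPTIONS="${WM_APPSEC_NPM_AUDIT_OPTIONS}"
          fi

    script:
        - |
          # Abort on any unexpected failure (git, cd, npm install) in every loop
          # iteration, not only from the second pass onwards as before; audit-ci's
          # own non-zero exit is captured explicitly below instead.
          set -e
          root_dir=$(pwd)
          # Manifests changed by the commit under test.
          # NOTE(review): diff-tree on a merge commit prints nothing without
          # -m/-c, so a merge-commit pipeline would audit nothing — confirm
          # whether that is the intended coverage.
          file_list=$(git diff-tree --no-commit-id --name-only -r "$CI_COMMIT_SHA" -- \
          {*package.json,*package-lock.json,*/package.json,*/package-lock.json})

          # Sum of audit-ci exit codes over all audited directories; > 0 means at
          # least one manifest failed the audit.
          TOTAL_EXIT_CODES=0
          for f in $file_list; do
            # diff-tree also lists manifests deleted by the commit; there is
            # nothing to audit for those, and cd-ing into a removed directory
            # would abort the job.
            if [ ! -f "$root_dir/$f" ]; then
              echo "skipping $f (not present in checkout)"
              continue
            fi
            npm_dir="$(dirname "$f")"
            cd "$root_dir/$npm_dir"
            # --package-lock-only resolves the lockfile without installing
            # packages, so no dependency lifecycle scripts run in this job.
            npm install --package-lock-only
            echo -e "\n "
            echo -e "----- $f -----"
            echo "${NPM_AUDIT_OPTIONS}"
            echo -e "\n "
            EXIT_CODE=0
            # NPM_AUDIT_OPTIONS stays unquoted on purpose: it is a list of
            # separate arguments that must be word-split.
            audit-ci ${NPM_AUDIT_OPTIONS} || EXIT_CODE=$?
            TOTAL_EXIT_CODES=$((TOTAL_EXIT_CODES + EXIT_CODE))
          done
          if [ "$TOTAL_EXIT_CODES" -gt 0 ]; then
            echo -e "\n "
            echo -e "At least one package.json file contained vulnerable dependencies, please review."
            echo -e "\n "
            exit 1
          fi

    # only run on changes to package and package.lock .json
    only:
        changes:
            - package.json
            - package-lock.json
            - "**/*package.json"
            - "**/*package-lock.json"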