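auditjs_dependency_check:

    image: docker-registry.wikimedia.org/${WM_APPSEC_NPM_IMAGE}
    stage: test
    allow_failure: false # failed security job fails pipeline by default

    variables:
        # default auditjs sub-command/options; a project may override them by
        # setting WM_APPSEC_AUDITJS_OPTIONS in its own .gitlab-ci.yml (see before_script)
        AUDITJS_OPTIONS: "ossi"
        # optional exact auditjs version to install (e.g. a project-level variable).
        # Empty keeps the original behaviour of installing whatever "latest" is on
        # the registry; pinning is recommended so the scanner itself is not an
        # unpinned supply-chain input to a security gate.
        AUDITJS_VERSION: ""

    before_script:
        - apt-get update -yqq && apt-get install -yqq git
        - npm install -g "auditjs${AUDITJS_VERSION:+@${AUDITJS_VERSION}}"
        - |
          # honour alternative auditjs options from the calling .gitlab-ci.yml file.
          # The test is quoted: an options string containing spaces would otherwise
          # be word-split and break `[ ... ]`.
          if [ -n "${WM_APPSEC_AUDITJS_OPTIONS:-}" ]; then
            AUDITJS_OPTIONS="${WM_APPSEC_AUDITJS_OPTIONS}"
          fi

    # for every directory whose package.json / package-lock.json changed in this
    # commit: npm install (which creates a new package lock file), then run auditjs
    script:
        - |
          # fail closed from the very first command: a failed git/cd/npm step must
          # not let the audit silently run against the wrong or an empty tree
          set -eo pipefail
          root_dir="$(pwd)"

          # Pathspecs are quoted so the shell does not glob-expand them against the
          # checkout: an unquoted '*/package.json' that matched a first-level file
          # would be replaced by that file name, hiding deeper package.json changes
          # from git. -m also lists changes for merge commits, which diff-tree skips
          # by default. NOTE(review): only files changed in $CI_COMMIT_SHA itself are
          # considered, not every commit of a multi-commit push or merge request.
          file_list=$(git diff-tree -m --no-commit-id --name-only -r "$CI_COMMIT_SHA" -- \
            '*package.json' '*package-lock.json' '*/package.json' '*/package-lock.json' | sort -u)

          # audit each directory once, even when both package.json and
          # package-lock.json changed in it; TOTAL_EXIT_CODES > 0 means at least
          # one auditjs run reported a problem
          TOTAL_EXIT_CODES=0
          audited_dirs=""
          for f in $file_list; do
            npm_dir="$(dirname "$f")"
            case " $audited_dirs " in
              *" $npm_dir "*) continue ;;
            esac
            audited_dirs="$audited_dirs $npm_dir"

            cd "$root_dir/$npm_dir"
            # --ignore-scripts: a changed manifest may pull in packages whose
            # pre/post-install hooks run arbitrary code on the runner; the audit
            # only needs the resolved dependency tree in node_modules
            npm install --ignore-scripts
            echo -e "\n "
            echo -e "----- $f -----"
            echo -e "\n "
            EXIT_CODE=0
            auditjs ${AUDITJS_OPTIONS} || EXIT_CODE=$?
            TOTAL_EXIT_CODES=$((TOTAL_EXIT_CODES + EXIT_CODE))
          done

          if [ "$TOTAL_EXIT_CODES" -gt 0 ]; then
            echo -e "\n "
            echo -e "At least one package.json file contained vulnerable dependencies, please review."
            echo -e "\n "
            exit 1
          fi

    # only run on changes to package and package.lock .json
    only:
        changes:
            - package.json
            - package-lock.json
            - "**/*package.json"
            - "**/*package-lock.json"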