Keep your Web-App Secure by running npm-audit daily!
npm audit helps improve the security of your applications by scanning the installed npm packages for potential vulnerabilities.
On an actively developed project with multiple commits per day, running npm audit as part of your build pipeline is not a problem. But once the project is done, how do you keep up this process to catch npm-based security issues?
In this article, we will discuss how to get notified when your packages get stale, using bitbucket-pipelines.
Using scheduled pipelines allows you to run audits daily!
There are other articles (e.g. https://medium.com/@nick.p.doyle/devsecops-applied-setting-up-automated-security-auditing-of-a-node-js-app-with-bitbucket-pipelines-1577b1d4dc7c) that go into detail on how to set up npm audit for bitbucket-pipelines, so today we will discuss how to set up the scheduled build.
Steps involved
- Add a custom build
- Add scheduled pipeline
- Test
Add a custom build
In npm 7 and npm 8 the script changes slightly. Please see below for more information.
The first step is to add a “custom” section as a child of “pipelines” to the bitbucket-pipelines.yml file:
image: node:12.14

pipelines:
  default:
    [default pipeline]
  custom:
    npmaudit:
      - step:
          script:
            - npm install -g npm-audit-helper
            - npm audit --json | npm-audit-helper --prod-only
If you are having trouble getting the bitbucket-pipelines.yml file to work, the validator (https://bitbucket-pipelines.atlassian.io/validator) helps pinpoint errors in your yml file.
The flag --only=prod (here replaced by npm-audit-helper's --prod-only, see below) ensures that only the production packages are audited, since development packages should not be relevant for the production payload.
Make sure to commit the changes before proceeding to the second step.
Update for npm 7:
In npm 7 the script changes slightly, as npm is now able to prune devDependencies on its own:
          script:
            - npm audit --json --only=prod
Update for npm 8:
In npm 8 the script changes slightly again, as npm changed the command line arguments:
          script:
            - npm audit --omit=dev
Add scheduled pipeline
For the second step, head over to bitbucket.com and go to the pipelines section of your project. On the top right-hand corner, there is a “Schedules” button.
Click the “Schedules” button followed by the “new schedule” button.
Choose the “master” (or whatever your production branch is) branch, select the newly created custom pipeline and choose a schedule and time when to run it.
Since npm audit usually runs in well under a minute, I suggest running it daily. At 60 seconds per build this would only eat up 30 minutes per month (A Bitbucket standard-subscription has 500 minutes / month pipelines compute time included).
Click “create” and your schedule is set up.
Test
After setting up the scheduled pipeline, I’m guessing you do not want to wait a night to find out whether the pipeline works or not. To test your new schedule:
- Head over to the branches view
- Click on the three dots “…” and choose “Run pipeline for a branch”
- Select the “npmaudit” pipeline and click on “run”.
Do not audit dev dependencies
There is one step that I think needs special consideration. The current version of npm audit does not ignore devDependencies even with the flag --only=prod (this has been fixed in npm 7, so skip this section when using npm 7 or higher). devDependencies are not part of the production payload, and I have seen more than once that an audit fails because of a security issue in a dev tool. Of course these should also be considered and taken care of, but they often take a bit longer to be addressed by the module maintainers. So you might end up with a false alarm or, even worse, you need to disable npm audit for build commits because of an issue irrelevant to the production payload.
The easiest way is to use a module called npm-audit-helper and run npm audit like this:
npm audit --json | npm-audit-helper --prod-only
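To show what the pipeline step above and the --prod-only filtering actually decide on, here is an added example (not code from the article or from npm-audit-helper) that reduces an npm 6 `npm audit --json` report to the advisories reachable from production dependencies and turns that into the step's exit code. It assumes the npm 6 report shape, in which each advisory's findings carry a dev flag for install paths that exist only through devDependencies; the report data is constructed.

```javascript
// Added example, not code from the article or npm-audit-helper: reduce an
// npm 6 `npm audit --json` report to advisories that reach the production
// payload, so a dev-only advisory does not fail the scheduled pipeline.
// Assumption: npm 6 report shape, where advisories[id].findings[].dev marks
// install paths that exist only through devDependencies.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above minSeverity that have at least one non-dev path.
function productionFindings(report, minSeverity = 'low') {
  const threshold = SEVERITY_RANK[minSeverity];
  return Object.values(report.advisories || {})
    .filter((adv) => SEVERITY_RANK[adv.severity] >= threshold)
    .map((adv) => ({
      module: adv.module_name,
      severity: adv.severity,
      // A finding without a dev flag is treated as production (fail closed).
      paths: (adv.findings || []).filter((f) => !f.dev).flatMap((f) => f.paths),
    }))
    .filter((adv) => adv.paths.length > 0);
}

// Exit status for the pipeline step: 1 (fail) if anything reaches production.
function auditExitCode(report, minSeverity = 'low') {
  return productionFindings(report, minSeverity).length > 0 ? 1 : 0;
}

// Constructed sample report: a high advisory reachable only through a dev
// tool, and a moderate advisory reachable from a production dependency.
const SAMPLE_REPORT = {
  advisories: {
    1: {
      module_name: 'dev-only-lib',
      severity: 'high',
      findings: [{ version: '1.0.0', paths: ['jest>dev-only-lib'], dev: true }],
    },
    2: {
      module_name: 'prod-lib',
      severity: 'moderate',
      findings: [
        { version: '2.1.0', paths: ['express>prod-lib'], dev: false },
        { version: '2.1.0', paths: ['mocha>prod-lib'], dev: true },
      ],
    },
  },
};

// Stand-alone run: report what would fail the build and why.
for (const hit of productionFindings(SAMPLE_REPORT, 'moderate')) {
  console.log(`${hit.severity}: ${hit.module} via ${hit.paths.join(', ')}`);
}
console.log(`exit code: ${auditExitCode(SAMPLE_REPORT, 'moderate')}`);
```

With the sample report, the high advisory in the dev tool is dropped and only the moderate advisory via express remains, so the step would fail for that one alone.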
Conclusion
Running npm audit on a scheduled pipeline is a cost-effective way to stay on top of security issues found in npm packages.