‘dependencies.js’ checks all of the installed application modules for known vulnerabilities. The results are reported via snyk’s command-line console and its cloud-based dashboard. See snyk.io for more details and to set up an account.
npm audit provides similar native functionality; however, the results from snyk and npm audit may not match, because each tool draws on its own vulnerability database.
_spartan defaults to snyk for application dependency monitoring. If you want to change this, set it in the auditOptions section of ‘security.json’.
If you opt to use snyk for this purpose, you will need an account on snyk.io. The most opportune time to check for vulnerabilities in dependencies is prior to application deployment, as part of your CI/CD pipeline. In support of this, _spartan uses gulp to create tasks that start the core snyk functions: wizard, audit, and monitor. You will need to create a gulpfile (gulpfile.js) and add a task for application dependency checking (see usage below).
We highly recommend using the snyk command line and cloud dashboard in monitor mode so you can be proactively alerted to newly discovered vulnerabilities in your application’s dependencies. You will be provided with an API key, which can be added to your .env file as a secret. Keep that file out of version control, and in CI supply the key from the pipeline’s secret store rather than committing it.
method name | description | params | returns |
---|---|---|---|
N/A | if default configuration is used, the tasks load as a function and run in the gulpfile | N/A | void or Error |
```js
var gulp = require('gulp')
var dependencyCheck = require('security/dependencies')

// Runs the configured dependency audit (snyk by default; see security.json).
// Pass any error to the gulp callback so a failed audit fails the pipeline
// instead of being silently swallowed.
gulp.task('dependency-check', function (end) {
  try {
    dependencyCheck()
    end()
  } catch (err) {
    end(err)
  }
})
```