How to use npm audit | DevSecOps | SCA Scan

Captions
Hello guys, how are you? Welcome to another video. It's Goli, and today we want to start a first video regarding DevSecOps, and we want to start scanning: software component analysis, or third-party scanning. As you can see on this diagram, we have the code in our git, and today we want to start the SCA scan here. For today we want to start with npm audit, to check our npm projects and code. Step by step we go further: we try some tools here, then we go to the next stage for static analysis testing, then the next stage of testing, and so on until the end. Stage by stage we go, and as I mentioned, today we start here with npm audit. This is the project, the vulnerable repository that I already cloned. You can either use your own npm project, or you can use the repository I put the link to in the description of this video; you can clone that repository and continue with me. Let's get started. For every tool I provide a how-to file: how we can install it and how we can scan. Here you can see it for npm: first we need to install npm. All these how-to files will also be uploaded to a git repository, another repository whose link I also put in the description, so you don't need to take notes here; just focus on the video and on how we run our scans and tests. To get started, let me open a terminal, because we need to install npm on our local machine. For every tool, and this is the best practice, for every scan and every test, first we do all of them locally on our machine, and then we automate them in GitHub Actions or GitLab CI or Jenkins or any CI pipeline. It doesn't matter which tool or service you use for the automation at the end; the thing is that we know what we are going to do.

So first we install the tool locally and test everything locally to see if it works, and when everything goes well we do the same in the CI/CD workflow. For this course, I mean for these videos, I will use GitHub and GitHub Actions, and maybe in some cases GitLab CI/CD. As I mentioned, the platform doesn't really matter: we learn the tool itself, not the platform where we implement our service or CI/CD workflow. Let me make it bigger here. First I need to install Node.js and npm; they will be installed with this command, which I just copy-pasted from the repository. You can find them on the internet; it's not a big deal. First of all, let me run the apt update and upgrade in the background, so we also upgrade the packages. It shouldn't take that much; it was just four packages. It's best practice to always update and upgrade before installing any software. Then we use that command... okay, curl. I don't have curl? Really nice. Why don't I have it? Okay, so we also install curl. You can see that for the GitHub Action we also have to have curl, if you want to use the same approach. Sometimes we use Docker images for tools, and then we don't need curl, but if you want to install Node and npm on your CI machine or CI servers to scan, you need to install it there too. That's why I said at the beginning: let's do everything locally and then automate. Now I can curl, I assume. It works: it's downloading and installing the package on my machine. In the background you can see this is the project that I cloned; here are the files and directories, and then we do the SCA scan of this project with npm audit, and we will see the result.

Just give it a few more minutes, and when this tool is installed we can continue. Okay, now we need to install Node.js, as the terminal showed us. Not this terminal, please give me my terminal back; here it is. Install again: sudo apt install nodejs. Okay, "nodejs", what did I type? Oh sorry, it was just a typo; now it's okay, nodejs. Oh my God, sorry. It's working now. Then we have these two packages, we have npm installed, and we can start our work. I didn't want to cut the video, because these are the daily things that can happen: typos, misconfiguration of your local machine. Here I didn't have curl; I didn't know, because I usually change or update or install new virtual machines, and I forgot to install curl on this one. So that's really nice: we go together and sometimes we see what the problem is. At the beginning we saw there was no curl, then we saw there was a typo. It's really good that we walk through it together. Now we also have these packages, so let's get started. Again, you can be in that terminal, it doesn't matter, but I will go to the project. Let me open a terminal here. So, VS Code: I think you already know what VS Code is; if not, it's just a text editor. I use it; before that I used PyCharm because I was developing Python. Basically it doesn't matter, you can pick whatever you want and like. In my case I use VS Code, and now the terminal: pwd shows my home directory, the vscode folder, and this is my project, the django.nV, a vulnerable project that we are going to scan.

Based on our guideline, npm is installed now; let's run npm help to see if it's really working, and you can see it is working: this is the help, and it shows npm install and so on. Now for npm audit we need to install the dependencies of our project on our local machine, and then we can scan them. There are dependency files here in this repository; you can see there are files for different things, for example also for Python, which we will do in another video. Now let's install the dependencies of our project on our local machine, so that we can scan them. Right now we cannot scan them because there is nothing to scan: they are not installed on our local machine. So we install them with npm install, and now the dependencies will be installed on our machine; I don't know how long it will take, let's see. While it's installing, the next step is going to be using the audit. We already saw that npm audit is working; audit is the tool we are going to scan our project with. We already saw it was installed and we got the help, and now we are going to scan. When it's done, when the modules are installed on our machine, we can continue with npm audit to scan, and then we can store the output in JSON format. I'm just waiting for this to be over; it should be faster. There are warnings; npm gives us warnings, maybe a package is duplicated, or old, or deprecated, whatever, but that's not the main topic of this video. Just let them be installed and then let's scan. It really depends also on which tool you want to take, so that's something you should really check: you should see your demands, the advantages and disadvantages of each tool, and then you can pick. For example there are many tools that can scan npm projects, but here we are using npm audit; in the next videos we will also use some other tools for npm and also for other languages. For example for Python I think there are also two or three different tools that can scan our third-party packages. To choose one of them you can compare them and then pick your favorite tool.

Now they are installed. You can see it's showing that npm audit can fix and can show some stuff. Now that we have the packages installed locally on the machine, we will use npm audit. I can show you the help again: npm audit --help shows how you can use it. The usage is npm audit; this is the base command, and there are some options you can add. We are going to use one of them, because we want the output in JSON format as well. Now let's just scan: npm audit with no other options, we just want to scan and see what the problems are. npm audit takes a little bit of time. I'll make it a little bigger, and then it shows us the vulnerabilities. Here exactly, this is the output, and you can see this one has severity high, and here you can see more information about it: it's high, uncontrolled resource consumption, fix available. For this one you can fix it just with npm audit fix; for this other one npm audit doesn't provide any fix solution. But don't just easily run npm audit fix: first you should read what it does. Probably it's going to install the newer version, but you should check that it doesn't break your code. Again you can see different tools here and also the packages, and here for example another problem with severity high, fix available. This is the output. Now we want to see it in JSON, because we need to store it in a machine-readable format, and JSON can help. Here we put it in a file, report.npm.json. You can also use tee; here I just redirect the output, it doesn't matter which you use. Then let's see again: here we will have a JSON file at the end with the same information but in JSON format, so we can read it with a machine later, for the other things we want to use it for. This was the whole process of how we can use npm audit and get the output in JSON format.

In the next video we will do the same process on GitHub: we will use npm audit on GitHub and we want to make it automated. Here you saw we just tested locally, but in the next video we will see how we can automate all this; we want this project to get scanned once it's in our repository. We will create a GitHub Action or GitLab CI file, we will work with them and see how we can automate, and after that we will have a result file on our GitHub. The scan will be done, and at the end we will have a result on our git repository. Let's see what we have here: as you can see we have report.npm.json. Let's cat the report. If you want to see it more beautifully... okay, I don't have jq. jq makes this JSON more beautiful, it's a Linux tool, but it doesn't matter for us here. Let's see again: this is the same information that we already saw, but in JSON format. I hope you enjoyed that. Do the same; now you have all the material you need. This tool is totally free, you don't need to pay anything for this scan. Please hit the subscribe button and like the video; it really helps me and my channel, it's a kind of support for me and I'd really appreciate it. I hope you enjoyed it, and see you next time.
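As an added example (not code from the video or its repository): a small Python script that reads the JSON file `npm audit --json` writes, the kind of report the video redirects into a file, and turns it into a pass/fail decision for a CI step above a chosen severity, flagging fixes that `npm audit fix` would not apply on its own because they are semver-major. The report shape follows npm 7+ (auditReportVersion 2); the package names, advisory title and URL in the embedded sample are constructed placeholders.

```python
"""Parse an `npm audit --json` report and decide whether a CI gate should fail."""
import json

# Severity levels as npm audit reports them, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of npm 7+ `npm audit --json` (auditReportVersion 2).
# Package names, advisory title and URL are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-http-lib": {
            "name": "example-http-lib", "severity": "high", "isDirect": True,
            "via": [{"title": "Uncontrolled Resource Consumption", "severity": "high",
                     "url": "https://example.invalid/advisory-placeholder", "range": "<2.0.0"}],
            "range": "<2.0.0", "nodes": ["node_modules/example-http-lib"],
            # A fix exists but is a semver-major bump, which `npm audit fix` does not apply
            # by itself; this is the "read before you fix" case from the video.
            "fixAvailable": {"name": "example-http-lib", "version": "2.0.0", "isSemVerMajor": True},
        },
        "example-util": {
            "name": "example-util", "severity": "moderate", "isDirect": False,
            "via": ["example-http-lib"],  # transitive: vulnerable only through its parent
            "range": "*", "nodes": ["node_modules/example-util"], "fixAvailable": False,
        },
    },
})


def summarize(report_text):
    """One record per vulnerable package: severity, fix status, and advisory titles."""
    findings = []
    for name, vuln in json.loads(report_text).get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)  # bool, or an object describing the fix version
        via = vuln.get("via", [])              # advisory objects, or names of vulnerable parents
        titles = [v["title"] for v in via if isinstance(v, dict)]
        findings.append({
            "name": name, "severity": vuln["severity"], "direct": vuln.get("isDirect", False),
            "fix_available": bool(fix),
            "breaking_fix": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "titles": titles or ["via " + ", ".join(v for v in via if isinstance(v, str))],
        })
    return findings


def gate(report_text, fail_on="high"):
    """True when any finding is at or above `fail_on`; make the CI step exit non-zero on it."""
    threshold = SEVERITY_ORDER.index(fail_on)
    return any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in summarize(report_text))
```

In a pipeline, pass the contents of the file written by `npm audit --json` to `gate()` and fail the job when it returns True; `summarize()` gives the per-package detail to print alongside.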
Info
Channel: GoliTech
Views: 79
Keywords: github action, devsecops, npm scan, npm audit, devsecops certificates, dast, sast, scan dependencies, github action workflow, test and scan npm projects locally, sca scan | npm audit, #devsecops, golitech, devsecops professional, npm audit tool, how to integrate npm scan into github action workflow, gitlab ci, jenkins ci cd pipeline, circle CI, jenkins, devops, devsecops automation, git pipeline, scan nodejs project, github actions tutorial, automated devsecops scan
Id: Wtla6XinV_M
Length: 18min 58sec (1138 seconds)
Published: Sun Feb 25 2024