Commit 2f4fc266 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'npm-audit-job' into 'master'

Add npm audit job to Angular Template

Closes #8

See merge request to-be-continuous/angular!61
parents e62e8f4e 72cf7d0c
+17 −0
@@ -315,6 +315,23 @@ exports.config = {
}
```

### `ng-audit` job

This job performs an audit using ([npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit)), to find security vulnerabilities.

It is bound to the `test` stage.

| Input / Variable | Description                                                                                                                                           | Default value                    |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| `audit-disabled` / `NG_AUDIT_DISABLED` | Set to `true` to disable npm audit                                                                                                                    | _none_ (enabled)                 |
| `audit-args` / `NG_AUDIT_ARGS` | npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments     | `--audit-level=low`              |

In addition to a textual report in the console, this job produces the following report, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$NG_WORKSPACE_DIR/reports/ng-audit.native.json` | [JSON](https://docs.npmjs.com/cli/v9/commands/npm-audit#json) | [DefectDojo integration](https://documentation.defectdojo.com/integrations/parsers/#npm-audit)<br/> _This report is generated only if DefectDojo template is detected, if needed, you can force it with `$DEFECTDOJO_NPMAUDIT_REPORTS`_ |

### `ng-outdated` job

This job performs outdated analysis ([npm outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated)), to find dependencies that might be updated.
+13 −0
@@ -123,6 +123,19 @@
        }
      ]
    },
    {
      "id": " ng-audit",
      "name": "ng-audit",
      "description": "This job performs an audit using ([npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit)), to find vulnerabilities (security).",
      "disable_with": "NG_AUDIT_DISABLED",
      "variables": [
        {
          "name": "NG_AUDIT_ARGS",
          "description": "npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments",
          "default": "--audit-level=low"
        }
      ]
    },
    {
      "id": "sbom",
      "name": "Software Bill of Materials",
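Review bot: The `id` added for the new job entry (line 49) is `" ng-audit"` with a leading space, while its `name`, the `disable_with` variable and the `NG_AUDIT_*` names all use `ng-audit`; anything that looks the job up by id or cross-references it from the other entries would miss it. Change the line to `"id": "ng-audit",`. The enclosing array begins before this hunk.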
+41 −0
@@ -60,6 +60,13 @@ spec:
    e2e-args:
      description: ng [e2e](https://angular.io/cli/e2e) arguments
      default: e2e
    audit-disabled:
      description: Disable ng audit
      type: boolean
      default: false
    audit-args:
      description: npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments
      default: --audit-level=low
    outdated-disabled:
      description: Set to `true` to disable npm outdated job
      type: boolean
@@ -144,6 +151,10 @@ variables:

  NG_E2E_ARGS: $[[ inputs.e2e-args ]]

  NG_AUDIT_DISABLED: $[[ inputs.audit-disabled ]]

  NG_AUDIT_ARGS: $[[ inputs.audit-args ]]

  NG_OUTDATED_DISABLED: $[[ inputs.outdated-disabled ]]

  NG_OUTDATED_ALLOW_FAILURE: $[[ inputs.outdated-allow-failure ]]
@@ -635,6 +646,7 @@ ng-build:
#                                      test stage:                                            #
#                                        - ng-e2e                                             #
#                                        - ng-sbom                                            #
#                                        - ng-audit                                           #
#                                        - ng-outdated                                        #
###############################################################################################
ng-e2e:
@@ -656,6 +668,35 @@ ng-e2e:
      when: never
    - !reference [.test-policy, rules]

ng-audit:
  extends: .ng-cli-base
  stage: test
  needs: []
  script:
    # JSON (for DefectDojo)
    - |
      mkdir -p -m 777 reports
      if [[ "$DEFECTDOJO_NPMAUDIT_REPORTS" ]]
      then
        npm audit --json $NG_AUDIT_ARGS > reports/ng-audit.native.json || true
      fi
    # last run with console output
    - npm audit $NG_AUDIT_ARGS > reports/ng-audit.txt
    - cat reports/ng-audit.txt
  artifacts:
    when: always
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    paths:
      - $NG_WORKSPACE_DIR/reports/ng-audit.*
    expire_in: 1 day
  rules:
    # exclude if $NG_AUDIT_DISABLED set
    - if: '$NG_AUDIT_DISABLED == "true"'
      when: never
    # on non-production, non-integration branches: manual & non-blocking
    - when: manual
      allow_failure: true    

# outdated
ng-outdated:
  extends: .ng-cli-base
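Review bot: The `rules` of the new `ng-audit` job (lines 124-130) end with an unconditional `- when: manual` plus `allow_failure: true`, so the audit is manual and non-blocking on every branch, which contradicts the comment directly above it ("on non-production, non-integration branches") and the README's statement that the job is simply bound to the `test` stage; an audit nobody triggers gates nothing. `ng-e2e` just above delegates to `- !reference [.test-policy, rules]` (line 101), and if that policy is what encodes the integration/production gating, the same single line should replace the two manual lines here (otherwise fix the comment to say the job is always manual). Separately, `npm audit $NG_AUDIT_ARGS > reports/ng-audit.txt` on line 116 exits non-zero exactly when findings exist, and since GitLab stops the script at the first failing line the following `cat` never runs, so the console report promised by the comment appears only on a clean audit; `set -o pipefail; npm audit $NG_AUDIT_ARGS | tee reports/ng-audit.txt` keeps both the exit status and the console output (the script already relies on bash via `[[ ]]` on line 111). Line 130 also carries trailing whitespace after `allow_failure: true`.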