DEV Community: Ryan Mitchell The latest articles on DEV Community by Ryan Mitchell (@ryan_mitchell_728538f7301). https://dev.to/ryan_mitchell_728538f7301 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3876631%2F77cb250f-35f9-4684-b4ad-0089d543c776.jpg DEV Community: Ryan Mitchell https://dev.to/ryan_mitchell_728538f7301 en Shift-Left npm Security: Adding Aikido safe-chain locally & in Azure CI/CD Ryan Mitchell Mon, 13 Apr 2026 11:35:32 +0000 https://dev.to/ryan_mitchell_728538f7301/shift-left-npm-security-adding-aikido-safe-chain-locally-in-azure-cicd-3fdn https://dev.to/ryan_mitchell_728538f7301/shift-left-npm-security-adding-aikido-safe-chain-locally-in-azure-cicd-3fdn <h3> <strong>Intro</strong> </h3> <p>Supply chain security has never been more critical. The recent malicious Axios package — a JavaScript library downloaded over 100 million times a week — demonstrated the scale of disruption a single compromised dependency can cause. Fortunately, there are practical steps you can take to protect yourself. In this post, I’ll walk through implementing Aikido Safe-Chain both locally and in your Azure DevOps pipelines.</p> <p><strong>Stop Firefighting. Start Preventing</strong></p> <p>Traditionally, security scanning happened late — during QA, pen testing, or worst case, after a breach in production. Shift-left moves those checks to where you write code, not where you run it. You can take steps both locally and in your CI/CD pipelines to catch vulnerabilities before they get anywhere near production.</p> <p><strong>What is Aikido?</strong></p> <p>There are several tools available for supply chain security, but in this post I’m focusing on Aikido. Aikido is a developer-first security platform that scans your code, dependencies, and infrastructure for vulnerabilities.</p> <p>Aikido Safe-Chain</p> <p>Safe-Chain sits between you and your package manager — such as npm — checking every download in real time before it hits your machine or runs in a pipeline. If a compromised package is detected, it blocks the install. It also quarantines packages less than 48 hours old by default, giving public vulnerability databases time to catch up. This helps prevent things like the recent Axios incident affecting you.</p> <p><strong>Implementing</strong></p> <p>As mentioned, you can implement Safe-Chain both locally and in your pipeline. I’ll walk through both setups below.</p> <p><strong>Locally</strong></p> <p><strong>Step 1. Install via terminal</strong><br><br> <code>npm install -g @aikidosec/safe-chain</code></p> <p><strong>Step 2. Set-up Shell Integration</strong><br><br> <code>safe-chain setup</code></p> <p><strong>Step 3. Restart Terminal</strong></p> <p><strong>Step 4. Verify the Installation</strong><br><br> <code>npm install safe-chain-test</code></p> <p>When its installed and working correctly you should see output like this in the terminal:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54ey5z6pmdrvbigonpi2.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54ey5z6pmdrvbigonpi2.webp" width="800" height="109"></a></p> <p><strong>CI/CD – Azure pipelines in this case</strong></p> <p>In order to set up in your azure pipeline you add the set-up and test (temporarily to verify) as per below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0vnxqhpuutxddtmegdta.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0vnxqhpuutxddtmegdta.png" alt=" " width="546" height="170"></a></p> <p>When its set-up and working in the pipeline you should expect to see a result like below, and when this is confirmed you can remove the safe-chain-test part of the script.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3h1bisykbmetcsv7t8y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3h1bisykbmetcsv7t8y.png" alt=" " width="790" height="241"></a></p> <p><strong>Conclusion</strong> </p> <p>Hopefully, this has demonstrated some simple steps that you can take in order to introduce security into your local and CI/CD at an earlier point “shift left”, moving to prevention instead of reaction.</p> azuredevops security ai aikido