DEV Community

loading...

Discussion on: So you think you're just gonna `npm install`? Think again

Collapse
lirantal profile image
Liran Tal Author

How exactly are you combining audit and npm's install/ci?
I didn't understand how that's related to docker. Do you mean you are doing this inside the docker image you're building?

Collapse
erickwilder profile image
Erick Wilder

Yes, exactly. We build everything inside a docker image (using npm ci) and later on we run a step in our pipeline with npm audit (and other homegrown checks) to ensure that inconsistent state or malicious code never goes to production. There is also some integration with slack to notify everyone that we have to fix it.

Thread Thread
lirantal profile image
Liran Tal Author

Sounds good.

If I could help you in getting started with Snyk for auditing, monitoring etc I'd be more than happy to connect over DM or something.

One point that stands out is, while your pipeline checks for vulnerabilities, if you didn't deploy/run CI for say 2 weeks, and during this time a vulnerability was disclosed, then you wouldn't catch it, where-as with Snyk we constantly monitor your package manifest snapshots, alert, and open PRs that automatically fix and relock the relevant lockfile.