Package vulnerability scanning refers to the process of analyzing software packages, dependencies, libraries, or modules to identify security vulnerabilities within them.
Software often relies on various third-party packages or libraries to provide functionality, and vulnerabilities within these dependencies can pose significant security risks to the overall application.
Package Vulnerability Scanning Process:
- Identification: Tools or services scan through the dependencies used in a project, checking against databases of known vulnerabilities.
- Analysis: The scanning process assesses the versions of these dependencies against a database of known vulnerabilities, determining if any matches are found.
- Report Generation: The scanning tools generate reports highlighting identified vulnerabilities, their severity levels, and recommended actions to mitigate the risks.
- Mitigation: Once vulnerabilities are identified, developers can take action to address these issues. Solutions might include updating to patched versions, finding alternative packages, implementing workarounds, or applying security patches.
- Snyk: Provides scanning and monitoring services for vulnerabilities in dependencies.
- OWASP Dependency-Check: Open-source tool for scanning dependencies for known vulnerabilities.
- GitHub Dependabot: Built-in tool in GitHub that automatically checks for and creates pull requests to update dependencies.
Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations.
snyk iac test
snyk code test
snyk test
More detailed information can be found here: https://docs.snyk.io/integrate-with-snyk/snyk-ci-cd-integrations/github-actions-integration
The npm audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
If any vulnerabilities are found, then the impact and appropriate remediation will be calculated. If the fix argument is provided (npm audit fix), then remediations will be applied to the package tree.
The command will exit with a 0 exit code if no vulnerabilities were found.
Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review.
Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected.
- Sign up for a Snyk account - https://snyk.io/
- Once logged in, you can see an overview of linked projects, e.g. GitHub repositories that you import, in the Dashboard.
- Get your API token by going to the bottom left (your name) > Account settings > click to show key under Auth Token > copy the token > create a GitHub Actions Secret in your GitHub repository called "SNYK_TOKEN".
- Refer to files/index.js for sample lambda code to be deployed.
- There is also a files/lambda_function.py for a python version that can be deployed. Changes will need to be made in variable.tf
- Create all the necessary code to build your infrastructure e.g. Lambda, IAM, VPC, Subnets etc.
- Include your AWS SECRET KEY and AWS ACCESS KEY as GitHub Actions Secrets.
- Take a look at the sample .github/workflows/package-scan.yml file for a simple workflow that tests the IaC, Code and Open Source plugins plus npm audit.
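A workflow of the kind described above, written here as an added illustration and not the repository's own package-scan.yml; it assumes package.json sits at the repository root, that the Terraform files are in the checked-out tree, and that the checkout and setup-node actions are pinned at v4 (all assumptions, not taken from the page).

```yaml
name: package-scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Snyk CLI reads the token from this variable; the secret is the one created in step 3.
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4          # assumed version pin
      - uses: actions/setup-node@v4        # assumed version pin
        with:
          node-version: 20

      - name: Install dependencies from the lockfile
        run: npm ci                        # assumes package.json at repo root

      - name: npm audit (fail the job on high or critical findings)
        # npm audit exits non-zero when vulnerabilities at or above the threshold exist
        run: npm audit --audit-level=high

      - name: Install Snyk CLI
        run: npm install -g snyk

      - name: Snyk Open Source (third-party dependencies)
        run: snyk test --severity-threshold=high

      - name: Snyk Code (static analysis of files/index.js and the rest of the repo)
        run: snyk code test

      - name: Snyk IaC (Terraform for Lambda, IAM, VPC, Subnets)
        run: snyk iac test
```

Any step that exits non-zero fails the job, so a pull request cannot merge past a high-severity dependency, code or IaC finding without someone reviewing it.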
