
Add Yarn Audit CI Job

Dennis Appelt requested to merge da/add-yarn-audit-ci-job into master

What does this MR do and why?

This MR adds a CI job that executes yarn audit via https://gitlab.com/gitlab-org/security-products/analyzers/npm-audit.

yarn audit is intended to complement our existing Node.js dependency scanning job based on the gemnasium analyzer. The gemnasium analyzer alerts on dependencies that are affected by an advisory in the gemnasium db, which contains mostly advisories from NVD. To also alert on advisories from https://npmjs.com/advisories, yarn audit is added.

Advisories for malicious dependencies are often not listed on NVD, but are on https://npmjs.com/advisories. A recent example is ua-parser-js.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dennis Appelt
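The MR does not show how the new job consumes the audit result, so here is an added example (not code from this MR or from the npm-audit analyzer) of the gate a CI job can put behind `yarn audit --json`. It relies on two documented behaviours of yarn 1.x: the `--json` output is newline-delimited JSON with one `auditAdvisory` object per finding and a trailing `auditSummary`, and the exit status is a bitmask of the severities found (1 info, 2 low, 4 moderate, 8 high, 16 critical). It also picks out findings whose advisory carries no CVE, which is exactly the class of npm advisory (malicious packages, as in the ua-parser-js case) that an NVD-based database tends to miss. The two audit lines in `SAMPLE_AUDIT_OUTPUT` are constructed; the advisory IDs, package names and the CVE string are placeholders, not real advisories.

```python
"""Gate a CI job on `yarn audit --json` output (added example, not the analyzer's code)."""
import json
import sys
from typing import Dict, List

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
# yarn 1.x exits with a bitmask of the severities it found.
EXIT_BITS = {1: "info", 2: "low", 4: "moderate", 8: "high", 16: "critical"}


def _advisory_line(adv_id: int, module: str, severity: str, cves: List[str], path: str) -> str:
    """Build one constructed `auditAdvisory` line in the shape yarn 1.x emits."""
    return json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": adv_id, "path": path, "dev": False, "optional": False, "bundled": False},
        "advisory": {"id": adv_id, "module_name": module, "severity": severity, "cves": cves,
                     "title": f"Constructed advisory for {module}",
                     "vulnerable_versions": "<1.0.1", "patched_versions": ">=1.0.1",
                     "url": f"https://npmjs.com/advisories/{adv_id}"}}})


# Constructed sample: IDs 9001/9002, the package names and the CVE string are placeholders.
SAMPLE_AUDIT_OUTPUT = "\n".join([
    _advisory_line(9001, "example-malicious-pkg", "critical", [], "app>example-malicious-pkg"),
    _advisory_line(9002, "example-lib", "low", ["CVE-0000-0000"], "app>example-lib"),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 0, "critical": 1},
        "dependencies": 2, "devDependencies": 0, "optionalDependencies": 0, "totalDependencies": 2}}),
])


def parse_audit(output: str) -> List[Dict]:
    """Return one flat record per `auditAdvisory` line; summary and non-JSON lines are skipped."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate stray non-JSON lines if stderr was merged into the capture
        if obj.get("type") != "auditAdvisory":
            continue
        adv = obj["data"]["advisory"]
        res = obj["data"].get("resolution", {})
        findings.append({
            "id": adv.get("id"),
            "module_name": adv.get("module_name"),
            "severity": str(adv.get("severity", "info")).lower(),
            "cves": list(adv.get("cves") or []),
            "path": res.get("path", ""),
            "dev": bool(res.get("dev")),
            "url": adv.get("url", ""),
        })
    return findings


def findings_without_cve(findings: List[Dict]) -> List[Dict]:
    """Advisories with no CVE: the ones an NVD-fed database is least likely to carry."""
    return [f for f in findings if not f["cves"]]


def should_fail(findings: List[Dict], min_severity: str = "moderate", include_dev: bool = True) -> bool:
    """True if any finding is at or above `min_severity` (optionally ignoring devDependencies)."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= threshold and (include_dev or not f["dev"])
               for f in findings)


def decode_exit_code(code: int) -> List[str]:
    """Translate yarn's exit-status bitmask into the severity names it encodes."""
    return [name for bit, name in EXIT_BITS.items() if code & bit]


if __name__ == "__main__":
    # Usage in CI:  yarn audit --json > audit.ndjson ; python3 audit_gate.py < audit.ndjson
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_OUTPUT
    found = parse_audit(raw)
    for f in found:
        tag = "no CVE" if not f["cves"] else ", ".join(f["cves"])
        print(f"{f['severity']:>8}  {f['module_name']}  ({tag})  {f['url']}")
    sys.exit(1 if should_fail(found, "moderate") else 0)
```

The script reads the captured NDJSON rather than trusting yarn's exit code directly, because the bitmask alone cannot say which package or whether a CVE exists; `decode_exit_code` is kept for when only the status survives (for example, in a job log). Failing at `moderate` and listing the no-CVE findings separately gives the review a clear view of what this job catches that the gemnasium job would not.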
