dwyl / repo-badges

:star: Use repo badges (build passing, coverage, etc) in your readme/markdown file to signal code quality in a project.

Replacement for Node Security Platform #32

Closed getaaron closed 5 years ago

getaaron commented 6 years ago

https://nodesecurity.io/services:

The Node Security Platform has been acquired by npm, Inc.

On April 10, 2018, the Node Security Platform joined npm, Inc., which operates the npm JavaScript package registry.

Learn more here.

The service remains operational for current accountholders.

This repo should recommend a replacement for new projects.

nelsonic commented 6 years ago

@getaaron do you have a suggestion? It's unclear from the statement if NPM will include the service in their offering ... 🤔

Berkmann18 commented 5 years ago

According to their newsletter and Twitter feed, NSP's service is now integrated into NPM and thus audits could be done by using npm audit and vulnerabilities are shown for vulnerable packages being installed. Not sure if that's what Github uses too for vulnerability checks.

As for the badge (which brought me here), I have no idea what will replace the defunct NSP badge.
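Since the thread settles on `npm audit` as the functional replacement for `nsp check`, here is an added example (not code from this thread, from npm or from Snyk) of the piece NSP used to supply in CI: a gate that reads the `npm audit --json` report and fails the build when any advisory is at or above a chosen severity. It accepts both the npm 6 report shape (`advisories`) and the npm 7+ shape (`vulnerabilities` with `auditReportVersion: 2`). The two sample reports are constructed for this example; the package names, titles and `example.invalid` URLs are made up and do not refer to real advisories.

```javascript
// Added example: severity gate over an `npm audit --json` report.
// Not part of dwyl/repo-badges, npm or Snyk. Sample reports are constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report shape into a flat list of {name, severity, title, url}.
function extractFindings(report) {
  const findings = [];
  if (report.advisories) {
    // npm 6: one entry per advisory, keyed by advisory id.
    for (const adv of Object.values(report.advisories)) {
      findings.push({ name: adv.module_name, severity: adv.severity, title: adv.title, url: adv.url });
    }
  } else if (report.vulnerabilities) {
    // npm 7+: one entry per package. `via` holds advisory objects for the
    // package's own advisories and bare strings for vulnerabilities inherited
    // from a dependency. Only the objects are collected, so an advisory is not
    // counted once more for every package that merely depends on it.
    for (const vuln of Object.values(report.vulnerabilities)) {
      for (const via of vuln.via) {
        if (typeof via === 'object' && via !== null) {
          findings.push({ name: via.name, severity: via.severity, title: via.title, url: via.url });
        }
      }
    }
  } else {
    throw new Error('unrecognised npm audit report: no "advisories" or "vulnerabilities" key');
  }
  return findings;
}

// Findings at or above `threshold`. A severity string the gate does not know
// is treated as failing rather than silently dropped.
function failingFindings(report, threshold) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const min = SEVERITY_RANK[threshold];
  return extractFindings(report).filter((f) => (SEVERITY_RANK[f.severity] ?? Infinity) >= min);
}

// Process exit code for CI: 0 when clean at the chosen level, 1 otherwise.
function auditExitCode(report, threshold = 'high') {
  return failingFindings(report, threshold).length === 0 ? 0 : 1;
}

// Constructed sample in the npm 6 shape (hypothetical packages and URLs).
const sampleNpm6 = {
  advisories: {
    '100': { module_name: 'left-pad-ish', severity: 'low', title: 'Regular Expression Denial of Service', url: 'https://example.invalid/advisories/100' },
    '101': { module_name: 'deep-merge-ish', severity: 'high', title: 'Prototype Pollution', url: 'https://example.invalid/advisories/101' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

// Constructed sample in the npm 7+ shape: `deep-merge-ish` carries the
// advisory itself; `config-loader-ish` only inherits it via the string entry.
const sampleNpm7 = {
  auditReportVersion: 2,
  vulnerabilities: {
    'deep-merge-ish': {
      name: 'deep-merge-ish', severity: 'high', isDirect: false,
      via: [{ source: 101, name: 'deep-merge-ish', dependency: 'deep-merge-ish', title: 'Prototype Pollution', url: 'https://example.invalid/advisories/101', severity: 'high', range: '<2.0.0' }],
      effects: ['config-loader-ish'], range: '<2.0.0', nodes: ['node_modules/deep-merge-ish'], fixAvailable: true,
    },
    'config-loader-ish': {
      name: 'config-loader-ish', severity: 'high', isDirect: true,
      via: ['deep-merge-ish'], effects: [], range: '1.0.0 - 1.3.2', nodes: ['node_modules/config-loader-ish'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0, total: 2 } },
};

// Demonstration on the constructed samples.
for (const [label, report] of [['npm6', sampleNpm6], ['npm7', sampleNpm7]]) {
  for (const f of failingFindings(report, 'high')) {
    console.log(`${label}: ${f.severity.toUpperCase()} ${f.name}: ${f.title} (${f.url})`);
  }
  console.log(`${label}: exit code ${auditExitCode(report, 'high')}`);
}
```

To run it against a real project, save `npm audit --json` to a file, `JSON.parse` the contents, and call `process.exit(auditExitCode(report, 'high'))`. The threshold is deliberately an argument: NSP failed on any advisory, whereas most teams gate on `high` and report `low`/`moderate` without blocking.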

Y-LyN-10 commented 5 years ago

Is snyk an appropriate alternative?

nelsonic commented 5 years ago

@Y-LyN-10 good question/suggestion. 🤔 as much as it pains me that Node Security Platform has been "rolled into NPM" (meaning there is no longer an NSP Badge) it's a reality we all have to live with.

I really like what @guypod is doing with Snyk. They have assembled a great team of people to build the product; @remy is easily one of the best JS devs in the world! He is a "Mida"! 😮 ⭐️ Snyk is a well-documented/maintained library https://github.com/snyk/snyk

As a side note, Guy's Podcast, "The Secure Developer" is a "must" for all devs! subscribe if you aren't already: https://www.heavybit.com/library/podcasts/the-secure-developer 🥇

nelsonic commented 5 years ago

https://twitter.com/snyksec/status/1067283633805959168

nelsonic commented 5 years ago
  1. Visit: https://snyk.io

01-snyk-home-page

  2. Click the "Signup with GitHub" button/link:

02-snyk-signup

  3. Click the button to "Authorise Snyk":

03-snyk-authorise

  4. Click to "Connect with GitHub":

04-snyk-integrations-select-github

  5. Again click "Connect with GitHub":

05-connect-to-github

  6. By default Snyk requests access to both public and private repos; select whatever is relevant to you and continue:

06-snyk-wants-private-repos-by-default

  7. I selected only public repositories as I always follow the "principle of least privilege":

07-snyk-select-public-repos-only

  8. Confirm the access that Snyk is requesting:

08-snyk-authorise

  9. Connect Snyk to a GitHub repository:

09-snyk-connect-to-github-repo

  10. Select the desired repository (in this case hapi-auth-jwt2 ...):

10-snyk-select-desired-repo

  11. Add the selected repo:

11-snyk-add-1-selected-repository

  12. Wait for the repo to be imported by Snyk:

12-snyk-importing

  13. Once the repo has finished importing, refresh the page to see your dashboard:

13-snyk-finished-securing

  14. From the Snyk dashboard, click on the project you want to view:

14-snyk-dashboard-projects

  15. Copy the Snyk "Badge" for inclusion in your project:

15-snyk-project-page

Badge Format:

```
[![Known Vulnerabilities](https://snyk.io/test/github/{username}/{repo}/badge.svg)](https://snyk.io/test/github/{username}/{repo})
```

Official Badge:

```
[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)
```

Flat Square:

```
[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)
```

Going to PR this change now.