
@w3sec/w3security-azure-pipelines-task

v1.1.2


Downloads

4

Readme

w3security-azure-pipelines-task

This task/extension for Azure Pipelines allows you to easily run W3Security scans within your Azure Pipeline jobs. You will need to first [create a W3Security account](https://w3security.tech/login). There are two major options:

  • W3Security scan for vulnerable dependencies, leveraging your project's manifest files, for example pom.xml, package.json, etc.
  • W3Security scan for container images. This will look at Docker images.

In addition to running a W3Security security scan, you also have the option to monitor your application / container, in which case the dependency tree or container image metadata will be posted to your W3Security account for ongoing monitoring.

Requirements

This extension requires that Node.js and npm be installed on the build agent. These are available by default on all Microsoft-hosted build agents. However, if you are using a self-hosted build agent, you may need to explicitly activate Node.js and npm and ensure they are in your PATH. This can be done using the NodeTool task from Microsoft prior to the W3SecuritySecurityScan task in your pipeline.
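As an added illustration (not from the extension's own README), here is the job fragment described above for a self-hosted agent: Microsoft's NodeTool task activates Node.js and npm on PATH, and the scan task runs after it. The Node.js version and the service connection name `myW3SecurityToken` are assumptions.

```yaml
steps:
  # NodeTool@0 is Microsoft's built-in task: it downloads the requested Node.js
  # version and prepends it to PATH for the remaining steps of this job.
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'   # assumed; choose a version the W3Security CLI supports

  # The scan task now finds node/npm on PATH even on a self-hosted agent.
  - task: W3SecuritySecurityScan@1
    inputs:
      serviceConnectionEndpoint: 'myW3SecurityToken'   # assumed service connection name
      testType: 'app'
      failOnIssues: true
```

On Microsoft-hosted agents the NodeTool step is unnecessary, but it is harmless to keep so the same pipeline definition runs on both agent types.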

How to use the W3Security task for Azure DevOps Pipelines

  1. Install the extension into your Azure DevOps environment.
  2. Configure a service connection endpoint with your W3Security token. This is done at the project level. In Azure DevOps, go to Project settings -> Service connections -> New service connection -> W3Security Authentication. Give your service connection a name and enter a valid W3Security token.
  3. Within an Azure DevOps Pipeline, add the W3Security Security Scan task and configure it according to your needs, following the details and examples below.

Task Parameters

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| serviceConnectionEndpoint | The Azure DevOps service connection endpoint where your W3Security API token is defined. Define this within your Azure DevOps project settings / Service connections. | no | none | String / Azure Service Connection Endpoint of type W3SecurityAuth / W3Security Authentication |
| testType | Used by the task UI only | no | "application" | string: "app" or "container" |
| dockerImageName | The name of the container image to test. | yes, if container image test | none | string |
| dockerfilePath | The path to the Dockerfile corresponding to the dockerImageName | yes, if container image test | none | string |
| targetFile | Applicable to application type tests only. The path to the manifest file to be used by W3Security. Should only be provided if non-standard. | no | none | string |
| severityThreshold | The severity-threshold to use when testing and reporting. By default, issues of all severity types will be found. | no | "low" | string: "low" or "medium" or "high" or "critical" |
| failOnThreshold | The severityThreshold parameter controls which issues the W3Security CLI finds and reports; failOnThreshold gives you additional control over build failure behaviour. For example, with failOnIssues set to true and failOnThreshold set to critical, all issues would be reported but only critical issues would cause a build failure. See Usage Examples for more information. | no | "low" | string: "low" or "medium" or "high" or "critical" |
| monitorWhen | When to run w3security monitor. Valid options are always (default), noIssuesFound, and never. If set, this option overrides the value of monitorOnBuild. | no | "always" | string: "always" or "noIssuesFound" or "never" |
| failOnIssues | This specifies if builds should be failed or continued based on issues found by W3Security. Combine with failOnThreshold to control which severity of issues causes the build to fail. | yes | true | boolean |
| projectName | A custom name for the W3Security project to be created on w3security.tech | no | none | string |
| organization | Name of the W3Security organisation under which this project should be tested and monitored | no | none | string |
| testDirectory | Alternate working directory. For example, if you want to test a manifest file in a directory other than the root of your repo, you would put in the relative path to that directory. | no | none | string |
| ignoreUnknownCA | Use to ignore unknown or self-signed certificates. This might be useful for self-hosted build agents with unusual network configurations or for W3Security on-prem installs configured with a self-signed certificate. Note that this disables certificate validation for the scan's connection, so prefer adding the certificate to the agent's trust store where you can. | no | false | boolean |
| additionalArguments | Additional W3Security CLI arguments to be passed in. Refer to the W3Security CLI help page for information on additional arguments. | no | none | string |

Usage Examples

Simple Application Testing Example

```yaml
- task: W3SecuritySecurityScan@1
  inputs:
    serviceConnectionEndpoint: 'myW3SecurityToken'
    testType: 'app'
    failOnIssues: true
    monitorWhen: 'always'
```

If you do not want the W3Security task to fail your pipeline when issues are found, but still want to monitor the results in the W3Security UI

To do this, you need to:

  • set failOnIssues to false, which will make sure the W3Security task will not fail your pipeline even if issues (vulnerabilities, etc) are found
  • have monitorWhen set to always (or just leave monitorWhen out, since always is the default)

Here's a full example:

```yaml
- task: W3SecuritySecurityScan@1
  inputs:
    serviceConnectionEndpoint: 'myW3SecurityToken'
    testType: 'app'
    failOnIssues: false
    monitorWhen: 'always'
```

An example that sets severityThreshold to medium and failOnThreshold to critical. This configuration only fails the build when critical issues are found, but all issues detected at medium, high and critical severity are reported back to your W3Security project for analysis; low-severity issues fall below severityThreshold and are not reported at all.

```yaml
- task: W3SecuritySecurityScan@1
  inputs:
    serviceConnectionEndpoint: 'myW3SecurityToken'
    testType: 'app'
    severityThreshold: 'medium'
    failOnIssues: true
    failOnThreshold: 'critical'
    monitorWhen: 'always'
```
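The three application examples above differ only in how severityThreshold, failOnIssues, failOnThreshold and monitorWhen combine. The following is an added example, not the task's or the W3Security CLI's own code: a small JavaScript model of those documented semantics that you can run locally to predict what a given input combination will do. The issue shape (`{ id, severity }`), the sample findings and the evaluation order are assumptions made for illustration.

```javascript
// Added example, not the task's or the W3Security CLI's own code: a local model
// of how severityThreshold, failOnIssues, failOnThreshold and monitorWhen are
// documented to interact. The issue shape ({ id, severity }) and the evaluation
// order are assumptions for illustration.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

function assertSeverity(name, value) {
  if (!Object.prototype.hasOwnProperty.call(SEVERITY_RANK, value)) {
    throw new Error(`${name} must be one of ${Object.keys(SEVERITY_RANK).join(', ')}, got "${value}"`);
  }
}

// severityThreshold: the scan only reports issues at or above this level,
// so anything below it is neither shown nor eligible to fail the build.
function reportedIssues(issues, severityThreshold = 'low') {
  assertSeverity('severityThreshold', severityThreshold);
  const min = SEVERITY_RANK[severityThreshold];
  return issues.filter((issue) => {
    assertSeverity('issue.severity', issue.severity);
    return SEVERITY_RANK[issue.severity] >= min;
  });
}

// failOnIssues=false never fails the build. Otherwise the build fails when any
// *reported* issue is at or above failOnThreshold, so the stricter of
// severityThreshold and failOnThreshold decides.
function shouldFailBuild(reported, failOnIssues = true, failOnThreshold = 'low') {
  assertSeverity('failOnThreshold', failOnThreshold);
  if (!failOnIssues) return false;
  const min = SEVERITY_RANK[failOnThreshold];
  return reported.some((issue) => SEVERITY_RANK[issue.severity] >= min);
}

// monitorWhen: 'always' (default) posts the dependency tree regardless of
// findings, 'noIssuesFound' only on a clean scan, 'never' not at all.
function shouldMonitor(monitorWhen = 'always', reported = []) {
  switch (monitorWhen) {
    case 'always': return true;
    case 'never': return false;
    case 'noIssuesFound': return reported.length === 0;
    default: throw new Error(`monitorWhen must be always, noIssuesFound or never, got "${monitorWhen}"`);
  }
}

// Evaluate one set of task inputs against a scan result.
function evaluate(issues, inputs = {}) {
  const reported = reportedIssues(issues, inputs.severityThreshold);
  return {
    reported: reported.map((issue) => issue.id),
    failBuild: shouldFailBuild(reported, inputs.failOnIssues, inputs.failOnThreshold),
    monitor: shouldMonitor(inputs.monitorWhen, reported),
  };
}

// Constructed sample scan result (illustrative ids, not real findings).
const SAMPLE_ISSUES = [
  { id: 'ISSUE-1', severity: 'low' },
  { id: 'ISSUE-2', severity: 'medium' },
  { id: 'ISSUE-3', severity: 'high' },
  { id: 'ISSUE-4', severity: 'critical' },
];

// The README's severityThreshold=medium / failOnThreshold=critical example:
// ISSUE-1 is dropped, ISSUE-2..4 are reported, and ISSUE-4 alone fails the build.
console.log(evaluate(SAMPLE_ISSUES, {
  severityThreshold: 'medium',
  failOnIssues: true,
  failOnThreshold: 'critical',
  monitorWhen: 'always',
}));
```

One consequence worth noticing: a failOnThreshold lower than severityThreshold has no extra effect, because issues below severityThreshold are never reported in the first place. If you want every finding visible in the W3Security UI but only the worst to block the pipeline, keep severityThreshold at its default and raise failOnThreshold instead.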

Simple Container Image Testing Example

```yaml
- task: W3SecuritySecurityScan@1
  inputs:
    serviceConnectionEndpoint: 'myW3SecurityToken'
    testType: 'container'
    dockerImageName: 'my-container-image-name'
    dockerfilePath: 'Dockerfile'
    failOnIssues: true
    monitorWhen: 'always'
```

Made with 💜 by W3Security