-
Notifications
You must be signed in to change notification settings - Fork 8
/
.gitlab-ci.yml
41 lines (33 loc) · 1.33 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Use this template to audit a Yarn project for security vulnerabilities with JFrog Xray.
# The `jf audit` command works as follows:
#
# 1. It creates a dependency tree for the project, including the direct and indirect (transitives) dependencies
# 2. Scans the dependency tree with JFrog Xray
# 3. Displays the vulnerabilities found
#
# To create the dependency tree, the command expects the dependencies to be presented on the local agent.
# To ensure that, the `jf yarn install` command is executed before the `jf audit` command.
#
# Requirements:
# Configure 'ARTIFACTORY_REMOTE_REPO' variable with the npm repository in JFrog Artifactory
# from which the the dependencies can be resolved.
default:
image: node:16
include:
- remote: "https://releases.jfrog.io/artifactory/jfrog-cli/gitlab/v2/.setup-jfrog-unix.yml"
# For Windows agents:
#- remote: "https://releases.jfrog.io/artifactory/jfrog-cli/gitlab/v2/.setup-jfrog-windows.yml"
jfrog-yarn-audit:
script:
- !reference [.setup_jfrog, script]
# Configure JFrog Artifactory repositories
- jf yarnc --repo-resolve $ARTIFACTORY_REMOTE_REPO
# Use Yarn Berry
- yarn set version berry
# Ensure the project dependencies are presented locally
- jf yarn install
# Audit npm project
- jf audit
after_script:
# Cleanup
- !reference [.cleanup_jfrog, script]