To create the logging functionality needed for the new website, you have decided to reach for a third party open source software package called ‘morgan’. This package provides HTTP request logger middleware functionality.
git checkout -b ccs-feature-branch
- Read about the ‘morgan’ package at https://yarnpkg.com/package/morgan
- Using the Vscode terminal window, install the ‘morgan’ package at version 1.0.0:
yarn add [email protected] -E
Checkov should find a vulnerability in the morgan dependecy
You may find it preferable to configure environment variables for the Prisma API URL and API Key rather than specifying them as arguments to Checkov. Feel free to use whatever method you like best.
export MY_PRISMA_API_URL="https://apix.prismacloud.io" (where x=app stack)
export MY_PRISMA_KEY="<AccessKey>::<SecretKey>"
- Using the Vscode terminal window, run a local Checkov scan:
checkov -f yarn.lock --bc-api-key $MY_PRISMA_KEY --prisma-api-url $MY_PRISMA_API_URL --repo-id $USER/scascan --use-enforcement-rules
- Alternatively, if you have docker installed you may use this command:
docker run --rm -v $PWD:/checkovScan -w /checkovScan bridgecrew/checkov:latest -f yarn.lock --bc-api-key $MY_PRISMA_KEY --prisma-api-url $MY_PRISMA_API_URL --repo-id $USER/scascan
--use-enforcement-rules
git add .
git commit -m "add morgan 1.0.0 depedency"
git push --set-upstream origin ccs-feature-branch
- Open your repo on github.com
- Click the Compare & pull request button
- Double check to make sure you are merging into your own repo!
- Click the 'Create Pull Request' button
- Watch Prisma Cloud perform a code review. Think of the Prisma Cloud code review this way: A Senior Developer on the team (who is super knowledgeable about security) reviews the code and checks to make sure everything is being done correctly and securely. That developer happens to be a Prisma Cloud bot.
git checkout main
git branch -D ccs-feature-branch
git push origin --delete ccs-feature-branch