Why you should move from nsp cli to nodesecurity.io?

Adam Baldwin, Node Security
Published in Node Security · 2 min read · Nov 8, 2016

Node.js Continuous Security Monitoring at nodesecurity.io

For years the Node community has relied on the nsp (grunt-nsp and gulp-nsp) command line tools to check open source projects against our security advisory database. We know you love them because they get over 170k downloads a month, but we think you should try out nsp Continuous Security.

Below are just a few of the extra features you get.

Pull Request integration
As pull requests are submitted to your project the code is automatically checked for known vulnerabilities. We even update the pull request’s status, just like your CI.

Security status is separate from CI status
The most common configuration we see with nsp and related tooling is to run it inside CI. However, a known vulnerability in a dependency is not always exploitable in your project, so you may not want to break the build every time a new advisory matches one of your dependencies. Having a separate integration and status for security checks helps you make this distinction. Additionally, the exception management and push-button security fix features we offer let you take action right from GitHub, something that is not possible when using the nsp command line tool.

Stale repositories don’t get ignored
Every day we check your connected repositories, so that as we add advisories to our database you don’t have to wait until code is shipped to find out whether something affects your project. If we do find a risk, we’ll send you a notification. This is a great way to make sure your less active projects don’t get ignored.

Exception Management
While the nsp CLI offers a JSON file that you can edit to make exceptions, nsp Continuous Security gives you a push-button interface for exceptions along with an audit trail of who made the exception and for what reason.

Push Button Security Fixes
We recently announced the quick fix security button, which simplifies getting rid of that security risk in your project by automatically updating your pull request to update vulnerable dependencies for you.

Private repositories help support us
We only charge $1 per month per private Node repository, and that goes to help us fund the dedicated team of developers and security researchers putting this data into your hands.

We hope that you will support us, check out nodesecurity.io and give us your feedback. We’re here for you, to help you ship more secure software.

VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc