Automate DevSecOps for your Node.js application using Oracle Cloud

This blog will help you understand how to automate DevSecOps checks for Node.js applications using the Node Security Platform (nsp) on Oracle Developer Cloud Service. It covers how Developer Cloud Service can make DevSecOps part of the CI and CD pipeline for Node.js applications. This blog is the first in a series and gives a first, small step into the DevSecOps arena.

About DevSecOps

DevOps came into being to bring a cultural change that reduces the gulf between development and operations. In the same way, the intent of DevSecOps is to create a mindset in which security is ingrained in the development process. The goal is to make everyone responsible for security, and to safely distribute security decisions, at speed and scale, to the people who hold the most context, without sacrificing the safety required.

The DevSecOps mindset needs to be supported by tools and processes that help with security decision making, along with security staff who enable the use and tuning of those tools. This gives DevSecOps the ability to continuously monitor, attack and find defects before an attacker with malicious intent discovers them. Introducing standard tools and a standard platform for DevSecOps makes adoption easier and helps ingrain it in both development and operations.

Technology stack and platform used for the Blog:

  • Oracle Developer Cloud Service — As a Continuous Integration and Delivery cloud platform
  • Node.js — Sample project development stack
  • Node Security Platform (nsp) — dependency vulnerability audit tool for Node.js

About Node Security

It is a security audit tool that keeps known vulnerabilities from creeping into your projects. It reads the project's package.json and reports the known vulnerabilities in each dependency listed there, by checking the dependency versions against the Node Security advisory database. Note that the Node Security Platform was acquired by npm in 2018 and its service was shut down on 30 September 2018; on current toolchains the same dependency audit is provided by `npm audit` (npm 6 and later), and the job described below can be adapted by changing the test script accordingly.

Configuration files for Node Security:

package.json

The nsp module should be included as a dev dependency alongside the project's other dependencies. `npm test` then executes the 'nsp check' command given under 'scripts', which audits all the dependencies and lists the known vulnerabilities of each. In the sample below the versions of 'request' and 'nsp' are left as empty strings, which npm treats as "any version"; in a real project pin them, so that neither a runtime dependency nor the audit tool itself floats to whatever version is published next.

Below is the package.json sample used for this blog:

{
  "name": "NodeAppl",
  "version": "0.0.1",
  "scripts": {
    "start": "node main.js",
    "test": "nsp check"
  },
  "dependencies": {
    "body-parser": "^1.13.2",
    "express": "^4.13.1",
    "grunt": "^0.4.5",
    "grunt-contrib-compress": "^1.3.0",
    "grunt-hook": "^0.3.1",
    "load-grunt-tasks": "^3.5.2",
    "request": ""
  },
  "devDependencies": {
    "mocha": "^3.3.0",
    "nsp": ""
  }
}

Build job configuration for running the nsp tool to audit the modules listed in package.json and report their known vulnerabilities:

Give the build job a name of your choice; in this blog it is named 'DevSecOps'. Since this is a Node.js application, the JDK setting can be left at its default.

Select the repository in which the Node.js application code has been uploaded.

SCM polling is set as the trigger, so that every push to the Git repository triggers the DevSecOps build job.

Tick the 'Use NodeJS version' checkbox, then select Node.js version 4.8.0 for the build from the dropdown.

An Execute Shell build step is used here. It changes to the 'NodeSecurity' folder, installs the nsp module as a dev dependency, and runs npm test, which triggers the 'nsp check' command listed under scripts in package.json. This runs the nsp tool to audit the dependency modules listed in package.json and list their known vulnerabilities. Because nsp check exits with a non-zero status when it finds a vulnerability, the build step, and with it the job, fails; that is what turns the audit into a gate in the pipeline rather than just a report.
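The Execute Shell step above written out as a script, as an added example that is not the post's own build step. It assumes the job workspace contains the 'NodeSecurity' folder with the package.json shown earlier; the RUN_NSP_AUDIT variable is a hypothetical guard so the functions can be loaded without running npm. It adds two things the post only describes in prose: a pre-flight check that package.json is actually wired to run nsp, and an explicit verdict line derived from the exit status that fails the job.

```shell
#!/bin/sh
# Execute Shell build step for the 'DevSecOps' job.
# Added example, not the post's own script. Assumes the job's workspace holds a
# 'NodeSecurity' folder containing the package.json shown above; RUN_NSP_AUDIT
# is a hypothetical guard so the functions can be sourced without running npm.
set -eu

# Pre-flight check: confirm package.json is wired for the audit before running
# it. A repo without "test": "nsp check" would still fail `npm test`, but for
# the wrong reason, so fail early with a clear message. Plain grep is used
# because the build image cannot be assumed to have jq; it does not distinguish
# dependencies from devDependencies.
check_nsp_wiring() {
  pkg="$1"
  if ! grep -q '"test": *"nsp check"' "$pkg"; then
    echo "$pkg: the \"test\" script must be \"nsp check\"" >&2
    return 1
  fi
  if ! grep -q '"nsp": *"' "$pkg"; then
    echo "$pkg: nsp must be declared in devDependencies" >&2
    return 1
  fi
  return 0
}

# Turn the exit status of `npm test` into a one-line verdict for the build log.
# nsp check exits non-zero when any audited dependency has a known
# vulnerability, so a non-zero status must fail the job.
audit_verdict() {
  if [ "$1" -eq 0 ]; then
    echo "PASS: nsp check reported no known vulnerabilities"
  else
    echo "FAIL: nsp check found known vulnerabilities (exit status $1)"
  fi
}

# The build step proper.
run_audit() {
  cd NodeSecurity
  check_nsp_wiring package.json
  npm install                  # project dependencies from package.json
  npm install --save-dev nsp   # audit tool, recorded under devDependencies
  status=0
  npm test || status=$?        # runs "nsp check"; capture status before logging
  audit_verdict "$status"
  return "$status"             # non-zero fails the Execute Shell step
}

if [ "${RUN_NSP_AUDIT:-0}" = "1" ]; then
  run_audit
fi
```

In the Developer Cloud Service job, set RUN_NSP_AUDIT=1 in the step (or drop the guard and call run_audit directly); the non-zero return from run_audit is what marks the build failed. Using --warn-only on nsp check would turn the gate back into a report, so leave it off.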

After the nsp tool has run, the job's build log contains the audit report, listing each dependency with a known vulnerability (shown as screenshots in the original post).

These steps automate the known-vulnerability check for a Node.js application's modules using Oracle Developer Cloud Service.

Happy Coding!

**The views expressed in this post are my own and do not necessarily reflect the views of Oracle.