UNPKG

lockfile-lint/README.md

Version:

8.48 kBMarkdownView Raw

1<p align="center"><h1 align="center">
2lockfile-lint
3
4</h1>
5
6<p align="center">
7  A CLI to lint a lockfile for security policies
8</p>
9
10<p align="center">
11<a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/v/lockfile-lint" alt="npm version"/></a>
12  <a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/license/lockfile-lint" alt="license"/></a>
13  <a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/dt/lockfile-lint" alt="downloads"/></a>
14  <a href="https://travis-ci.org/lirantal/lockfile-lint"><img src="https://badgen.net/travis/lirantal/lockfile-lint" alt="build"/></a>
15  <a href="https://codecov.io/gh/lirantal/lockfile-lint"><img src="https://badgen.net/codecov/c/github/lirantal/lockfile-lint" alt="codecov"/></a>
16<a href="https://snyk.io/test/npm/lockfile-lint"><img src="https://snyk.io/test/npm/lockfile-lint/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/npm/lockfile-lint" style="max-width:100%;"></a>
17  <a href="https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a>
18</p>
19
20# About
21
22A CLI tool to lint a lockfile for security policies
23
24# Install
25
26```bash
27npm install --save lockfile-lint
28```
29
30# Usage
31
32`lockfile-lint` can be installed per a project scope, or globally and exposes a `lockfile-lint` executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.
33
34```bash
35lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>
36```
37
38Supported lockfiles:
39- npm's `package-lock.json` and `npm-shrinkwrap.json`
40- yarn's `yarn.lock`
41
42# Example
43
44An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
45
46```bash
47DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
48```
49
50**Example 2**: specify hostnames and enforce the use of HTTPS as a protocol
51
52```bash
53lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
54```
55
56- `--type yarn` is ommitted since lockfile-lint can figure it out on it's own
57- `--allowed-hosts` explicitly set to match yarn's mirror host
58
59**Example 3**: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the `git+https:` as a valid URI scheme
60
61```bash
62lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
63```
64
65- `--allowed-hosts` explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host
66- `--allowed-schemes` overrides `validate-https` and so it explicitly allows both `https:` and `git+https:` for the github URL
67
68**Example 4**: allow the lockfile to contain a package which resolves to a specific URL specified by the `--allowed-urls` option while all other packages must resolve to yarn as specified by `--allowed-hosts`
69
70```bash
71lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
72```
73
74- `--allowed-hosts` allows packages from yarn only
75- `--allowed-urls` overrides `allowed-hosts` and allows a specific Github URL to pass validation
76
77# CLI command options
78
79| command line argument        | description                                                                                                                                                                                                                                                                                | implemented    |
80| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------- |
81| `--path`, `-p`               | path to the lockfile                                                                                                                                                                                                                                                                       | ✅             |
82| `--type`, `-t`               | lockfile type, options are `npm` or `yarn`                                                                                                                                                                                                                                                 | ✅             |
83| `--validate-https`, `-s`     | validates the use of HTTPS as protocol schema for all resources in the lockfile                                                                                                                                                                                                            | ✅             |
84| `--allowed-hosts`, `-a`      | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅             |
85| `--allowed-schemes`, `-o`    | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:"                                                                                                                                                               | ✅             |
86| `--allowed-urls`, `-u`       | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`)                                                                                                                                                                                                                      | ✅             |
87| `--empty-hostname`, `-e`     | allow empty hostnames, or set to false if you wish for a stricter policy                                                                                                                                                                                                                   | ✅             |
88| `--validate-checksum`, `-c`  | check that all resources include a checksum                                                                                                                                                                                                                                                | ❌ PRs welcome |
89| `--validate-integrity`, `-i` | check that all resources include an integrity field                                                                                                                                                                                                                                        | ❌ PRs welcome |
90
91# File-Based Configuration
92
93Lockfile-lint uses [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) for configuration file support. This means you can configure the above options via (in order of precedence):
94
95- A "lockfile-lint" key in your package.json file.
96- A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
97- A .lockfile-lint.js or lockfilelint.config.js file that exports an object.
98- A .lockfile-lint.toml file, written in TOML (the .toml extension is required).
99
100The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.
101
102The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").
103
104# Contributing
105
106Please consult [CONTIRBUTING](../../CONTRIBUTING.md) for guidelines on contributing to this project.
107
108# Author
109
110**lockfile-lint** © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License.

1	`<p align="center"><h1 align="center">`
2	`lockfile-lint`
3
4	`</h1>`
5
6	`<p align="center">`
7	`A CLI to lint a lockfile for security policies`
8	`</p>`
9
10	`<p align="center">`
11	`<a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/v/lockfile-lint" alt="npm version"/></a>`
12	`<a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/license/lockfile-lint" alt="license"/></a>`
13	`<a href="https://www.npmjs.org/package/lockfile-lint"><img src="https://badgen.net/npm/dt/lockfile-lint" alt="downloads"/></a>`
14	`<a href="https://travis-ci.org/lirantal/lockfile-lint"><img src="https://badgen.net/travis/lirantal/lockfile-lint" alt="build"/></a>`
15	`<a href="https://codecov.io/gh/lirantal/lockfile-lint"><img src="https://badgen.net/codecov/c/github/lirantal/lockfile-lint" alt="codecov"/></a>`
16	`<a href="https://snyk.io/test/npm/lockfile-lint"><img src="https://snyk.io/test/npm/lockfile-lint/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/npm/lockfile-lint" style="max-width:100%;"></a>`
17	`<a href="https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a>`
18	`</p>`
19
20	`# About`
21
22	`A CLI tool to lint a lockfile for security policies`
23
24	`# Install`
25
26	```bash
27	`npm install --save lockfile-lint`
28	```
29
30	`# Usage`
31
32	`lockfile-lint` can be installed per a project scope, or globally and exposes a `lockfile-lint` executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.
33
34	```bash
35	`lockfile-lint --type <yarn\|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>`
36	```
37
38	`Supported lockfiles:`
39	- npm's `package-lock.json` and `npm-shrinkwrap.json`
40	- yarn's `yarn.lock`
41
42	`# Example`
43
44	`An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:`
45
46	```bash
47	`DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm`
48	```
49
50	`Example 2: specify hostnames and enforce the use of HTTPS as a protocol`
51
52	```bash
53	`lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https`
54	```
55
56	- `--type yarn` is ommitted since lockfile-lint can figure it out on it's own
57	- `--allowed-hosts` explicitly set to match yarn's mirror host
58
59	Example 3: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the `git+https:` as a valid URI scheme
60
61	```bash
62	`lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"`
63	```
64
65	- `--allowed-hosts` explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host
66	- `--allowed-schemes` overrides `validate-https` and so it explicitly allows both `https:` and `git+https:` for the github URL
67
68	Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the `--allowed-urls` option while all other packages must resolve to yarn as specified by `--allowed-hosts`
69
70	```bash
71	`lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2`
72	```
73
74	- `--allowed-hosts` allows packages from yarn only
75	- `--allowed-urls` overrides `allowed-hosts` and allows a specific Github URL to pass validation
76
77	`# CLI command options`
78
79	`\| command line argument \| description \| implemented \|`
80	`\| ---------------------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ \| -------------- \|`
81	\| `--path`, `-p` \| path to the lockfile \| ✅ \|
82	\| `--type`, `-t` \| lockfile type, options are `npm` or `yarn` \| ✅ \|
83	\| `--validate-https`, `-s` \| validates the use of HTTPS as protocol schema for all resources in the lockfile \| ✅ \|
84	\| `--allowed-hosts`, `-a` \| validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively \| ✅ \|
85	\| `--allowed-schemes`, `-o` \| allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" \| ✅ \|
86	\| `--allowed-urls`, `-u` \| allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) \| ✅ \|
87	\| `--empty-hostname`, `-e` \| allow empty hostnames, or set to false if you wish for a stricter policy \| ✅ \|
88	\| `--validate-checksum`, `-c` \| check that all resources include a checksum \| ❌ PRs welcome \|
89	\| `--validate-integrity`, `-i` \| check that all resources include an integrity field \| ❌ PRs welcome \|
90
91	`# File-Based Configuration`
92
93	`Lockfile-lint uses [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) for configuration file support. This means you can configure the above options via (in order of precedence):`
94
95	`- A "lockfile-lint" key in your package.json file.`
96	`- A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).`
97	`- A .lockfile-lint.js or lockfilelint.config.js file that exports an object.`
98	`- A .lockfile-lint.toml file, written in TOML (the .toml extension is required).`
99
100	`The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.`
101
102	`The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").`
103
104	`# Contributing`
105
106	`Please consult [CONTIRBUTING](../../CONTRIBUTING.md) for guidelines on contributing to this project.`
107
108	`# Author`
109
110	`lockfile-lint © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License.`