DevSecOps-Putting-Security-in-DevOps

In this workshop you will learn how to create a toolchain on IBM Cloud using the Continuous Delivery service and detect vulnerabilities in your code before pushing it to your git repository.

Step 1: Create IBM Cloud account

Sign up or sign in to your IBM Cloud account using: https://ibm.biz/BdfE9E

Step 2: Create Toolchain

To create a toolchain, first create a Continuous Delivery service: go to Catalog -> select Services from the left-hand side -> scroll down -> click on the Continuous Delivery service.


Step 3: Clone git repository

After creating the toolchain, clone your sample app to your local machine:


 git clone <link of your repository>

To check that all connections are working, modify the readme file and push it to your repository:

 git commit -am "modified readme"
 git push 

Step 4: Create Snyk account

To create a Snyk account, go to https://snyk.io/

Step 5: Connect Snyk with your repository

 npm install
 npm install -g snyk

Authorize Snyk:

 snyk auth 

Run the commands below to set up Snyk:

 snyk monitor
(Snyk uses monitoring to regularly test your code and notify you when new vulnerabilities are introduced.)

 snyk test
(The snyk test command tests a local project for known vulnerabilities.)

 snyk wizard
(This creates a .snyk file. snyk wizard configures your policy file to update, auto-patch and ignore vulnerabilities in npm & yarn projects.)

Update your git repository:

 git add .snyk
 git commit -am "added .snyk"
 git push

Step 6: Vulnerabilities test

Downgrade express.js to 4.4.5 in your package.json file to introduce known vulnerabilities into your code.

Then run the commands below again:

 npm install
 snyk test

Now you can see how Snyk reports the vulnerabilities.

Step 7: Add SAST file in your toolchain

To test for vulnerabilities in the toolchain, add a SAST testing stage to your git repository.


Now push the vulnerable code; you will notice that the SAST stage fails.

To wrap up, remove the SAST stage, upgrade express.js to the latest version and push the changes.
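To make the idea behind Steps 6 and 7 concrete, here is an added example (not part of the workshop, and not Snyk's or IBM Cloud's own code) of what a dependency scan in a SAST stage does: it reads the dependencies from a package.json object, compares each version against an advisory list, and returns findings that a pipeline gate can use to fail the stage. The advisory list, the advisory identifiers, the "fixed in" versions and the sample package.json objects are all constructed for illustration and are not real advisories; the function names are this example's own.

```javascript
// Added example: a minimal dependency scanner and stage gate, mimicking what
// `snyk test` does when the SAST stage runs. Everything below that looks like
// advisory data is CONSTRUCTED (placeholder IDs and versions), not real data.

// Parse "4.4.5" (optionally prefixed with ^ or ~) into [4, 4, 5].
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator on major.minor.patch: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Constructed advisory list: a package is affected when its version is
// strictly below `fixedIn`. The IDs are placeholders, not real advisory IDs.
const ADVISORIES = [
  { id: 'EXAMPLE-ADVISORY-001', pkg: 'express', fixedIn: '4.16.0', severity: 'high' },
  { id: 'EXAMPLE-ADVISORY-002', pkg: 'lodash', fixedIn: '4.17.21', severity: 'medium' },
];

// Scan the dependencies of a package.json object; one finding per matching advisory.
function scanDependencies(pkgJson, advisories = ADVISORIES) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    for (const adv of advisories) {
      if (adv.pkg === name && compareVersions(spec, adv.fixedIn) < 0) {
        findings.push({ id: adv.id, pkg: name, installed: spec, fixedIn: adv.fixedIn, severity: adv.severity });
      }
    }
  }
  return findings;
}

// Stage gate: fail when any finding is at or above the severity threshold,
// so the pipeline can block a push that reintroduces a known issue.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
function stagePasses(findings, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return !findings.some((f) => SEVERITY_RANK[f.severity] >= min);
}

// Constructed sample package.json objects. `vulnerablePkg` mirrors Step 6
// (express downgraded to 4.4.5); the other two version choices are made up.
const vulnerablePkg = { name: 'sample-app', dependencies: { express: '4.4.5', lodash: '^4.17.21' } };
const mediumOnlyPkg = { name: 'sample-app', dependencies: { express: '^4.17.1', lodash: '4.17.20' } };
const upgradedPkg = { name: 'sample-app', dependencies: { express: '^4.17.1', lodash: '^4.17.21' } };

// Demonstration: what the SAST stage would report for each package.json.
for (const [label, pkg] of [['vulnerable', vulnerablePkg], ['medium-only', mediumOnlyPkg], ['upgraded', upgradedPkg]]) {
  const findings = scanDependencies(pkg);
  const verdict = stagePasses(findings, 'high') ? 'passes' : 'FAILS';
  console.log(`${label}: ${findings.length} finding(s), stage (threshold high) ${verdict}`);
  for (const f of findings) {
    console.log(`  ${f.id} ${f.pkg}@${f.installed} (${f.severity}, fixed in ${f.fixedIn})`);
  }
}
```

The threshold is the design choice worth noting: a stage that fails on every finding tends to get removed (as the workshop's wrap-up step does), while a stage that fails only at or above an agreed severity and records the rest keeps the gate in place.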