gsoft-inc/azure-pipelines-lighthouse

Light House Scan is not working.

Closed this issue · 7 comments

Describe the bug
We're trying to run the scan using an Azure DevOps YAML pipeline with the following code, but it is giving an error.

Could you please kindly help here.

Also, could you please kindly help with how to download the GLH scan reports using Azure DevOps download artifacts.

Screenshots
(screenshot)

Environment (please complete the following information):
Azure DevOps Microsoft-hosted agent with the windows-latest image

YAML code used:

GLH SCAN:

```yaml
- task: Lighthouse@1
  inputs:
    url: 'https://$(json.stagingDomainName)'
    args: '--extra-headers="{"Authorization":"Basic$(MySecretPassword)"}" --quiet'
    assertions: 'no-vulnerable-libraries=1'
```

Reports Download Task:

```yaml
- task: CopyFiles@2
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)\lighthouse-reports'
    Contents: '**'
    TargetFolder: '$(Build.ArtifactStagingDirectory)'
```

Hi @ravindrai, I looked into the Google Lighthouse changelog and, starting with Lighthouse 10.x, they removed the audit no-vulnerable-libraries in this pull request.

If you really need this audit, you need to pre-install the 9.x version of Lighthouse on the build agent. I'll also need to update this project's README because I use this audit in examples and screenshots.

Also, if what you really need is to detect vulnerabilities, I would recommend using a dedicated/real code scanning tool such as Semgrep. Here's an Azure DevOps pipeline that runs Semgrep on pull requests and on a weekly schedule: https://gist.github.com/asimmon/2521ac55b612b57f528849f0a5efc48e

Thanks asimmon for the quick help.

As a workaround, can I remove the assertions: 'no-vulnerable-libraries=1' parameter and run the job? Would it work like this?

Also, please suggest how I copy the GLH scan reports and download them later in the future.

Kindly please suggest.

After removing that parameter assertions: 'no-vulnerable-libraries=1' I got the error below. Kindly please help me here.

Error:

(screenshot)

I managed to reproduce your issue.

But before that, I'd like to know if you tried to copy the sample configuration that was in this project's README screenshot. I'm talking about the no-vulnerable-libraries = 1 and --extra-headers="{\"Authorization\":\"Basic $(MySecretPassword)\"}" --quiet.

Because if you did, please understand that those were just example values. We've already talked about no-vulnerable-libraries = 1 (which no longer exists in Lighthouse). The --extra-headers=[...] is also just an example of how one could add extra HTTP headers to do basic authentication. If you don't need that, remove the CLI argument. Please also note that in this example, MySecretPassword is a secret that must be defined in Azure DevOps.

So the reason why you have an Unexpected token A in JSON at position 1 error is that you made a typo.

  • You wrote this argument: --extra-headers={Authorization:Basic$(MySecretPassword)}
  • This is the correct argument: --extra-headers="{\"Authorization\":\"Basic $(MySecretPassword)\"}" --quiet
    • Notice we escape some strings here
    • Notice the space between Basic and the $(MySecretPassword) secret variable

I would recommend you learn more about Lighthouse on its documentation page. It's also easy to reproduce the behavior of this Azure Pipeline task locally. All you have to do is:

  • Install Node.js (preferably LTS)
  • Execute Lighthouse locally with any CLI option you want to test:

```shell
npx lighthouse "https://yourwebsite.com" --quiet --output=html --output=json --output-path="/path/to/report-filename" --chrome-flags="--headless"
```

There are three ways to copy the scan reports:

  1. The first one is located in the report UI embedded in Azure Pipelines.

(screenshot)

  2. The second one is to download the pipeline logs (screenshot 1). Inside the zip file, you'll find the reports (screenshot 2).

(screenshot 1)
(screenshot 2)

  3. The third one is to use an upload artifact task. Both the JSON and HTML reports are copied to $(Agent.TempDirectory)/__lighthouse/. There might be a node_modules directory in here; do not copy it as an artifact, only the HTML and JSON files. In the screenshot below, D:\a\_temp is the value of $(Agent.TempDirectory) on your agent.

(screenshot)
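A corrected pipeline fragment that puts together the escaped --extra-headers argument from the list above and the artifact copy described in the third option. This is an added example, not code from the issue or from the task's README; the ubuntu-latest pool, the Contents exclusion pattern, the artifact name and the PublishBuildArtifacts step are my assumptions about a working setup, while the Lighthouse@1 task, its inputs, the $(MySecretPassword) secret and the __lighthouse report folder come from the thread.

```yaml
# Added example (not from the issue or the task's README).
# Assumptions: an Ubuntu hosted agent, a secret variable MySecretPassword
# defined in Azure DevOps, and a site that really needs the basic-auth header.
pool:
  vmImage: 'ubuntu-latest'   # a Windows agent is not required for Lighthouse

steps:
  - task: Lighthouse@1
    displayName: 'Lighthouse scan'
    inputs:
      url: 'https://$(json.stagingDomainName)'
      # --extra-headers takes a JSON object: the inner quotes must be escaped
      # and there is a space between "Basic" and the credential. Remove this
      # argument entirely if the site does not need extra headers.
      args: '--extra-headers="{\"Authorization\":\"Basic $(MySecretPassword)\"}" --quiet'
      # no-vulnerable-libraries was removed in Lighthouse 10.x, so no
      # assertions input is set here.

  - task: CopyFiles@2
    displayName: 'Collect Lighthouse reports'
    inputs:
      # The task writes both HTML and JSON reports here (assumed per the thread).
      SourceFolder: '$(Agent.TempDirectory)/__lighthouse'
      # Keep only the reports; the "!" line excludes any node_modules folder.
      Contents: |
        **/*.html
        **/*.json
        !node_modules/**
      TargetFolder: '$(Build.ArtifactStagingDirectory)/lighthouse-reports'

  - task: PublishBuildArtifacts@1
    displayName: 'Publish Lighthouse reports'
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)/lighthouse-reports'
      ArtifactName: 'lighthouse-reports'   # illustrative artifact name
```

The published artifact can then be downloaded from the pipeline run's Artifacts tab or with a download artifacts task in a later pipeline.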

asimmon, many thanks for the help; it is working as expected. Really thankful to you once again.

All these days we have been running the Lighthouse job on a Windows-based agent in Azure DevOps. Is it really necessary to do so?

Also, could you please kindly share more details on how to run GLH on a Linux-based agent with the command you've given above:

```shell
npx lighthouse "https://yourwebsite.com" --quiet --output=html --output=json --output-path="/path/to/report-filename" --chrome-flags="--headless"
```

@ravindrai, glad to help, but I think I will close the issue because it's not directly related to this task. At this point it's more about how to configure Azure DevOps and how to consume Google Lighthouse. I will still answer your questions:

You don't need a Windows-based agent in Azure DevOps; it's actually slower than Ubuntu agents. Read this Azure DevOps documentation to understand how to change your build agent, whether you use YAML or Classic pipelines:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=classic%2Cbrowser#designate-a-pool-in-your-pipeline

The Lighthouse CLI arguments don't change between Windows and Linux. Once again, I recommend you get familiar with the CLI by reading its documentation. Once you have tried it on your computer and found the right arguments you need (or maybe you don't need any others), copy and paste these arguments into this task.