[FAB-13051] npm audit checks

As rush and pnpm are used, implement the npm audit by instally the built artifacts to a fake directory with npm and then running npm audit Signed-off-by: Matthew B White <whitemat@uk.ibm.com> Change-Id: I9a621b8653a4dbcdd41c056398f21db173447f9f
hyperledger · Nov 7, 2019 · a63fea4 · a63fea4
1 parent 6975e81
commit a63fea4
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/ci/azure-pipelines.yml b/ci/azure-pipelines.yml
@@ -180,6 +180,28 @@ stages:
               inputs:
                 pathToPublish: tools/toolchain/network/docker-compose/logs/docker.log
                 artifactName: nodeenv-docker-image    
+
+        # Job to handle the auditing of the code
+        # NPM audit is run on a 'fake' installation of the libraries
+        # Pulling in all the dependencies it will be able to run NPM AUDIT, and if that returns a
+        # error code the job will fail.
+        - job: src_audit
+          displayName: 'Node Module Auditing'
+          dependsOn: main
+          steps:
+            - task: NodeTool@0
+              inputs:
+                versionSpec: '10.x' 
+            - task: DownloadPipelineArtifact@2
+              inputs:
+                artifact: node-tgz 
+                path: $(Build.SourcesDirectory)/audit
+            - script: |              
+                cd $(Build.SourcesDirectory)/audit && npm init -y
+                npm install --save *.tgz
+                npm install
+                npm audit
+    
     # Publish tag for the Merge build of a regular PRi.e. w
     - stage: Publish_tag
       condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))