Understand your dependencies through behavioral monitoring & prevent supply chain attacks before they impact you. ⚡
This repo demonstrates an end-to-end workflow for using lstn
with JS/TS projects ie.
- Scanning a project's dependencies automatically at every change
- Getting results (verdicts) inside dev workflows
- Customizing alerts and defining rule-based policy controls (preview)
It uses the action which is recommended for GitHub-based CI workflows. However, lstn can be integrated with any CI system through the CLI (see example workflow).
1) Invoking a scan
As is, any pull-request
event on this repo will invoke a scan. Simply create a PR with your desired dependency changes in package.json
.
2) Viewing results
View verdicts in PR comments and logs for the workflow.
See demo video.
3) Customizing alerts (optional)
- The
rules.yml
file contains a list of pre-definedjq
expressions, which can be piped with lstn outputs to enforce policy. - Setting the
rule-name
option to a name from the list (e.g.block_priority medium
) will enforce that rule. - You can also
ignore
certain behaviors, which means that CI won't be halted even if that rule condition is met.
Some examples:
# Ignore medium priority detections
- name: ignore_priority_medium
query: .[] | select(.verdicts[]?.priority == "medium")
behavior: ignore
# Halt CI if any outbound network connection is detected
- name: block_network_connection
query: .[] | .verdicts[]? | select(.message == "unexpected outbound connection destination")
lstn
currently supports JavaScript/TypeScript through the npm package manager. We're constantly expanding our ecosystem support, please reach out if you have any specific requests.
Read about our detection approach, issue coverage and other concepts at docs.listen.dev
Hang out with us on Discord, contribute to our projects on GitHub, and contact our team directly at support@garnet.ai