Scan Your Code Dependencies for Vulnerabilities (SCA)
Description
Vulnerable code dependencies can cause a range of problems for your project. Jit integrates dependency checkers (SCA tools) into CI/CD to automatically scan the full code base and every new Pull Request.
Jit also runs daily security checks automatically, re-checking your code's dependencies against vulnerabilities published over the last 24 hours. To receive zero-day notifications and recommended remediation actions, integrate Jit with Slack.
Language | Package manager | Tool | Detection | Fix guidelines | Remediation |
---|---|---|---|---|---|
JavaScript | npm | npm-audit | Yes | Yes | - |
Python | pip | OSV-scanner | Yes | Yes | Yes |
Python | Poetry | OSV-scanner | Yes | Yes | - |
PHP | Composer | OSV-scanner | Yes | Yes | - |
Go | dep, go mod | Nancy | Yes | - | - |
C# | Nuget | Trivy | Yes | Yes | - |
Java | Maven | OSV-scanner | Yes | Yes | - |
Java | Gradle | Jit Gradle Scanner | Yes | Yes | - |
Monorepo support
Additional configuration steps are required to enable dependency scanning via npm-audit within monorepos. For complete instructions, see Monorepo Support.
Fix Guidelines
When Jit detects a vulnerable package, it searches for a newer version free from that vulnerability. If found, Jit will recommend the specific version you should update to. These recommendations are provided in the form of guidelines within a Pull Request.
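The selection step described above, that is, picking a version that is free of every reported vulnerability rather than only the first one, can be reproduced over a scanner report. The following is an added example and not Jit's code; it assumes the report has the shape osv-scanner produces (a `results` list of `packages`, each carrying OSV vulnerability records with `introduced`/`fixed` range events). The report, package names and vulnerability ids are constructed for illustration.

```python
"""Derive fix guidelines from an OSV-style dependency scan report.

Added example (not Jit's own code). Assumes an osv-scanner-style JSON
layout; the report below is constructed, as are the package names and ids.
"""
import json
import re

# Constructed report in the assumed osv-scanner shape. `example-lib` has two
# findings with different fixed versions; `unpatched-lib` has no fix listed.
SCAN_REPORT = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-lib", "version": "1.4.0", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "EXAMPLE-0001", "affected": [{
                        "package": {"name": "example-lib", "ecosystem": "npm"},
                        "ranges": [{"type": "ECOSYSTEM", "events": [
                            {"introduced": "0"}, {"fixed": "1.4.2"}]}]}]},
                    {"id": "EXAMPLE-0002", "affected": [{
                        "package": {"name": "example-lib", "ecosystem": "npm"},
                        "ranges": [{"type": "ECOSYSTEM", "events": [
                            {"introduced": "1.2.0"}, {"fixed": "1.5.1"},
                            {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]}]},
                ],
            },
            {
                "package": {"name": "unpatched-lib", "version": "0.9.0", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "EXAMPLE-0003", "affected": [{
                        "package": {"name": "unpatched-lib", "ecosystem": "npm"},
                        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
                ],
            },
        ],
    }]
})


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) for ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def affected_by_range(version, events):
    """True if `version` falls inside an introduced/fixed window of one OSV range.

    Events are walked in ascending version order; the version is affected when
    the last event at or below it is an "introduced". `last_affected` events
    are not handled here.
    """
    v = parse_version(version)
    ordered = sorted(events, key=lambda e: parse_version(e.get("introduced") or e.get("fixed") or "0"))
    affected = False
    for ev in ordered:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def _ranges_for(vulns, name):
    """Yield every range that applies to package `name` across `vulns`."""
    for vuln in vulns:
        for aff in vuln.get("affected", []):
            if aff.get("package", {}).get("name") == name:
                yield from aff.get("ranges", [])


def candidate_fixed_versions(vulns, name):
    """All 'fixed' versions the findings mention for `name`, lowest first."""
    fixes = {ev["fixed"] for rng in _ranges_for(vulns, name)
             for ev in rng.get("events", []) if "fixed" in ev}
    return sorted(fixes, key=parse_version)


def is_clean(version, vulns, name):
    """True when `version` is outside every affected range of every finding."""
    return not any(affected_by_range(version, rng.get("events", []))
                   for rng in _ranges_for(vulns, name))


def recommend_fix(report_json):
    """Map each vulnerable package to the lowest listed version that clears all
    of its findings, or None when no fixed version is listed (detection only)."""
    recommendations = {}
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            name, current = pkg["package"]["name"], pkg["package"]["version"]
            vulns = pkg.get("vulnerabilities", [])
            if not vulns:
                continue
            fix = next((c for c in candidate_fixed_versions(vulns, name)
                        if parse_version(c) > parse_version(current) and is_clean(c, vulns, name)),
                       None)
            recommendations[name] = {"current": current, "recommended": fix,
                                     "vulnerabilities": [v["id"] for v in vulns]}
    return recommendations


if __name__ == "__main__":
    for name, rec in recommend_fix(SCAN_REPORT).items():
        print(f"{name} {rec['current']} -> {rec['recommended']} ({', '.join(rec['vulnerabilities'])})")
```

Note that `example-lib` is not recommended `1.4.2` even though that version closes the first finding: the second finding still covers it, so the guideline moves to `1.5.1`, the lowest version outside both ranges. A package whose findings list no fixed version gets `None`, which corresponds to the detection-only rows in the table.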
Remediation
For some languages and package managers, Jit can auto-generate fix code that resolves the finding. Remediation is made available in two modes:
- Remediation in a Pull Request, whereby the suggested code is displayed in the PR itself, and the developer can accept it by clicking Commit suggestion.
- Remediation from the Actions page, whereby the user views the finding in the Jit Platform and clicks the Create a Fix PR button to generate a new Pull Request which introduces the fix code. In the SCM, the developer reviews the newly created Pull Request and merges it to apply the fix.
Missing name property in NPM issues
If the name property is missing from the package.json file, the name property in the package-lock.json file is optional by default.