Scan Your Code Dependencies for Vulnerabilities (SCA)

Description

Vulnerable code dependencies can cause a range of problems for your project. Jit integrates dependency checkers (SCA tools) into CI/CD to automatically scan the full code base and every new Pull Request.

Jit also runs a daily security check that re-scans your code's dependencies against vulnerabilities published in the last 24 hours. To receive zero-day notifications and recommended remediation actions, integrate Jit with Slack.

Language     Package manager   Tool          Detection   Fix guidelines   Remediation
JavaScript   npm               npm-audit     Yes         Yes              -
Python       pip               OSV-scanner   Yes         Yes              Yes
PHP          Composer          OSV-scanner   Yes         Yes              -
Go           dep, go mod       Nancy         Yes         -                -
C#           Nuget             Trivy         Yes         Yes              -
Java         Maven             OSV-scanner   Yes         Yes              -

📘 Monorepo support

Additional configuration steps are required to enable dependency scanning via npm-audit within monorepos. For complete instructions, see Monorepo Support.

Fix Guidelines

When Jit detects a vulnerable package, it searches for a newer version of that package that is free from the vulnerability. If one is found, Jit recommends the specific version you should update to. These recommendations are provided as guidelines within a Pull Request.
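The version search described above can be illustrated with an OSV-style advisory, since OSV-scanner is one of the tools in the table. The following is an added example, not Jit's own code or the OSV-scanner implementation: it parses a constructed advisory record (the advisory id, package name and version list are placeholders), decides whether an installed version falls inside an affected range, and recommends the lowest newer version outside every affected range. It assumes plain dotted numeric versions; the "lowest unaffected newer version" policy is this example's choice, not a statement of how Jit selects versions.

```python
"""Pick a remediation version from an OSV-style advisory.

Added example. The advisory, package name and version list are constructed
placeholders for illustration and do not describe a real package.
"""
import json
from typing import Iterator, List, Optional, Tuple

# Constructed OSV-style advisory. The field names follow the OSV schema
# (affected -> package / ranges -> events); the values are placeholders.
ADVISORY_JSON = """
{
  "id": "EXAMPLE-0000-0001",
  "summary": "Constructed example advisory for illustration",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplelib"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}
      ]
    }
  ]
}
"""
ADVISORY = json.loads(ADVISORY_JSON)

# Constructed list of versions "published" for the placeholder package.
AVAILABLE = ["1.3.0", "1.4.1", "1.4.2", "2.0.0", "2.0.5"]

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn a dotted numeric version ("1.4.2") into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def affected_ranges(advisory: dict, ecosystem: str, name: str
                    ) -> Iterator[Tuple[Version, Optional[Version]]]:
    """Yield (introduced, fixed) pairs for the package; fixed is None when
    the advisory records no fix for that range."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges use commit hashes, not versions
            introduced: Optional[Version] = None
            for event in rng.get("events", []):
                if "introduced" in event:
                    introduced = parse_version(event["introduced"])
                elif "fixed" in event and introduced is not None:
                    yield introduced, parse_version(event["fixed"])
                    introduced = None
            if introduced is not None:
                yield introduced, None  # open-ended: everything after is affected


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if `version` lies in any [introduced, fixed) range of the advisory."""
    v = parse_version(version)
    for introduced, fixed in affected_ranges(advisory, ecosystem, name):
        if introduced <= v and (fixed is None or v < fixed):
            return True
    return False


def recommend_fix(advisory: dict, ecosystem: str, name: str,
                  installed: str, available: List[str]) -> Optional[str]:
    """Return the version to pin: the installed version itself when it is not
    affected, otherwise the lowest available newer version that is outside
    every affected range, or None when no such version exists."""
    if not is_affected(advisory, ecosystem, name, installed):
        return installed
    inst = parse_version(installed)
    for vt, raw in sorted((parse_version(a), a) for a in available):
        if vt > inst and not is_affected(advisory, ecosystem, name, raw):
            return raw
    return None


if __name__ == "__main__":
    for installed in ("1.3.0", "1.4.2", "2.0.1"):
        fix = recommend_fix(ADVISORY, "PyPI", "examplelib", installed, AVAILABLE)
        print(f"examplelib=={installed}: recommend {fix}")
```

Note that a version that is greater than the installed one but still inside a later affected range (2.0.0 in the constructed advisory) is skipped, which is why the check is "not affected" rather than "above the nearest fixed event".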

Inline Remediation Guidelines in a Pull Request

Remediation

For some languages and package managers, Jit can auto-generate fix code that resolves the finding. Remediation is made available in two modes:

  1. Remediation in a Pull Request, whereby the suggested code is displayed in the PR itself, and the developer can accept it by clicking Commit suggestion.

Inline Remediation in a Pull Request

  2. Remediation from the Actions page, whereby the user views the finding in the Jit Platform and clicks the Create a Fix PR button to generate a new Pull Request that introduces the fix code. In GitHub, the developer reviews the newly created Pull Request and merges it to apply the fix.

Available Remediation in the Actions Page

The Pull Request is then created in GitHub.

Fix Pull Request Created by Jit

The developer can review the code change and merge the Pull Request to apply the fix.

Viewing the Code Change

📘 Missing name property in npm issues

If the name property is missing from the package.json file, the name field in the package-lock.json file is left empty by default.