
Executable Tutorial: Submission (maxisr-raeef) #2648

Merged: 5 commits, Oct 16, 2024

Conversation

@Blezie (Contributor) commented Oct 14, 2024

Assignment Proposal

Title

Dependency Management and Security Auditing in npm with Snyk + GitHub Actions

Names and KTH ID

Deadline

  • Task 3

Category

  • Executable Tutorial

Description

We will guide users through managing, checking, and securing npm dependencies. The tutorial will start with using npm audit for basic vulnerability detection. We will then show how to add Snyk for better scanning and analysis. We'll also include a section on how to integrate this with GitHub Actions, showing how to create the necessary YAML files.

We want to create this executable tutorial with Killercoda.

Relevance

This is relevant for DevOps because keeping dependencies secure makes the software safer and more reliable, which can help prevent issues from reaching production.

The executable tutorial can be found at Killercoda and at GitHub.

@marcusalstrom (Contributor)

Would love to give you guys feedback on this!

@marcusalstrom marcusalstrom mentioned this pull request Oct 15, 2024
@javierron (Collaborator)

@Blezie Thanks for the submission. You need to resolve the conflicts before I can merge.

@javierron javierron self-assigned this Oct 16, 2024
@Blezie (Contributor, Author) commented Oct 16, 2024

@javierron The conflict should now be resolved.

@marcusalstrom (Contributor)

Feedback

I certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

Strengths

  • Well-defined learning outcomes: You explain the learning outcomes and how DevOps aligns with them very well. On top of this, npm is something that is used very often, so you definitely reach a larger audience.

  • Good flow and structure: The flow of the tutorial is excellent. I really like that you begin at a higher level and only explain the tools in more detail as they come instead of introducing everything in detail all at once. This gives the reader a great background before jumping into the steps of the tutorial. The language you use is also very pedagogical with less focus on technicalities and more focus on teaching.

  • Easy to follow commands: You explain all commands very well, including all the flags used and why. To add to this, you also provide all the commands needed to complete the tutorial, even things such as creating a file which ensures that people with less knowledge can still follow the tutorial from start to finish. It’s like the tutorial has training wheels, but I don’t feel embarrassed to use them!

Weaknesses & suggestions

  • Learning outcome for GitHub Actions: Overall, your learning outcomes are very clear. However, for someone not too familiar with GitHub Actions, I could see the last part of setting up Snyk in your workflows being a bit cumbersome. Extending this part by either linking to other resources or with figures explaining the process of setting up GitHub Actions could've been beneficial to really emphasize the GitHub Actions intended learning outcome.

  • Fixing vulnerabilities using Snyk: You mentioned in the introduction that we will "learn how to manage, check, and secure npm dependencies". You also mention in Key Tools and Concepts that Snyk can "automatically find and fix vulnerabilities". Based on this I would assume that there would be some part explaining how you could actually fix these vulnerabilities using Snyk but unfortunately that never showed up. Then again this was never proposed in the learning outcomes, so it’s more a case of the introduction setting slightly unrealistic expectations.

  • Technical issue: When running npm install -g snyk during step 2 I'm met with a permission error and an npm compatibility warning. However, snyk still works, so it luckily doesn't actually affect the end result. It appears that [email protected] is incompatible with npm version 6.14.4. Maybe this is just on my side, but if this is intended, I think it would be good to inform the user of why all these errors/warnings appear in the terminal.

Last couple of lines from the error message:

npm WARN notsup Unsupported engine for [email protected]: wanted: {"node":">=12"} (current: {"node":"10.19.0","npm":"6.14.4"})
npm WARN notsup Not compatible with your version of node/npm: [email protected]

Smaller details

  • I noticed you did reveal your own API key for Snyk. I do understand why you provide it based on the grading criteria stating that the tutorial should not require an account. Just make sure to remove it after the course is done!

  • Would've also been nice to provide some examples on vulnerabilities that Snyk can detect but npm audit cannot. The only real benefit of using Snyk, based on the tutorial, was that you could utilize monitoring.

Summary

Overall a very good executable tutorial. I managed to run it from beginning to end first try without any major issues. Although the tutorial does not delve super deep into any one tool, I still got valuable insights into how I can use them and the capabilities of tools such as Snyk, something I hadn't encountered before, along with GitHub Actions to see the security state of my project. P.S., yes I did find your Easter egg! :)

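A worked example of the pipeline the proposal describes (npm audit first, then Snyk, then a GitHub Actions workflow) that also addresses the two operational points raised in the feedback above: the Snyk API key that was pasted into the tutorial, and the engine warnings from installing snyk under an old system Node/npm 6. This is an added example, not a file from the tutorial, from the submission repository or from the Snyk project. It assumes an npm project with a committed package-lock.json, a repository secret named SNYK_TOKEN holding the Snyk API token, and the file path .github/workflows/dependency-audit.yml; the Node.js version and severity thresholds are choices, not values from the page.

```yaml
# .github/workflows/dependency-audit.yml
# Added example, not the tutorial's own workflow. Assumes: an npm project with
# package-lock.json and a repository secret named SNYK_TOKEN.
name: Dependency audit

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the job's GITHUB_TOKEN: auditing only needs to read the repo.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Pin a supported Node.js version. The "Unsupported engine ... wanted
      # node >=12" warnings in the feedback came from a Node 10 / npm 6 host;
      # setup-node gives the job a current Node and npm instead.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # Install exactly what the lockfile records rather than resolving anew.
      - run: npm ci

      # Step 1 of the tutorial: the built-in audit. --audit-level makes the
      # step exit non-zero only when a high or critical advisory is present,
      # so low/moderate findings are reported without failing the build.
      - name: npm audit
        run: npm audit --audit-level=high

      # Step 2: Snyk. The token is read from a repository secret, never from
      # the workflow file or the tutorial text. GitHub does not pass secrets to
      # workflows triggered by pull requests from forks, so skip the step there
      # instead of failing on an empty SNYK_TOKEN.
      - name: Snyk test
        if: github.event.pull_request.head.repo.fork != true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          npm install -g snyk
          snyk test --severity-threshold=high

      # Step 3: the monitoring the feedback mentions. Run it only on pushes to
      # main so the Snyk project view tracks the mainline, not every PR branch.
      - name: Snyk monitor
        if: github.event_name == 'push'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk monitor
```

The secret is created under the repository's Settings, then Secrets and variables, then Actions, and is referenced only through the secrets context, so it never appears in the YAML or in the job log. On the key that was published in the tutorial: deleting it from the text after the course does not unpublish it, since it stays in git history and in any fork or Killercoda copy; the token itself should be revoked in the Snyk account settings and a new one issued, which is the cleanup step the feedback's "remove it" suggestion actually requires.
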
@javierron javierron merged commit 24f41ad into KTH:2024 Oct 16, 2024
1 check passed