garnet-org/sandbox

listen.dev demos

lstn Release Notes

Understand your dependencies through behavioral monitoring & prevent supply chain attacks before they impact you. ⚡

🐬 Intro

This repo demonstrates an end-to-end workflow for using lstn with JS/TS projects, i.e.

  1. Scanning a project's dependencies automatically at every change
  2. Getting results (verdicts) inside dev workflows
  3. Customizing alerts and defining rule-based policy controls (preview)

It uses the GitHub Action, which is the recommended integration for GitHub-based CI workflows. However, lstn can be integrated with any CI system through the CLI (see the example workflow).

🪜 Step-by-step guide

1) Invoking a scan

As is, any pull request event on this repo will invoke a scan. Simply create a PR with your desired dependency changes in package.json.

2) Viewing results

View verdicts in the PR comments and in the logs of the workflow run.

See demo video.

3) Customizing alerts (optional)

  • The rules.yml file contains a list of pre-defined jq expressions through which lstn output can be piped to enforce policy.
  • Setting the rule-name option to a name from that list (e.g. block_priority medium) enforces that rule.
  • You can also ignore certain behaviors, which means that CI won't be halted even if that rule's condition is met.

Some examples:

```yaml
# Ignore medium priority detections
- name: ignore_priority_medium
  query: .[] | select(.verdicts[]?.priority == "medium")
  behavior: ignore

# Halt CI if any outbound network connection is detected
- name: block_network_connection
  query: .[] | .verdicts[]? | select(.message == "unexpected outbound connection destination")
```
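To show how the two rules above decide whether CI halts, here is an added example (not part of this repo or of lstn) that evaluates them against a constructed lstn-style verdict list. It assumes the JSON shape the jq queries imply (a list of packages, each with a `verdicts` list), re-expresses the jq filters as Python predicates instead of invoking jq, and assumes a rule without `behavior:` halts CI.

```python
"""Evaluate rules.yml-style policy against lstn verdict output (added example)."""
import json

# Constructed sample in the shape the page's jq queries assume; real lstn
# output may carry additional fields.
SAMPLE_LSTN_OUTPUT = json.dumps([
    {"name": "left-pad", "version": "1.3.0", "verdicts": []},
    {"name": "pkg-a", "version": "0.0.1", "verdicts": [
        {"priority": "medium",
         "message": "unexpected outbound connection destination"},
    ]},
    {"name": "pkg-b", "version": "2.0.0", "verdicts": [
        {"priority": "medium", "message": "npm install script"},
    ]},
])

# The two rules from rules.yml, with each jq query mirrored as a predicate
# over a single verdict (assumption: same matching semantics, no jq process).
RULES = {
    "ignore_priority_medium": {
        "match": lambda v: v.get("priority") == "medium",
        "behavior": "ignore",
    },
    "block_network_connection": {
        "match": lambda v: v.get("message")
        == "unexpected outbound connection destination",
        "behavior": "block",  # assumption: no `behavior:` means halt CI
    },
}


def evaluate(output_json, rule_name):
    """Return (halt_ci, matched_package_names) for the selected rule-name.

    `.verdicts[]?` in jq tolerates a missing/null list, so we do the same.
    """
    rule = RULES[rule_name]
    matched = [
        pkg["name"]
        for pkg in json.loads(output_json)
        if any(rule["match"](v) for v in (pkg.get("verdicts") or []))
    ]
    # An `ignore` rule reports matches but never halts the pipeline.
    halt_ci = bool(matched) and rule["behavior"] == "block"
    return halt_ci, matched
```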

🧰 Supported platforms

lstn currently supports JavaScript/TypeScript through the npm package manager. We're constantly expanding our ecosystem support; please reach out if you have any specific requests.

📖 Documentation

Read about our detection approach, issue coverage and other concepts at docs.listen.dev.

🔗 Connect with listen.dev tribe

Hang out with us on Discord, contribute to our projects on GitHub, and contact our team directly at [email protected].
