feat: add pnpm audit security test#23

Merged
ant-gferreira merged 5 commits into
mainfrom
feat/pnpm-audit
Jun 9, 2026

Conversation

@ant-gferreira

Contributor

Summary

Adds pnpmaudit as a new Language-type security test for JavaScript repos using pnpm, alongside the existing npmaudit (npm) and yarnaudit (yarn).

Detection Strategy

In-cmd detection — the shell script checks for pnpm-lock.yaml and silently skips if not found, matching the existing npm/yarn pattern. All three tests run in parallel via errgroup; the wrong package manager test produces empty output.

Lockfile Awareness Fix

All three JS audit tests are now mutually aware of each other's lockfiles:

  • npm audit only emits ERROR_PACKAGE_LOCK_NOT_FOUND when neither yarn.lock nor pnpm-lock.yaml exists
  • yarn audit only emits ERROR_YARN_LOCK_NOT_FOUND when neither package-lock.json nor pnpm-lock.yaml exists
  • pnpm audit only emits ERROR_PNPM_LOCK_NOT_FOUND when neither package-lock.json nor yarn.lock exists

When all three report lockfile-not-found (no lockfile in the repo), the 3 individual LOW vulns are coalesced into a single HIGH vuln — because HuskyCI genuinely cannot audit the repo's dependencies.

Files Changed

| Layer | Files | What |
| --- | --- | --- |
| Config | api/config.yaml | pnpmaudit block + mutual lockfile checks |
| API types | api/types/types.go | HuskyCIPnpmAuditOutput in JavaScriptResults |
| API context | api/context/context.go | PnpmAuditSecurityTest field + wiring |
| API seeding | api/util/api/api.go | Registration + seeding |
| Parser | api/securitytest/pnpmaudit.go | New — analyzer with advisories JSON key |
| Dispatch | api/securitytest/securitytest.go | Dispatch map + PnpmLockNotFound field |
| Routing | api/securitytest/run.go | Const + vulnOutput + coalescing logic |
| API tests | api/securitytest/pnpmaudit_test.go | New — 5 parser tests |
| API tests | api/securitytest/run_test.go | 2 coalescing tests |
| Client types | client/types/types.go, client/types/pnpmaudit.go | Mirrored types + Summary |
| Client output | client/analysis/output.go | Print + summary aggregation |
| Client tests | client/analysis/output_pnpmaudit_test.go | New — 2 output tests |
| SonarQube | client/integration/sonarqube/sonarqube.go | Collection for SQ |
| Docker | deployments/dockerfiles/pnpmaudit/Dockerfile | New — node:alpine + pnpm@11.5.2 |
| CLI | cli/analysis/analysis.go | Add pnpmaudit to JS tool list |
| Docs | README.md | Language table + disable flag + scanner pods |
| Plan | docs/plans/2026-06-08-pnpm-audit.md | Full implementation plan |

Test Results

  • 92 API tests pass (incl. 5 pnpm parser + 2 coalescing)
  • 18 client tests pass (incl. 2 pnpm output tests)
  • All existing tests unaffected

Post-Merge (Phase C — separate PRs)

  • Build + push huskyci-pnpmaudit Docker image to ECR
  • Create ECR repository
  • Rebuild API image (config.yaml baked in)
  • Rebuild client image
  • Update k8s-infrastructure-live values.yaml
  • Update .github anotaai-sast.yml client image tag

Adds pnpmaudit as a Language-type security test for JavaScript repos
using pnpm. Uses in-cmd detection (checks pnpm-lock.yaml, silent skip
if not found) matching the existing npm/yarn audit pattern.

14 touchpoints across API, client, and Docker:
- api/config.yaml: pnpmaudit block with image huskyci/pnpmaudit:11.5.2
- api/types/types.go: HuskyCIPnpmAuditOutput in JavaScriptResults
- api/context/context.go: PnpmAuditSecurityTest + SetOnceConfig wiring
- api/util/api/api.go: seeding + checkSecurityTest registration
- api/securitytest/pnpmaudit.go: parser with advisories JSON key
- api/securitytest/securitytest.go: dispatch map entry
- api/securitytest/run.go: const + vulnOutput routing
- api/securitytest/pnpmaudit_test.go: 4 parser unit tests
- client/types/types.go: mirrored JavaScriptResults + Summary
- client/types/pnpmaudit.go: client-level PnpmAuditOutput types
- client/analysis/output.go: print + summary + exit-code via FoundVuln
- client/analysis/output_pnpmaudit_test.go: 2 output tests
- client/integration/sonarqube/sonarqube.go: collection for SQ
- deployments/dockerfiles/pnpmaudit/Dockerfile: node:alpine + pnpm@11.5.2

All three JS security tests (npm, yarn, pnpm) now check for ALL
recognized lockfiles before emitting a lockfile-not-found error.
Previously npm and yarn only checked each other, so pnpm repos got
false LOW vulns from both.

Changes:
- config.yaml: npm/yarn else-branches now also check pnpm-lock.yaml;
  pnpm audit gains an else-branch checking package-lock.json + yarn.lock
- securitytest.go: add PnpmLockNotFound field to SecTestScanInfo
- pnpmaudit.go: detect ERROR_PNPM_LOCK_NOT_FOUND, set flag, emit low vuln
- run.go: RunAllInfo tracks all three lockfile-not-found flags;
  coalesceJsLockfileErrors() replaces 3 LOW vulns with 1 HIGH vuln
  when no lockfile exists at all
- Tests: 5 pnpm parser tests + 2 coalescing tests (all-three, not-all)
@ant-gferreira ant-gferreira requested a review from a team as a code owner June 9, 2026 00:02
The GetAPIConfig test compares a hardcoded expected struct against
the actual APIConfig. Since PnpmAuditSecurityTest was added to the
struct, the test expected it to be nil but the production code now
populates it from config.
@ant-gferreira ant-gferreira merged commit e640140 into main Jun 9, 2026
8 checks passed