bun.sh/docs/install/security-scanner-api.md
Alistair Smith efdbe3b54f bun install Security Scanner API (#21183)
### What does this PR do?

Fixes #22014

todo:
- [x] not spawn sync
- [x] better comm to subprocess (not stderr)
- [x] tty
- [x] more tests (also include some tests for the actual implementation
of a provider)
- [x] disable autoinstall?

Scanner template: https://github.com/oven-sh/security-scanner-template


---

- [x] Documentation or TypeScript types (it's okay to leave the rest
blank in this case)
- [x] Code changes

### How did you verify your code works?


tests (bad currently)

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Dylan Conway <dylan-conway@users.noreply.github.com>
Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
2025-08-21 14:53:50 -07:00

Bun's package manager can scan packages for security vulnerabilities before installation, helping protect your applications from supply chain attacks and known vulnerabilities.

## Quick Start

Configure a security scanner in your `bunfig.toml`:

```toml
[install.security]
scanner = "@acme/bun-security-scanner"
```

When configured, Bun will:

- Scan all packages before installation
- Display security warnings and advisories
- Cancel installation if critical vulnerabilities are found
- Automatically disable auto-install, so no package is fetched without being scanned

## How It Works

Security scanners analyze packages during `bun install`, `bun add`, and other package operations. They can detect:

- Known security vulnerabilities (CVEs)
- Malicious packages
- License compliance issues
- ...and more!

## Security Levels

Scanners report issues at two severity levels:

- `fatal` - Installation stops immediately and Bun exits with a non-zero code
- `warn` - In interactive terminals, Bun prompts whether to continue; in CI, it exits immediately

## Using Pre-built Scanners

Many security companies publish Bun security scanners as npm packages that you can install and use immediately.

### Installing a Scanner

Install a security scanner from npm:

```bash
$ bun add -d @acme/bun-security-scanner
```

Note: Consult your security scanner's documentation for its specific package name and installation instructions. Most scanners are installed with `bun add`.

### Configuring the Scanner

After installation, configure it in your `bunfig.toml`:

```toml
[install.security]
scanner = "@acme/bun-security-scanner"
```

### Enterprise Configuration

Some enterprise scanners may support authentication and/or configuration through environment variables:

```bash
# This might go in ~/.bashrc, for example
export SECURITY_API_KEY="your-api-key"

# The scanner will now use these credentials automatically
bun install
```

Consult your security scanner's documentation to learn which environment variables to set and whether any additional configuration is required.

## Authoring your own scanner

For a complete example with tests and CI setup, see the official template: github.com/oven-sh/security-scanner-template
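What a scanner package's entry module could look like, as an added example that is neither this page's code nor the template repository's: the export shape (a `scanner` object with `version: "1"` and `scan({ packages })` resolving to advisories whose level is `fatal` or `warn`) is an assumption taken from the template, since this page documents only the two severity levels, and the advisory feed is constructed inline.

```typescript
// Added example, not code from the page or the template repository. ASSUMPTION:
// the entry module exports `scanner` with version "1" and a scan({ packages })
// function resolving to advisories whose level is "fatal" or "warn".
type Level = "fatal" | "warn";
interface PackageInfo {
  name: string;     // package name as resolved by bun install
  version: string;  // exact version about to be installed
  tarball: string;  // URL the tarball would be fetched from
}

interface Advisory {
  level: Level;
  package: string;
  url: string | null;
  description: string | null;
}

// Constructed local advisory feed standing in for a vendor database (exact versions only).
const ADVISORIES: Record<string, { versions: string[]; level: Level; description: string }[]> = {
  "example-left-pad": [{ versions: ["1.3.0"], level: "fatal",
    description: "constructed: release pushed from a compromised maintainer account" }],
  "example-logger": [{ versions: ["2.0.0", "2.0.1"], level: "warn",
    description: "constructed: license changed to a non-OSI license" }],
};

export function findAdvisories(packages: PackageInfo[]): Advisory[] {
  const found: Advisory[] = [];
  for (const pkg of packages) {
    for (const entry of ADVISORIES[pkg.name] ?? []) {
      if (entry.versions.includes(pkg.version)) {
        found.push({ level: entry.level, package: pkg.name, url: null, description: entry.description });
      }
    }
  }
  return found;
}

// Mirrors the page's two levels: any "fatal" stops the install; "warn" alone
// prompts in a TTY and aborts in CI; null means nothing was flagged.
export function worstLevel(advisories: Advisory[]): Level | null {
  if (advisories.some((a) => a.level === "fatal")) return "fatal";
  if (advisories.some((a) => a.level === "warn")) return "warn";
  return null;
}

export const scanner = {
  version: "1" as const,
  scan: async ({ packages }: { packages: PackageInfo[] }): Promise<Advisory[]> => findAdvisories(packages),
};
```

The lookup is kept synchronous and separate from `scan` so the matching and severity logic can be unit-tested without running `bun install`.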