January 20, 2021 By Steven Weaver 2 min read

In this article, we’ll show you how you can quickly set up Code Risk Analyzer to scan a simple Node.js app in your Git repo.

Code Risk Analyzer — a part of IBM Cloud Continuous Delivery — takes all of your Git-based code, configurations and deployment artifacts, builds a dependency graph and runs a pipeline of regulatory compliance control checks. It is embedded into existing development workflows, such as creating a change request or promoting a code change into the main development branch. It integrates the comprehensive security coverage and rich threat intelligence provided by Snyk and other sources to help developers automatically find, prioritize and fix vulnerabilities in open-source dependencies and containers, early in their workflow.

Setting up your toolchain

Code Risk Analyzer supports the Java™, Node.js and Python languages. For Node.js, dependencies are calculated by using the following files:

  • package-lock.json: The purpose of the file is to provide a manifest that calls out the exact version of every package in your tree the last time you ran npm install. It’s this file that Code Risk Analyzer uses to identify package dependencies in your code.
  • deployment.yml: This file specifies all the parameters involved in deploying your application to the Kubernetes cluster. This file is scanned for any misconfigurations or potential security or compliance issues, based on community and industry standards.
  • dockerfile: A dockerfile is a recipe for building Docker images, and the act of running a build command produces the image from that recipe. Code Risk Analyzer scans the dockerfile for OS and image dependencies which are then checked against known vulnerabilities.

To scan your repository, follow these steps (for more details, see the Code Risk Analyzer documentation):

  1. Use the Build your own toolchain template to create an empty toolchain. Note that currently, Code Risk Analyzer is available only in the Dallas region.
  2. Add the DevOps Insights tool integration to the toolchain.
  3. Add the code repo that contains the code you want to scan to the toolchain. For example, add a GitHub or GitLab repo.
  4. Create an API key to authenticate with Code Risk Analyzer.
  5. Create and configure a Tekton pipeline.
  6. Create a new Merge/Pull request in your repo. When the request is submitted, Code Risk Analyzer will automatically run a Tekton delivery pipeline to scan your repo. 
  7. Results of the scan will be shown in your Merge/Pull Request. 

Watch the how-to video

More resources and getting started

Code Risk Analyzer is included as part of IBM Cloud Continuous Delivery and is available in the IBM Cloud Dallas (US-South) region.

  • Read the IBM Research blog on Code Risk Analyzer.
  • For more information on Code Risk Analyzer, see the documentation
  • If you have any questions, get help directly from the IBM Cloud development teams by joining us on Slack.
Was this article helpful?
YesNo

More from Cloud

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Tech Now: April 8, 2024

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 96 On this episode, we're covering the following topics: IBM Cloud Logs A collaboration with IBM watsonx.ai and Anaconda IBM offerings in the G2 Spring Reports Stay plugged in You can check out the…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters