Merge pull request #11 from Snyk/develop

tkadlec · web-flow · commit 478377bd70b3 · 2016-11-02T11:25:04.000-05:00
Merge latest changes from develop
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,13 @@
+Copyright 2016 Snyk Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/README.md b/README.md
@@ -9,25 +9,21 @@
 
 Around 14% of npm packages carry a known vulnerability, and new vulnerabilities are being [discovered every day](https://snyk.io/vuln). The Serverless Snyk plugin helps you keep your application secure by allowing you to check the Node.js dependencies in your [Serverless](https://github.com/serverless/serverless) app for known vulnerabilities using [Snyk](https://snyk.io).
 
+[Read more about Serverless security and how vulnerable open source packages affect it on the Snyk blog.](https://snyk.io/blog/Serverless-Security-Vulnerabilities/)
+
 For Serverless v1 only.
 
 ## How do I use it?
 
-1. Install Snyk using npm
-
-    `npm install -g snyk` 
-
-2. Run `snyk wizard` in your project
-
-    To get started, you'll need to run `snyk wizard`, which will create a Snyk policy file as well as prompt you to fix any discovered vulnerabilities.
+1. Fix any existing vulnerable packages using [Snyk's GitHub integration](https://snyk.io/docs/github/) or [Snyk wizard](https://snyk.io/docs/using-snyk/#wizard).
 
-3. Install the Serverless Snyk plugin using npm
+2. Install the Serverless Snyk plugin using npm
 
    `npm install serverless-snyk --save`
 
    You should now have Serverless Snyk installed and ready to go. You can confirm that the plugin has been installed by running `serverless` from your command line. You should see the Snyk plugin in the list of installed plugins. 
 
-4. Add the plugin to your Serverless config
+3. Add the plugin to your Serverless config
 
    Next, you'll need to add the plugin to your `serverless.yml` file:
 
@@ -36,7 +32,7 @@ For Serverless v1 only.
       - serverless-snyk
    ```
 
-5. Optional: Get a Snyk API Key
+4. Optional: Get a Snyk API Key
 
    To avoid running into API rate limits and to enable [continuous monitoring](#continuous-monitoring), you'll need to [sign up for a Snyk account](https://snyk.io/auth/github) (if you don't have one already) and copy the API token from your dashboard. Detailed instructions on how to include the API token in your configuration are included in the [setting an API key](#setting-an-api-key) section below.
 
@@ -57,7 +53,7 @@ snykAuth=YOUR_API_TOKEN
 ```
 
 ### Deploying even if vulnerabilities are discovered
-By default, Serverless Snyk will stop serverless from deplying if Snyk detects any vulnerabilities in your dependencies. Each vulnerability will also be outputted, and you'll be prompted to run `snyk wizard` to address the issues. 
+By default, Serverless Snyk will stop serverless from deploying if Snyk detects any vulnerabilities in your dependencies. Each vulnerability will also be outputted, and you'll be prompted to run `snyk wizard` to address the issues. 
 
 If you would like serverless to deploy your application even if Snyk finds known vulnerabilities, you can accomplish this by using a custom variable in your `serverless.yml` file.
 
@@ -84,4 +80,4 @@ custom:
 
 ### License
 
-MIT
+[License: Apache License, Version 2.0](LICENSE)
diff --git a/index.js b/index.js
@@ -1,5 +1,6 @@
 'use strict';
 
+const fs = require('fs');
 const snyk = require('snyk/lib');
 const chalk = require('chalk');
 const BbPromise = require('bluebird');
@@ -11,6 +12,7 @@ class ServerlessSnyk {
     this.serverless = serverless;
     this.options = options;
     this.snyk = snyk;
+    this.snykCLI = 'node ./node_modules/snyk/cli';
 
     /* Defaults to be overriden in serverless.yml file */
     this.breakOnVuln = true;
@@ -45,7 +47,7 @@ class ServerlessSnyk {
   }
   auth() {
     if (process.env.snykAuth) {
-      var cmd = 'snyk auth ' + process.env.snykAuth;
+      var cmd = this.snykCLI + ' auth -api ' + process.env.snykAuth;
       try {
         var auth = execSync(cmd);
         this.serverless.cli.log(
@@ -64,7 +66,7 @@ class ServerlessSnyk {
   takeSnapshot() {
     if (this.monitor && this.authenticated) {
       try {
-        var monitor = execSync('snyk monitor');
+        var monitor = execSync(this.snykCLI + ' monitor');
         var output = monitor.toString().split('\n\n');
         for (var i = 0; i < output.length; i++) {
           if (output[i] != '\n') {
@@ -115,19 +117,29 @@ class ServerlessSnyk {
 
   protect() {
     var path = process.cwd();
-    var that = this;
-    try {
-      var protect = execSync('snyk protect');
-      that.serverless.cli.log(
-        protect.toString().replace(new RegExp('\r?\n','g'), '')
-      );
-    } catch (error) {
-      if (error.stderr) {
-        throw new that.serverless.classes.Error(error.stdout.toString());
+    var self = this;
+
+    fs.exists(path + '/.snyk', function (exists) {
+      if (exists) {
+        try {
+          var protect = execSync(self.snykCLI + ' protect');
+          self.serverless.cli.log(
+            protect.toString().replace(new RegExp('\r?\n','g'), '')
+          );
+        } catch (error) {
+          if (error.stderr) {
+            throw new self.serverless.classes.Error(error.stdout.toString());
+          } else {
+            throw error;
+          }
+        }
       } else {
-        throw error;
+        self.serverless.cli.log(
+          'No Snyk protect policy was found. Skipping updates and patches.');
+        self.serverless.cli.log(
+          'Try running `snyk wizard` to define a Snyk policy.');
       }
-    }
+    });
   }
 }
 
