Detecting Vulnerabilities and Sharing Results via Email
This guide outlines how to use the Safety CLI tool to detect vulnerabilities in your project dependencies and to send an email notification automatically when vulnerabilities are found.
This process involves configuring a policy file to define the behavior of the scan and crafting a command to execute the scan and send the email based on the scan results.
Configuring the Policy File
To begin, generate a policy file that dictates how the Safety CLI scanner operates. The policy file lets you customize the scan, including settings that stop the scan from returning a non-zero exit code when vulnerabilities are found, so that the email, rather than a failed job, is what surfaces them.
Follow these steps:
Generate a new policy file by running:
Open the generated .safety_policy.yml file and modify it as follows so that the scanner does not exit with a failure code when it detects vulnerabilities:
Place this .safety_policy.yml at the root of your project directory. For more detailed information on Safety CLI's policy file and its configuration options, refer to the official documentation.
Running the Scan and Emailing Results
The following command combines scanning for vulnerabilities with conditionally sending an email if any are found. The process is as follows:
Scan Execution: The Safety CLI tool is run with a specified API key and stage. The results are saved in both JSON and human-readable text formats.
Vulnerability Detection: The jq tool parses the JSON output to check for any known vulnerabilities.
Email Notification: If vulnerabilities are detected, an email is sent with the contents of the text report.
Execute the command below in your terminal:
The --save-as json report.json > text_report part saves the Safety CLI results in JSON format to report.json, while redirecting standard output to the human-readable file text_report.
The jq command checks for the presence of vulnerabilities by examining the id fields within the scan results and prints true if any are found.
xargs -I {} test {} = "true" turns that output into an exit status: the test succeeds only when jq printed true, so the command chained after it runs only when vulnerabilities were detected. Note that this is a plain string comparison: anything other than the exact word true counts as "no vulnerabilities", so a jq error (for example because report.json was never written) is silently treated as a clean scan.
The mail command constructs an email with the subject "Vulnerabilities found" and the contents of text_report as the body, sending it to the specified email address.
The trailing || true ensures that the command sequence exits with status 0 whatever the earlier steps returned, for example the non-zero status of test when no vulnerabilities were found, so that a clean scan does not fail an automated pipeline. The same || true also masks genuine errors, such as an invalid API key, a scan that never produced report.json, or a mail command that is not installed, so check the job log, or capture the exit status before the || true, if you need to know that the scan actually ran.
Alternative Approaches
While the above command provides a quick, self-contained solution for scanning and alerting, the same logic can be moved into a script for more complex workflows, or simply to improve readability and maintainability; a script also makes it easier to distinguish a scan that found nothing from a scan that failed to run.
This guide aims to make it straightforward to integrate vulnerability scanning and notification into your CI/CD pipeline, so that your team is promptly informed of any security issues detected in your project dependencies.
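The scan-check-notify sequence described above, rewritten as the kind of script this section suggests, as an added example that is not part of the original guide and not Safety's own code. It assumes the safety scan flags the guide names (--key, --stage, --save-as json report.json); the two sample reports are constructed and simplified stand-ins for real output (the real report's structure may differ, which is why the walker looks for a vulnerabilities list anywhere in the document rather than at a fixed path); and the SMTP host, sender and recipient are placeholders. Unlike the one-liner, it treats a missing report as a failed scan rather than a clean one, and it scopes the id check to vulnerability entries so that unrelated id fields cannot trigger a false alert.

```python
"""Scan with Safety CLI and e-mail the report only when vulnerabilities are found.

Added example for this guide, not Safety's own code.  Assumptions:
  - `safety scan --key ... --stage ... --save-as json report.json` are the
    flags the guide describes;
  - SAMPLE_REPORT / CLEAN_REPORT are constructed stand-ins for real output;
  - SMTP host, sender and recipient are placeholders to replace.
"""
import json
import os
import smtplib
import subprocess
import sys
from email.message import EmailMessage

# Constructed sample reports (not real Safety output).  The "scan_id" field
# shows why a bare search for any "id" key would give a false positive.
SAMPLE_REPORT = json.dumps({
    "meta": {"scan_id": "abc123"},
    "results": {"vulnerabilities": [
        {"id": "12345", "package_name": "requests", "vulnerable_spec": "<2.31.0"},
        {"id": "67890", "package_name": "urllib3", "vulnerable_spec": "<1.26.5"},
    ]},
})
CLEAN_REPORT = json.dumps({"meta": {"scan_id": "def456"},
                           "results": {"vulnerabilities": []}})


def _walk(node, found):
    """Collect the id of every entry in any "vulnerabilities" list, wherever
    that list sits in the report, and ignore every other "id" field."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "vulnerabilities" and isinstance(value, list):
                found.extend(str(v["id"]) for v in value
                             if isinstance(v, dict) and "id" in v)
            else:
                _walk(value, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, found)
    return found


def vulnerability_ids(report_text):
    """Ids of all findings in a JSON report (empty list when the scan is clean)."""
    return _walk(json.loads(report_text), [])


def has_vulnerabilities(report_text):
    """The decision the guide makes with jq: any finding id present -> True."""
    return bool(vulnerability_ids(report_text))


def build_alert(ids, text_report, sender, recipient):
    """The message the guide builds with mail(1): fixed subject, text report as body."""
    msg = EmailMessage()
    msg["Subject"] = "Vulnerabilities found"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(f"Safety reported {len(ids)} finding(s): {', '.join(ids)}\n\n"
                    f"{text_report}")
    return msg


def send_alert(msg, smtp_host="localhost"):  # placeholder host
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


def run_scan(api_key, stage, json_path="report.json", text_path="text_report"):
    """Run the guide's scan command; stdout becomes the text report.
    Returns True only if a JSON report was produced, so a scan that never
    ran (bad key, tool missing) is not mistaken for a clean one."""
    if os.path.exists(json_path):
        os.remove(json_path)  # never reuse a stale report from a previous run
    try:
        with open(text_path, "w") as text_out:
            subprocess.run(["safety", "scan", "--key", api_key, "--stage", stage,
                            "--save-as", "json", json_path],
                           stdout=text_out, text=True)
    except FileNotFoundError:  # safety itself is not installed
        return False
    return os.path.exists(json_path)


def main():
    api_key = os.environ["SAFETY_API_KEY"]          # keep the key out of the script
    stage = os.environ.get("SAFETY_STAGE", "cicd")  # stage name assumed
    if not run_scan(api_key, stage):
        print("safety scan produced no report; treating as a failed scan", file=sys.stderr)
        return 2  # unlike `|| true`, a scan that did not run fails the job
    with open("report.json") as f, open("text_report") as t:
        report_text, text_report = f.read(), t.read()
    ids = vulnerability_ids(report_text)
    if ids:
        send_alert(build_alert(ids, text_report, "ci@example.com", "security@example.com"))
        print(f"alert sent for {len(ids)} finding(s)")
    else:
        print("no vulnerabilities found")
    return 0  # the policy file already keeps a scan with findings at exit 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the CI job with SAFETY_API_KEY set in the environment; exit status 2 means the scan did not run, while status 0 means it ran and any findings were mailed.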