Overview

Mend Diffend detects and blocks malicious dependency updates.

...

Info

Mend Diffend supports Ruby (Bundler) and JavaScript (Yarn, npm, pnpm).

Configuring a New Project

Prerequisites: a registered Mend Diffend account.

...

  1. Navigate to your organization’s projects list.

  2. Click the Setup button.

  3. In the setup view, navigate to the By applying changes manually section.

  4. To set up Mend Diffend, create a .diffend.yml file in the root directory of the project and copy-paste the configuration settings from the UI.

  5. Follow the remaining instructions specific to the package manager you are using.

Bundler setup

  1. Add our Bundler plugin and our gem right after the source section of your Gemfile.

  2. Run bundle install and you are ready to go.

npm setup

  1. Install our Diffend package:

     npm install -g https://my.diffend.io/releases/npm/stable.tgz

  2. Prefix all calls to npm with diffend:

     diffend npm install
     diffend npm i debug

  3. Alternatively, alias npm in your shell by adding the following line to the appropriate startup file (~/.bash_aliases, ~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish). Note that shell aliases only apply to interactive shells; scripts and CI jobs still need to call diffend npm explicitly.

     alias npm='diffend npm'

  4. Run npm install and that is all.

Yarn 1 setup

  1. Add our Yarn 1 plugin to your project by running the following commands:

     mkdir -p .yarn/releases
     wget https://my.diffend.io/releases/yarn/1/stable.js -O .yarn/releases/diffend-stable.js
     echo 'yarn-path ".yarn/releases/diffend-stable.js"' >> .yarnrc

  2. Run yarn install and you are ready to go.
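Both the npm step and the Yarn 1 step above install whatever my.diffend.io currently serves as "stable", and the Yarn 1 step appends to .yarnrc every time it is run. The script below is an added example, not code from the Mend Diffend docs or from the Diffend project: it downloads each artifact to a temporary file, records the SHA-256 of the first download in a .sha256 pin file next to the artifact, refuses to replace the artifact when a later download does not match the pin, and writes the yarn-path line only once. The pin files, the ./vendor/ location for the npm tarball and the use of curl are assumptions of this script; the URLs are the ones from the setup steps.

```shell
#!/bin/sh
# Added example, not from the Mend Diffend docs: fetch the Diffend npm tarball
# and Yarn 1 launcher with a SHA-256 pin instead of trusting whatever
# "stable" resolves to on each run. The URLs are the ones from the setup
# steps; the .sha256 pin files and the ./vendor/ path are assumptions.

NPM_TGZ_URL="https://my.diffend.io/releases/npm/stable.tgz"
NPM_TGZ_LOCAL="./vendor/diffend-npm.tgz"              # assumption
YARN1_URL="https://my.diffend.io/releases/yarn/1/stable.js"
YARN1_LAUNCHER=".yarn/releases/diffend-stable.js"

# sha256_of FILE: hex digest on stdout (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pin FILE PINFILE: 0 if FILE's digest equals the recorded one.
verify_pin() {
  [ -f "$2" ] || return 1
  [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# place_pinned SRC DEST PINFILE: trust on first use. With no pin file yet,
# record SRC's digest; otherwise refuse to install SRC unless it matches.
# Kept separate from the download so the logic can be exercised offline.
place_pinned() {
  src="$1"; dest="$2"; pin="$3"
  mkdir -p "$(dirname "$dest")" || return 1
  if [ -f "$pin" ]; then
    verify_pin "$src" "$pin" || {
      echo "refusing to install $dest: digest differs from $pin" >&2
      rm -f "$src"; return 1
    }
  else
    sha256_of "$src" > "$pin" || return 1
  fi
  mv "$src" "$dest" && chmod 644 "$dest"
}

# fetch_pinned URL DEST: download to a temp file, then place_pinned it.
fetch_pinned() {
  tmp=$(mktemp) || return 1
  curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
  place_pinned "$tmp" "$2" "$2.sha256"
}

# add_yarn_path RCFILE LAUNCHER: append the yarn-path line only if it is
# absent, unlike a plain ">>", which duplicates it on every run.
add_yarn_path() {
  line="yarn-path \"$2\""
  grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# Run either of these from the project root after sourcing this file.
install_npm_launcher() {
  fetch_pinned "$NPM_TGZ_URL" "$NPM_TGZ_LOCAL" && npm install -g "$NPM_TGZ_LOCAL"
}

install_yarn1_launcher() {
  fetch_pinned "$YARN1_URL" "$YARN1_LAUNCHER" && add_yarn_path .yarnrc "$YARN1_LAUNCHER"
}
```

Commit the .sha256 files next to the artifacts so that a changed launcher shows up as a reviewable diff rather than a silent swap. Trust on first use does not authenticate the very first download; if you obtain the expected digest through another channel, seed the pin file with it instead of recording whatever was fetched.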

Yarn 2 setup

  1. Add our Yarn 2 plugin to your project by running the following command:

     yarn plugin import https://my.diffend.io/releases/yarn/2/stable.js

  2. Run yarn install and you are ready to go!

Running Diffend Checks

Mend Diffend plugin runs automatically when the following commands are executed:

...

Info

Mend Diffend works automatically each time you run bundle commands.

Reviewing and Understanding the Security Verdicts

Security verdicts are an essential part of Mend Diffend. They ensure that all of your organization's requirements are met in the context of each bundle operation, so that packages and versions that could cause engineering or legal harm are kept out.

...

Info

You should review any non-allow verdicts that we tell you about.

Setting up maximum verdict for particular commands

When using Mend Diffend in a legacy system, you may notice that getting things to a stable and secure state takes a while.

...

Info

You can use our Quality Score to keep track of the improvement of your dependencies setup.

Understanding Quality Score

The Quality Score is a numeric value between 0 and 100 that provides a quick overview of the state of your Gemfile. It is a composite of the sub-scores from each of the Guards and gives you a convenient way to monitor trends, so that you can take action whenever you see quality degradation.

...

Info

You can use the Quality Score to keep track of the improvements to your Gemfile.

Re-running checks from the UI

When you change your configuration, you may want to check how it affects the bundling process you were running. You can either run the command you are interested in again to see a new verdict, or re-run the checks directly from the UI by clicking the Re-run checks button.

...

Info

Re-running checks is the easiest way to see how your changes will affect execution of the given command.

Continuous Integration and Delivery environment setup

Mend Diffend protects every crucial bundle command out of the box, but you can still easily set it up as a separate step within your Continuous Integration and Delivery system.

...

To set it up, please follow the instructions for the appropriate CI/CD system.

GitHub Actions

...

CircleCI

...

Other

If you are using a different CI system, the setup should be similar. Please contact us if you have examples of other CI systems.

Deployment and production environment setup

Mend Diffend requires minimal effort to work with the majority of ways you can deploy your applications. If there are no hints below for your way of deployment, all you need to do is:

...

Remember to set DIFFEND_ENV to match your environment.

...

Capistrano

Please make sure to always run bundle install instead of bundle check. To do so, put the following code in your deploy.rb file:

...

Info

The changes you need to make come from limitations of the Bundler plugin system.

Docker

Please make sure that the .diffend.yml file is included before you run any bundle commands during the container build process.

...

Info

.diffend.yml file needs to be present before running any bundle commands.
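The Docker note above and the DIFFEND_ENV requirement from the deployment introduction fail silently when they are missed: a Dockerfile that runs bundle install before .diffend.yml has been copied in builds fine, just without Diffend. The script below is an added example, not part of the Mend Diffend docs or the Diffend project: a preflight check to run before docker build (locally or from CI) that fails if .diffend.yml is missing from the build context, if DIFFEND_ENV is unset or not one of the environments you deploy to (the list in DIFFEND_KNOWN_ENVS is an assumption; adjust it), or if the first RUN line that invokes bundle comes before a COPY or ADD whose sources include .diffend.yml or the whole context. The Dockerfile fragments in the test are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Mend Diffend docs: preflight checks for a
# Dockerised deployment. Assumptions: the set of environments you deploy to
# (DIFFEND_KNOWN_ENVS) and that .diffend.yml sits in the build context root.

DIFFEND_KNOWN_ENVS="production staging"   # assumption: your deploy targets

# diffend_env_ok [NAME]: 0 if NAME (default $DIFFEND_ENV) is a known environment.
diffend_env_ok() {
  name="${1:-${DIFFEND_ENV:-}}"
  for known in $DIFFEND_KNOWN_ENVS; do
    [ "$known" = "$name" ] && return 0
  done
  return 1
}

# dockerfile_copies_config_first DOCKERFILE: 1 if a RUN line invokes bundle
# before any COPY/ADD whose sources include .diffend.yml or the whole context
# ("." or "./"); 0 otherwise. Only source operands (all but the last) count,
# so "COPY Gemfile Gemfile.lock ./" does not pass. "bundle" is matched as a
# word, so "gem install bundler" is not mistaken for a bundle command.
dockerfile_copies_config_first() {
  awk '
    toupper($1) == "COPY" || toupper($1) == "ADD" {
      for (i = 2; i < NF; i++)
        if ($i == "." || $i == "./" || $i ~ /(^|\/)\.diffend\.yml$/) copied = 1
    }
    toupper($1) == "RUN" && $0 ~ /(^|[ \t;&|])bundle([ \t]|$)/ && !copied { bad = 1; exit }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# preflight CONTEXT_DIR: run every check and report the first failure.
preflight() {
  ctx="$1"
  [ -f "$ctx/.diffend.yml" ] || { echo "preflight: $ctx/.diffend.yml is missing" >&2; return 1; }
  diffend_env_ok || { echo "preflight: DIFFEND_ENV='${DIFFEND_ENV:-}' is not one of: $DIFFEND_KNOWN_ENVS" >&2; return 1; }
  dockerfile_copies_config_first "$ctx/Dockerfile" || { echo "preflight: Dockerfile runs bundle before copying .diffend.yml" >&2; return 1; }
  echo "preflight: ok"
}

# Usage: . ./preflight.sh && preflight . && docker build .
```

The Dockerfile check is a line-based heuristic for the ordering mistake the page warns about, not a Dockerfile parser; a .dockerignore entry that excludes .diffend.yml from a "COPY . ." would still get past it, so keep that file out of .dockerignore or copy it explicitly.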

Heroku

When using Heroku, please make sure that the .diffend.yml file is included before you run any bundle commands during the build process.

...

Info

Heroku Buildpack for Ruby requires you to set the three environment variables mentioned above.

Notifications

Diffend monitor gem keeps track of the state of your deployment environments automatically.

...

Info

Notifications are a great way to make sure that your team becomes aware of emerging vulnerabilities the moment they are detected.

Connecting Mend Diffend to Slack

  1. Navigate to the Notifications settings page of your organization.

  2. Press the here link visible in the information box. You will be redirected to the Slack platform settings page.

  3. Select a channel where you want Mend Diffend to post security notifications and press the Allow button.

  4. You will be redirected back to the Mend Diffend notification settings page and a Slack welcome message will be sent to your workspace channel.

Notifications events

Mend Diffend sends messages based on events that occur while protecting your applications. Below you can find a list of the events that trigger notifications, together with their short descriptions and other useful details.

Event name: New bundle state detected
Event type: Information
Command: bundle exec
Environment: other than development and test
Description: Mend Diffend emits a message based on this event whenever you deploy changes to your Gemfile that affect the given environment. Awareness of newly updated libraries being deployed can help you debug when your new code presents unexpected behaviors.

Event name: New verdict detected
Event type: Warning
Command: bundle exec
Environment: other than development and test
Description: Mend Diffend emits a message based on this event whenever the verdict associated with your deployment has changed.

Event name: Bundle secure execution alert
Event type: Warning
Command: bundle secure
Environment: any
Description: Mend Diffend emits a message based on this event whenever there is anything in your Gemfile that requires attention.

Uninstalling

While we are sorry to see you go, we won't make things hard for you. We just kindly ask you to provide us with any feedback you might have on the reasons.

Removing Bundler plugin and gem

Due to some Bundler limitations, you will have to re-bundle your project after removing the appropriate files. Just run the code below inside your project's root directory.

...

Removing Yarn 2 plugin

Due to some Yarn 2 limitations, you will have to re-run the install command after removing the appropriate files. Just run the code below inside your project's root directory.

...

Questions and answers

Can the .diffend.yml file be committed into our repository version control system?

...