Secure a Node.js Application

This guide walks you through setting up Mayo ASPM to scan, triage, and manage security findings for a Node.js application from start to finish.


Goal

By the end of this guide, you will have:

  • A Node.js repository scanned for dependency vulnerabilities, code issues, and secrets
  • Basic triage policies filtering out noise
  • A project dashboard showing your security posture

Time: ~30 minutes


Prerequisites

  • A Mayo ASPM account with admin access
  • A Node.js repository on GitHub (with package.json and/or yarn.lock)
  • The GitHub App installed on the repository's organization

Step 1 — Verify the repository is synced

  1. Navigate to Assets in the left sidebar.
  2. Search for your repository name.
  3. If it appears, you're good. If not:
    • Go to Settings > Integrations > GitHub.
    • Click Manage repositories on GitHub.
    • Ensure your repository is selected.
    • Click Sync Now in Mayo ASPM.

Step 2 — Create a project

  1. Navigate to Projects and click New Project.
  2. Name it after your application (e.g., my-nodejs-app).
  3. Click Create.
  4. Open the project and click Add Assets.
  5. Select your Node.js repository and click Assign.

Step 3 — Run your first scan

  1. Open the project dashboard.
  2. Click Scan Now.
  3. Select all applicable scanners:
    • Grype — scans package.json, package-lock.json, and yarn.lock for known CVEs
    • Semgrep — scans JavaScript/TypeScript source code for vulnerabilities
    • Gitleaks — scans for hardcoded secrets, API keys, and tokens
  4. Click Start Scan.

Scan duration

A typical Node.js repo scan takes 1-3 minutes depending on repository size. You can monitor progress on the project dashboard.


Step 4 — Review findings

Once the scan completes, navigate to Findings (filtered to your project):

What to expect

Scanner    Common findings in Node.js apps
Grype      Vulnerable dependencies (lodash, express, axios CVEs)
Semgrep    SQL injection, XSS, insecure regex, prototype pollution patterns
Gitleaks   Hardcoded API keys, database URLs, JWT secrets in config files

Understanding the findings view

Each finding shows:

  • Title — vulnerability name or CVE ID
  • Severity — critical, high, medium, low, info
  • Scanner — which tool found it
  • File — where in your code the issue exists
  • Status — open (new finding)

Step 5 — Write triage policies

Most Node.js scans produce some noise. Create policies to handle it:

  1. Navigate to Policies > New Policy.
  2. Select kind: Triage.
  3. Name: triage-nodejs-basics.
  4. Paste this Rego:

package mayo.triage

import rego.v1

default decision := "defer"

# Branches are evaluated in order and the first match wins, so a finding that
# satisfies several branches yields a single decision instead of an evaluation
# conflict (OPA refuses complete rules that produce different values).

# Auto-accept critical and high CVEs
decision := "accept" if {
    input.finding.severity in ["critical", "high"]
    input.finding.cve_id != ""
} else := "reject" if {
    # Reject informational findings
    input.finding.severity == "info"
} else := "reject" if {
    # Reject findings in test directories and test files
    in_test_path
} else := "reject" if {
    # Reject findings in node_modules (shouldn't appear but safety net)
    contains(input.finding.file_path, "/node_modules/")
} else := "reject" if {
    # Reject low-severity findings with no CVE and no fix
    input.finding.severity == "low"
    input.finding.cve_id == ""
    input.finding.fixed_version == ""
}

# Directory names may appear anywhere in the path; file suffixes must end it.
# contains() is a plain substring check, so a "*.test.js" glob would never match.
in_test_path if {
    some dir in ["/test/", "/__tests__/", "/spec/"]
    contains(input.finding.file_path, dir)
}

in_test_path if {
    some suffix in [".test.js", ".spec.js"]
    endswith(input.finding.file_path, suffix)
}

  5. Click Save & Activate.
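Before activating the policy, it is worth checking what it decides for typical Node.js findings. The unit tests below are an added example, not part of the guide or of Mayo ASPM; they assume the policy is saved as policy.rego next to this file, and the finding payloads (including the placeholder CVE id) are constructed for the test.

```rego
package mayo.triage_test

import rego.v1

import data.mayo.triage

# Constructed sample finding; the CVE id is a placeholder, not a real advisory.
lodash_cve := {"finding": {
    "severity": "critical",
    "cve_id": "CVE-0000-00000",
    "file_path": "package-lock.json",
    "fixed_version": "4.17.21"
}}

test_critical_cve_is_accepted if {
    triage.decision == "accept" with input as lodash_cve
}

test_info_finding_is_rejected if {
    triage.decision == "reject" with input as {"finding": {
        "severity": "info", "cve_id": "", "file_path": "src/app.js", "fixed_version": ""
    }}
}

test_tests_directory_is_rejected if {
    triage.decision == "reject" with input as {"finding": {
        "severity": "high", "cve_id": "", "file_path": "src/__tests__/app.js", "fixed_version": ""
    }}
}

# A Semgrep hit in a *.spec.js file should be treated as test noise.
test_spec_file_suffix_is_rejected if {
    triage.decision == "reject" with input as {"finding": {
        "severity": "medium", "cve_id": "", "file_path": "src/auth.spec.js", "fixed_version": ""
    }}
}

# A medium code finding in application source has no matching rule: manual review.
test_medium_source_finding_is_deferred if {
    triage.decision == "defer" with input as {"finding": {
        "severity": "medium", "cve_id": "", "file_path": "src/routes/users.js", "fixed_version": ""
    }}
}

# Low severity with a fix available is not noise and must not be auto-rejected.
test_low_with_fix_is_deferred if {
    triage.decision == "defer" with input as {"finding": {
        "severity": "low", "cve_id": "", "file_path": "package.json", "fixed_version": "1.2.3"
    }}
}
```

Run `opa test .` in the directory holding both files; a failing test names the finding shape the policy mishandles.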

Step 6 — Re-evaluate findings

After activating the policy, re-evaluate existing findings:

  1. Navigate to Findings in your project.
  2. Click Re-evaluate Triage.
  3. Watch as findings are automatically accepted, rejected, or deferred.

Check the results:

Status                  Expected
Confirmed (accepted)    Critical and high CVEs
Suppressed (rejected)   Info findings, test file findings, low-severity noise
Triaged (deferred)      Everything else — needs manual review

Step 7 — Review the dashboard

Your project dashboard now shows:

  • Finding count by severity — with suppressed findings excluded
  • Triage funnel metrics — automation rate, manual review needed
  • Top findings — the most critical issues to address first

Step 8 — Take action on top findings

For each critical/high finding:

  1. Click the finding to see details.
  2. Review the remediation guidance (e.g., "Upgrade lodash to 4.17.21").
  3. Either:
    • Fix it immediately in your code
    • Generate a Jira ticket to track the work
    • Suppress it if it's a false positive (with a reason)

Verification

Confirm your setup is working:

  • Repository appears as an asset in your project
  • Scan completed successfully with findings from all 3 scanners
  • Triage policy is active and auto-categorizing findings
  • Dashboard shows accurate finding counts

Next steps