dustilock
DustiLock is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack. In a dependency confusion attack, an attacker publishes a package on a public registry under the same name as one of your private, internal packages; a build that resolves that name against the public registry (or that prefers the higher version it finds there) then installs the attacker's code instead of yours. DustiLock reads the dependency manifests found in the scanned path (such as package.json for npm and requirements.txt for PyPI) and reports the dependency names that are not registered on the corresponding public registry, because an unregistered name is exactly what an attacker can claim.
Key Features (see the help content below):
- Scans the current working directory by default, or the path given with -p/--path
- -r/--recursive scans all files under that path recursively
- -a/--audit runs in audit-only mode
- Flags, per manifest, the dependency names that could be hijacked on the public registry
dustilock documentation
- Version in MegaLinter: 1.2.0
- Visit Official Web Site
Configuration in MegaLinter
- Enable dustilock by adding REPOSITORY_DUSTILOCK in ENABLE_LINTERS variable
- Disable dustilock by adding REPOSITORY_DUSTILOCK in DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_DUSTILOCK_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_DUSTILOCK_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_DUSTILOCK_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As default value is project, overriding might not work. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | project |
| REPOSITORY_DUSTILOCK_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_DUSTILOCK_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_DUSTILOCK_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_DUSTILOCK and its pre/post commands | None |
| REPOSITORY_DUSTILOCK_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_DUSTILOCK_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_DUSTILOCK_CLI_EXECUTABLE | Override CLI executable | ['dustilock'] |
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 127 |
| security | Optimized for security | 24 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- dustilock is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables; it must be done using dustilock configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make dustilock analyze only updated files
Example calls
```shell
dustilock
```
Help content
```text
usage: DustiLock [-h|--help] [-r|--recursive] [-a|--audit] [-p|--path "<value>"]

a tool to find which of your dependencies is susceptible to Dependency Confusion attack

Arguments:

  -h  --help       Print help information
  -r  --recursive  scan all files recursively
  -a  --audit      audit only mode
  -p  --path       the path to scan. default is cwd
```
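The help text names the attack but not the check behind it. The following Go program is an added example, not DustiLock's own code, that implements the core of a dependency confusion check as it is generally understood: extract the declared dependency names from package.json and requirements.txt, normalize them the way the registry compares them (PEP 503 for PyPI), and flag every name that does not exist on the public registry, since that is the name an attacker could claim. The registry lookup is abstracted behind an interface and backed by a constructed in-memory fake so the program runs offline; the sample manifests, the `Registry` interface, the `FakeRegistry` type and the set of "public" package names are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Registry answers whether a package name is already taken on a public registry.
// A real checker would query npm and PyPI over HTTP; here the lookup is an interface
// backed by a constructed in-memory stand-in so the example runs offline.
type Registry interface {
	Exists(ecosystem, name string) bool
}

// FakeRegistry is a constructed stand-in for npm and PyPI (assumption for this example).
// Keys are "<ecosystem>:<normalized name>".
type FakeRegistry map[string]bool

func (r FakeRegistry) Exists(ecosystem, name string) bool {
	return r[ecosystem+":"+Normalize(ecosystem, name)]
}

// Finding is a dependency name nobody has published publicly: an attacker could register
// it and have a misconfigured build pull the attacker's version instead of the private one.
type Finding struct {
	Ecosystem string
	Name      string
}

var pipSeparators = regexp.MustCompile(`[-_.]+`)

// Normalize canonicalizes a name the way the registry compares it: PyPI folds case and
// collapses runs of "-", "_" and "." to "-" (PEP 503); npm names are lowercase already.
func Normalize(ecosystem, name string) string {
	name = strings.ToLower(name)
	if ecosystem == "pypi" {
		name = pipSeparators.ReplaceAllString(name, "-")
	}
	return name
}

// NpmDependencies extracts the direct dependency names declared in a package.json.
func NpmDependencies(data []byte) ([]string, error) {
	var pkg struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var names []string
	for _, section := range []map[string]string{pkg.Dependencies, pkg.DevDependencies} {
		for name := range section {
			if !seen[name] {
				seen[name] = true
				names = append(names, name)
			}
		}
	}
	sort.Strings(names)
	return names, nil
}

// requirementName matches the project name that starts a requirement specifier,
// e.g. "requests==2.31.0" or "pkg[extra]>=1; python_version>'3'".
var requirementName = regexp.MustCompile(`^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)`)

// PipDependencies extracts project names from requirements.txt text. Blank lines, comments,
// pip options (-r, -e, --index-url) and URL or path requirements are skipped: those do not
// resolve through the index, so they would only produce false findings.
func PipDependencies(data string) []string {
	var names []string
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") ||
			strings.Contains(line, "://") || strings.HasPrefix(line, ".") || strings.HasPrefix(line, "/") {
			continue
		}
		if m := requirementName.FindStringSubmatch(line); m != nil {
			names = append(names, m[1])
		}
	}
	return names
}

// Susceptible reports the names that do not exist on the public registry for their ecosystem.
func Susceptible(reg Registry, ecosystem string, names []string) []Finding {
	var out []Finding
	for _, n := range names {
		if !reg.Exists(ecosystem, n) {
			out = append(out, Finding{Ecosystem: ecosystem, Name: Normalize(ecosystem, n)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// Scan runs both checks and concatenates the findings (npm first, then PyPI).
func Scan(reg Registry, packageJSON []byte, requirements string) ([]Finding, error) {
	npmNames, err := NpmDependencies(packageJSON)
	if err != nil {
		return nil, err
	}
	findings := Susceptible(reg, "npm", npmNames)
	return append(findings, Susceptible(reg, "pypi", PipDependencies(requirements))...), nil
}

// Constructed sample manifests: two internal packages that were never published publicly.
var SamplePackageJSON = []byte(`{
  "dependencies": {"express": "^4.18.2", "acme-internal-auth": "1.0.0"},
  "devDependencies": {"jest": "^29.0.0"}
}`)

var SampleRequirements = `# constructed requirements.txt
requests==2.31.0
acme_internal.Utils>=2.0   # PEP 503 name: acme-internal-utils
-r base.txt
git+https://example.invalid/acme/tooling.git#egg=tooling
`

// SampleRegistry knows only the public packages (constructed; a real run asks npm and PyPI).
var SampleRegistry = FakeRegistry{"npm:express": true, "npm:jest": true, "pypi:requests": true}

// ScanSample runs the constructed sample through the check; it yields two findings.
func ScanSample() ([]Finding, error) {
	return Scan(SampleRegistry, SamplePackageJSON, SampleRequirements)
}

func main() {
	findings, err := ScanSample()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %q is not on the public registry and could be claimed by an attacker\n", f.Ecosystem, f.Name)
	}
}
```

Running the program prints the two internal names (acme-internal-auth on npm, acme-internal-utils on PyPI) that a misconfigured resolver could be tricked into fetching from the public registry. If you put a real HTTP lookup behind `Registry`, remember that it is a "not found" response that produces a finding, so a network error or rate-limit response must be reported as unknown rather than silently counted as safe or as susceptible.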
Installation on mega-linter Docker image
- Dockerfile commands :
```dockerfile
# renovate: datasource=github-tags depName=checkmarx/dustilock
ARG REPOSITORY_DUSTILOCK_VERSION=1.2.0
FROM golang:alpine AS dustilock
ARG REPOSITORY_DUSTILOCK_VERSION
RUN apk add --no-cache git && GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v${REPOSITORY_DUSTILOCK_VERSION}
COPY --link --from=dustilock /usr/bin/dustilock /usr/bin/dustilock
```