src/content/docs/guides/policy-diff.md
4 additions & 4 deletions
@@ -5,7 +5,7 @@ description: How to review LavaMoat Policy and its diffs
5
5
6
6
<!-- markdownlint-disable no-inline-html -->
7
7
8
-
This guide will help you review your policy on a continuous basis.
8
+
This guide will show you how to review changes to your LavaMoat Policy File.
9
9
10
10
## Why review Policy?
11
11
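Review bot: the rewritten line 8 drops "on a continuous basis", which was the one thing the old sentence got right: the reason to review a policy diff (rather than the policy once) is to do it every time the policy is regenerated, as the "Why review Policy?" section below argues. Suggest keeping that idea, e.g. "This guide will show you how to review changes to your LavaMoat Policy File each time it is regenerated." Also, "Policy File" is capitalized here while the headings say "Policy" and "policy" interchangeably; pick one form.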
@@ -18,7 +18,7 @@ If you generate the initial policy from a known uncompromised version of your ap
18
18
19
19
## How to review your policy?
20
20
21
-
LavaMoat Policy is listing all powers that a package can use. That's what you'll find in`globals` and `builtin` fields.
21
+
The LavaMoat Policy lists all powers that a package can use; these are the`globals` and `builtin` fields.
22
22
It also lists which other packages are allowed for the current package to import. You can follow those relations to see whether a package with access to very [powerful APIs](#powerful-apis) is used by any suspicious packages as a dependency. See [Principle of Least Authority][PoLA]
23
23
24
24
### What to look for when reviewing a Policy diff?
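Review bot: the missing space before the backtick survives the rewrite: line 21 still has "the" glued to the backtick of `globals` (it was "in`globals`" before, "the`globals`" now), so the inline code does not render correctly; insert the space. While touching the line, "these are the `globals` and `builtin` fields" equates the powers with the fields; "these are listed in the `globals` and `builtin` fields" is more accurate and reads better next to the following paragraph, which says the policy "also lists" which packages may be imported.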
@@ -32,7 +32,7 @@ The goal of reviewing the diff is to spot a malicious package being added.
32
32
- be aware that the identifier may change to `pkgC>actual-name` from `pkgB>pkgA>actual-name` BUT! If the package now also has totally different powers, it's likely a different package of the same name. Investigate! `npm ls actual-name` should help.
33
33
- when a new package is added, consider limiting its powers to what you actually use.
34
34
35
-
#### Good practices for spotting suspicious changes
35
+
#### Best Practices for Finding Suspicious Changes
36
36
37
37
First of all - you need to check if any of the packages get access to new [powerful APIs](#powerful-apis) unexpectedly.
38
38
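Review bot: the new heading uses Title Case ("Best Practices for Finding Suspicious Changes") while every other heading in this file uses sentence case ("## Why review Policy?", "## How to review your policy?", "### What to look for when reviewing a Policy diff?"); keep the file consistent, e.g. "#### Best practices for finding suspicious changes". Swapping "spotting" for "finding" is fine on its own.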
@@ -43,7 +43,7 @@ If a package that was supposed to only be doing basic string operations is sudde
43
43
"process": false
44
44
```
45
45
46
-
to the globalsfor that package in policy-override.json
46
+
to the `globals` field for that package in `policy-override.json`.
47
47
48
48
When a new dependency shows up in `packages` field of _packageA_: look up what it's pointing to and if the dependency has access to very [powerful APIs](#powerful-apis); doublecheck whether it makes sense to you that _packageA_ would need to use it.
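Review bot: the `globals` / `policy-override.json` fix on line 46 is correct and complete. Since this PR is already polishing this paragraph, the unchanged context at the end of the hunk has two small defects worth folding in: "shows up in `packages` field" is missing "the", and "doublecheck" should be "double-check".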