Version: 5.0.0

NCM Operations

Overview

The NCM integration with GitHub (Gates/Deployment protection rules) checks the quality and security of a project's dependencies at pull request and deployment time. Issues are caught early in the development process, before a change is merged or deployed, which reduces the risk of shipping a vulnerable or untrusted dependency.

NCM GitHub App Integration

Users can add the NCM - NodeSource GitHub App (Gates/Deployment protection rules) to their repositories through the GitHub Marketplace. Once installed, the NCM App analyzes each pull request and deployment and sends a report to the accounts portal. The NCM App only works on public repositories owned by an organization.

[Screenshot: ncmapp]

NCM Github Configuration

To configure the NCM App, install it on a GitHub organization (not on a personal account); the organization must have at least one public repository. Then, in the repository settings, open the deployment protection rules of the environment you want to gate and enable the NCM rule.

[Screenshot: ncmapp]

Once the deployment protection rule is in place, users can start using the NCM App.

NCM Operations (Accounts Portal)

In the accounts portal, users can view the results of NCM's analysis for each action (pull request or deployment) in their repositories. The portal shows a summary of each analysis and links to a more detailed report.

[Screenshot: ncmops]

To see the detailed report, click "View Details"; this opens the page with the full report for that action.

[Screenshot: ncmdetails]

Deployment Approval

NCM validates every deployment flow configured in GitHub and approves or rejects it according to NCM's configured rules. GitHub triggers NCM through a webhook event when a deployment reaches an environment protected by the NCM rule; NCM analyzes the deployment against the configured rules and returns its verdict to GitHub, which then allows or blocks the deployment. If the deployment is rejected, NCM provides a detailed report explaining the reasons for the rejection.

NCM Pull Request Checks

NCM checks each pull request created in a repository where the NCM GitHub App is installed. NCM attaches a report and marks the pull request status green or red according to the issues found. The report includes recommendations on how to fix them.

Security

The NCM GitHub App is registered with GitHub as a GitHub App, and user-facing access to it goes through GitHub's OAuth2 authorization, so only authorized users can access the App. Two separate credentials are involved, in opposite directions. Outbound, the App uses its private key to sign the short-lived JWTs with which it authenticates to GitHub's API and obtains installation tokens. Inbound, GitHub signs every webhook delivery with the webhook secret shared at registration (an HMAC-SHA256 over the raw body, sent in the X-Hub-Signature-256 header); verifying that signature, not the private key, is what ensures that only GitHub can send requests to the App.

The NCM App has only read access to the repositories it is installed on, and only read access to the pull requests and deployments in those repositories, so it cannot read unrelated sensitive data or make unauthorized changes to repository contents. Note that in GitHub's permission model, posting a pull request status or approving and rejecting a deployment requires write permission on the corresponding resource (checks or commit statuses, deployments), so compare this description against the permission list GitHub shows when you install the App; that list is the authoritative statement of what the App can read and write.