
Lab 03: Lockfile Integrity & Policy Checks

Duration: 30 min
Level: Intermediate
Prerequisites: Lab 02

Learning Objectives

  • Run apm audit --ci lockfile verification
  • Understand the 6 baseline checks and 16 policy checks
  • Detect unpinned dependencies and missing lockfiles

Exercise 1: Check App 005 (Missing Lockfile)

Working Directory: Run the following commands from the apm-security-scan-demo-app repository root.

cd apm-demo-app-005
apm audit --ci

This should fail because app 005 has no apm.lock.yaml committed.

[Screenshot: Lockfile missing]

Exercise 2: Generate a Lockfile

apm install

Then re-run the audit:

apm audit --ci

Exercise 3: Review Policy Configuration

Get-Content ..\src\config\apm-policy.yml

[Screenshot: Policy config]

Exercise 4: SARIF Output

apm audit --ci -f sarif -o apm-lockfile-results.sarif
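Interpreting the SARIF file in a pipeline usually means flattening runs/results into findings, counting them by level, and deciding whether the job fails. The script below is an added example, not part of this lab or of apm itself; it works on any SARIF 2.1.0 document, and the embedded sample document, its rule IDs and its messages are constructed placeholders, not apm's real rule identifiers or output.

```python
import json
from pathlib import Path

# Constructed SARIF 2.1.0 sample standing in for apm-lockfile-results.sarif.
# Rule IDs and messages are placeholders, not apm's real identifiers.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "placeholder-audit-tool"}},
        "results": [
            {"ruleId": "EXAMPLE-LOCKFILE-MISSING", "level": "error",
             "message": {"text": "No apm.lock.yaml found next to the manifest"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apm-demo-app-005/apm.yml"}}}]},
            {"ruleId": "EXAMPLE-UNPINNED-DEPENDENCY", "level": "warning",
             "message": {"text": "Dependency is not pinned to an exact version"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apm-demo-app-005/apm.yml"}}}]},
            {"ruleId": "EXAMPLE-INFO", "level": "note",
             "message": {"text": "Informational finding with no location"}},
        ],
    }],
}

def load_sarif_file(path: str) -> dict:
    """Read a SARIF document from disk (e.g. the -o target of apm audit)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))

def load_findings(sarif: dict) -> list:
    """Flatten every run's results into simple finding records."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            locs = result.get("locations", [])
            uri = "<no location>"
            if locs:  # first physical location is enough for triage output
                uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", uri)
            findings.append({
                "rule": result.get("ruleId", "<unknown rule>"),
                # SARIF's effective default when neither the result nor its rule sets a level
                "level": result.get("level", "warning"),
                "file": uri,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings

def summarize(findings: list) -> dict:
    """Count findings per SARIF level (error / warning / note)."""
    counts = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts

def ci_exit_code(findings: list, fail_on=("error",)) -> int:
    """Non-zero when any finding is at a level the pipeline treats as blocking."""
    return 1 if any(f["level"] in fail_on for f in findings) else 0
```

Run it against a real file with `ci_exit_code(load_findings(load_sarif_file("apm-lockfile-results.sarif")))`; widen `fail_on` to include `"warning"` if unpinned dependencies should also block the build.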

Verification Checkpoint

  • apm audit --ci detects the missing lockfile in app 005
  • You understand the 6 baseline checks
  • You can interpret lockfile-related SARIF findings

Next Steps

Proceed to Lab 04: Semantic Pattern Scanner.
