DevFlow

Security

Automatically adds npm audit, Gitleaks secret scanning, the Trivy vulnerability scanner, and OSV-Scanner to your Node.js project and CI pipeline, so leaked secrets and vulnerable dependencies are caught before they reach a shared branch.

npm audit

Dependency vulnerability check — runs npm audit, which compares the versions pinned in package-lock.json against the advisories served by the npm registry, as part of your workflow.

📖 Official Docs

  • ID: audit
  • Category: Security

What it does

  • Adds audit and audit:fix scripts
  • Optionally adds CI step for vulnerability checking
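The CI step is where the audit actually blocks a merge. The workflow below is an added example, not the file DevFlow generates; it assumes Node.js 20, a committed package-lock.json, and npm 8.7 or newer for the --omit=dev option. The audit runs against the tree installed by npm ci so it reflects what ships, and it fails the job at the high threshold rather than at moderate, which is usually too noisy to enforce. An audit:fix script that passes --force should never run in CI, because npm audit fix --force may apply semver-major upgrades.

```yaml
# Added example (not a file generated by DevFlow): a GitHub Actions job that
# fails the build when npm audit finds a high or critical advisory.
# Assumptions: Node.js 20, a committed package-lock.json, npm >= 8.7 (--omit=dev).
name: npm-audit

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # npm ci installs exactly what the lockfile pins, so the audit
      # reflects the tree that ships rather than a freshly resolved one.
      - run: npm ci

      # Production dependencies only; exit non-zero at high or above.
      # Deliberately no "npm audit fix --force" here: it can apply
      # semver-major upgrades and silently change runtime behaviour.
      - run: npm audit --audit-level=high --omit=dev
```

Lowering --audit-level to moderate raises the bar but tends to produce failures nobody fixes; pick the level the team will actually act on.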

Gitleaks

Secret scanning: detects API keys, tokens, and other credentials in the working tree and git history, and fails the CI run when one is found.

📖 Official Docs

  • ID: gitleaks
  • Category: Security

What it does

  • Creates .gitleaks.toml configuration
  • Adds a GitHub Actions workflow (.github/workflows/gitleaks.yml)
  • Configures rules for common secret patterns
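The workflow file is the piece that enforces the rules in CI. Below is an added example, not DevFlow's generated .github/workflows/gitleaks.yml; it assumes gitleaks-action v2, which picks up a .gitleaks.toml at the repository root. The important detail is fetch-depth: 0 on the checkout: the default shallow clone contains only the tip commit, so a secret that was committed and then "deleted" in a later commit would never be seen. Finding a secret in history is a detection, not a remediation; the credential must still be rotated, because rewriting history does not revoke it.

```yaml
# Added example (not DevFlow's generated workflow): run Gitleaks over the
# full git history on every push and pull request.
# Assumptions: gitleaks-action v2; a .gitleaks.toml at the repository root.
name: gitleaks

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # A shallow checkout only has the tip commit. fetch-depth: 0
          # pulls the whole history so secrets committed and later
          # "removed" are still reported.
          fetch-depth: 0

      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Required for organization accounts only; personal
          # repositories can omit this secret.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

False positives such as test fixtures or documentation examples belong in the allowlist section of .gitleaks.toml, scoped to specific paths or regexes, rather than being handled by disabling a rule globally.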

Trivy

Container & filesystem vulnerability scanner — scans Docker images and project files.

📖 Official Docs

  • ID: trivy
  • Category: Security

What it does

  • Creates a trivy.yaml configuration
  • Adds CI workflow for Trivy scanning
  • Configures severity thresholds
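A severity threshold only matters if the job fails when it is crossed. The workflow below is an added example, not DevFlow's generated file or its trivy.yaml; it assumes aquasecurity/trivy-action at tag 0.28.0 (any recent tag exposes the same inputs) and a Dockerfile at the repository root for the image job. The filesystem job covers lockfiles and checked-in config; the image job scans the OS packages and files of the built container, which npm audit and OSV-Scanner never see. In both, exit-code: '1' is what turns the report into a gate; without it Trivy prints findings and the job stays green.

```yaml
# Added example (not DevFlow's generated workflow): Trivy filesystem and
# image scans that fail on HIGH or CRITICAL findings.
# Assumptions: trivy-action tag 0.28.0; a Dockerfile at the repository root.
name: trivy

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  fs-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # skip advisories that have no fixed version yet
          exit-code: '1'         # without this the job reports but never fails
          format: table

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image that would ship, tagged by commit, then scan it.
      - run: docker build -t app:${{ github.sha }} .

      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: app:${{ github.sha }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
          format: table
```

ignore-unfixed keeps the gate actionable: a finding with no available fix cannot be resolved by upgrading, so it is better tracked separately than left blocking every build.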

OSV-Scanner

OSS vulnerability scanner — checks the versions pinned in your lockfile against the OSV (Open Source Vulnerabilities) database at osv.dev.

📖 Official Docs

  • ID: osv-scanner
  • Category: Security

What it does

  • Adds OSV-Scanner GitHub Actions workflow
  • Configures scanning for package-lock.json / pnpm-lock.yaml
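A lockfile scan that runs only on pull requests misses advisories published after the lockfile was last changed. The workflow below is an added example, not DevFlow's generated file; it assumes the OSV-Scanner v1 CLI installed with the Go toolchain (the --lockfile and --format flags are those of the v1 CLI) and a package-lock.json at the repository root. It runs on pull requests and on a weekly schedule, so unchanged pins are re-checked against new entries in OSV.

```yaml
# Added example (not DevFlow's generated workflow): scan the committed
# lockfile with OSV-Scanner on pull requests and on a weekly schedule.
# Assumptions: OSV-Scanner v1 CLI installed via "go install"; a
# package-lock.json at the repository root (use pnpm-lock.yaml for pnpm).
name: osv-scanner

on:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'   # Mondays 06:00 UTC, independent of code changes

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1

      # Exits non-zero when any listed vulnerability is found.
      # Scanning the lockfile rather than node_modules means nothing
      # needs to be installed, and the result matches what npm ci would pin.
      - run: osv-scanner --lockfile=package-lock.json --format table
```

For a pnpm project, point --lockfile at pnpm-lock.yaml instead; both files record the exact resolved versions that OSV matches on, which is why the scan targets the lockfile and not package.json.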
