
IAST Security Controls - Node.js #28258

Open
wants to merge 2 commits into base: master
Conversation

CarlesDD
Contributor

What does this PR do? What is the motivation?

Updates IAST security controls documentation with Node.js information:

  • Compatibility requirements
  • Examples

Merge instructions

Merge readiness:

  • Ready for merge

Merge queue is enabled in this repo. To have it automatically merged after it receives the required reviews, create the PR (from a branch that follows the <yourname>/description naming convention) and then add the following PR comment:

/merge

Additional notes


@CarlesDD CarlesDD marked this pull request as ready for review March 19, 2025 20:13
@CarlesDD CarlesDD requested a review from a team as a code owner March 19, 2025 20:13
@urseberry urseberry self-assigned this Mar 19, 2025
`INPUT_VALIDATOR:COMMAND_INJECTION:bar/foo/custom_input_validator.js:validators.validate`

#### Security control method from a transitive dependency
As long as the `node_modules` folder is present in the file path of a security control definition, all files whose file path ends with that path are evaluated as such.
Contributor


Can you explain this line in more words? I'm having trouble understanding it. In particular, what do you mean by "ends with that path?"

Is the sentence telling people how to make sure all of their security controls, including ones from transitive dependencies, are evaluated?

Member


From what I understand this sentence is explaining our internal implementation of the security control path finding algorithm. Instead we should probably explain the implications of this implementation:

Suggested change
As long as the `node_modules` folder is present in the file path of a security control definition, all files whose file path ends with that path are evaluated as such.
Because of npm's flat dependency structure, it is not possible to differentiate between a direct dependency and a transitive dependency. This means if one dependency is [defined in a security control, not sure how to word that], all instances of that dependency (direct or transitive), will be affected.

Contributor Author

@CarlesDD CarlesDD Mar 20, 2025


Thanks @simon-id. I've adjusted your suggestion and committed the changes.

@urseberry could you check it?

Member


lgtm
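To make the matching rule discussed in this thread concrete, here is an added JavaScript example (my own illustration, not code from the Datadog documentation or from this PR). It parses a control definition in the `CONTROL_TYPE:VULNERABILITY_TYPES:FILE:METHOD` shape shown in the excerpt and applies the `node_modules` suffix rule, so you can see why a control defined for a dependency also reaches a nested (transitive) copy of that dependency, which is the point simon-id raises. Two things are assumptions, not statements from the PR: a `FILE` field that does not contain `node_modules` is resolved against the project root, and several vulnerability types may be listed comma-separated. The file paths are constructed for the demonstration.

```javascript
'use strict';

// Constructed sample, in the format quoted in the PR excerpt.
const SAMPLE_CONTROL =
  'INPUT_VALIDATOR:COMMAND_INJECTION:bar/foo/custom_input_validator.js:validators.validate';

// Split "CONTROL_TYPE:VULNERABILITY_TYPES:FILE:METHOD" into its fields.
// Assumption: multiple vulnerability types are comma-separated.
function parseSecurityControl(definition) {
  const fields = definition.split(':');
  if (fields.length !== 4) {
    throw new Error(`expected 4 colon-separated fields, got ${fields.length}: ${definition}`);
  }
  const [type, vulnerabilityTypes, file, method] = fields;
  return {
    type,
    vulnerabilityTypes: vulnerabilityTypes.split(',').map((v) => v.trim()),
    file: file.replace(/\\/g, '/'), // normalise Windows separators
    method,
  };
}

// Does the control's FILE field designate the module loaded from absoluteFilePath?
// Rule quoted in the PR: when FILE contains node_modules, every file whose path
// ends with FILE matches, so a transitive copy of the dependency matches too.
// The match is anchored at a path separator so "xnode_modules/..." does not match.
// Assumption (not in the PR): a FILE field without node_modules is resolved
// relative to projectRoot and must match exactly.
function controlAppliesToFile(control, absoluteFilePath, projectRoot) {
  const candidate = absoluteFilePath.replace(/\\/g, '/');
  if (control.file.includes('node_modules/')) {
    return candidate === control.file || candidate.endsWith('/' + control.file);
  }
  const root = projectRoot.replace(/\\/g, '/').replace(/\/+$/, '');
  return candidate === `${root}/${control.file}`;
}

// Return the subset of loaded files a control applies to.
function matchingFiles(control, loadedFiles, projectRoot) {
  return loadedFiles.filter((f) => controlAppliesToFile(control, f, projectRoot));
}

// Demonstration on constructed paths: a dependency-level control reaches both
// the top-level copy and a nested copy under another package.
function demo() {
  const depControl = parseSecurityControl(
    'INPUT_VALIDATOR:COMMAND_INJECTION:node_modules/lib/validator.js:validate'
  );
  const loaded = [
    '/app/node_modules/lib/validator.js',                       // direct dependency
    '/app/node_modules/other/node_modules/lib/validator.js',    // transitive copy
    '/app/node_modules/lib/validator.js.bak',                   // different file
    '/app/xnode_modules/lib/validator.js',                      // not a node_modules path
  ];
  return matchingFiles(depControl, loaded, '/app');
}

console.log(demo());
```

Running the block prints the two `validator.js` paths, the direct and the nested copy, which is exactly what the suggested wording ("all instances of that dependency, direct or transitive, will be affected") describes.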

3 participants