{"id":16208425,"url":"https://github.com/g-rath/audit-app","last_synced_at":"2026-01-15T22:48:45.768Z","repository":{"id":43202748,"uuid":"284416184","full_name":"G-Rath/audit-app","owner":"G-Rath","description":null,"archived":false,"fork":false,"pushed_at":"2024-06-17T23:56:35.000Z","size":1290,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-15T17:07:29.670Z","etag":null,"topics":["advisories","audit-report","auditing","ignored-vulnerabilities","json","npm","npm-audit","pnpm","pnpm-audit","vulnerabilities","yarn","yarn-audit"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/audit-app","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/G-Rath.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-02T07:47:42.000Z","updated_at":"2024-06-17T23:56:38.000Z","dependencies_parsed_at":"2024-10-27T20:25:36.508Z","dependency_job_id":"3556856a-d269-4f54-9099-835271fb453a","html_url":"https://github.com/G-Rath/audit-app","commit_stats":{"total_commits":117,"total_committers":3,"mean_commits":39.0,"dds":"0.19658119658119655","last_synced_commit":"26221b19b0792a76a182dc0f0c9ae1eb16748e47"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/G-Rath%2Faudit-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/G-Rath%2Faudit-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/G-Rath%2Faudit-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/G-Rath%2Faudit-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/G-Rath","download_url":"https://codeload.github.com/G-Rath/audit-app/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246911467,"owners_count":20853658,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advisories","audit-report","auditing","ignored-vulnerabilities","json","npm","npm-audit","pnpm","pnpm-audit","vulnerabilities","yarn","yarn-audit"],"created_at":"2024-10-10T10:16:54.337Z","updated_at":"2026-01-15T22:48:45.736Z","avatar_url":"https://github.com/G-Rath.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# audit-app\n\n\u003e While `audit-app` is not officially deprecated, we strongly recommend using\n\u003e [`osv-detector`](https://github.com/G-Rath/osv-detector) instead - it does the\n\u003e exact same thing, only better! 
(and faster too)\n\nA CLI tool for auditing apps \u0026 packages using their respective package managers,\noutputting the results in a form that makes it easy to triage advisories, and\nproviding support for ignoring advisories to keep your CI passing without having\nto sacrifice security.\n\n# NPM 7 workspaces\n\nWorkspaces (which are new in `npm@7`) should be supported at about the same\nlevel as `npm audit` itself supports them; standard dependencies should be just\nfine, but there may be edge-cases with `file:` dependencies due to limitations\nin resolving the dependency tree for these types of dependencies which affect\n`npm` itself.\n\nFor `audit-app`, these edge-cases _should_ primarily manifest as some\nvulnerabilities technically being reported twice, which shouldn't prevent using\n`audit-app`.\n\nIf you have any other issues with workspaces, please let us know!\n\nAlso note that if you have a `file:` dependency that has the same name as a\npublished `npm` package (e.g. `debug`), `npm` will assume it is that published\npackage and so mark it affected by any advisories that may exist for the\ndependency's version.\n\n# Getting Started\n\nTo run `audit-app` as a once-off against an app, you can use `npx`:\n\n    npx audit-app\n\nIf you want to use `audit-app` regularly as part of your local development flow,\nyou can install it globally:\n\n    npm install --global audit-app\n\n## Options\n\nAll options can be provided in either camelCase or kebab-case format. These\noptions can be set either when calling `audit-app` via the commandline, or via a\nJSON config file.\n\n## `--directory`, `--dir`, `-d`\n\nDefault: the current working directory\n\nSets the directory that `audit-app` will operate in. This affects other\npath-related options like `--package-manager` and `--config`.\n\n    audit-app --package-manager pnpm\n\n### `--config`, `-c`\n\nDefault: `.auditapprc.json`\n\nPoints `audit-app` to the configuration file to load options from. 
By default\n`audit-app` will look for a file called `.auditapprc.json` in the directory that\nis being audited (which can be set using `--directory`).\n\nThe configuration file must contain standard JSON, with a top-level object, and\nwith no comments, trailing commas, or single-quotes:\n\n```json\n{\n  \"packageManager\": \"yarn\",\n  \"ignore\": [\"1179|mkdirp\u003eminimist\"]\n}\n```\n\nYou can disable loading from a config file using `--no-config`.\n\n### `--update-config-ignores`\n\nDefault: false\n\nIf provided, `audit-app` will attempt to update the config file pointed to by\n`--config` to contain an `ignore` property made up of the vulnerabilities found\nduring the audit.\n\n## `--package-manager`, `-p`\n\nDefault: `auto`  \nSupported values: `auto`, `npm`, `yarn`, `pnpm`\n\nSets the package manager `audit-app` will use to perform the audit. If set to\n`auto`, the package manager will be determined based on what lock files are\npresent in the directory being audited.\n\n## `--output`, `-o`\n\nDefault: `tables`  \nSupported values: `tables`, `summary`, `paths`, `json`\n\nSets the format that `audit-app` should use to output the audit report. 
Here's a\nbrief rundown of the supported formats, and their use-cases:\n\n### `summary` format\n\nOutputs the report as a summary of the vulnerabilities that were found in the\naudited app, containing details on the number of instances of packages that have\nvulnerabilities, how many packages were checked, how many vulnerabilities were\nignored, and a breakdown of the number of vulnerabilities per severity.\n\nSome of these numbers are based on values provided by the underlying package\nmanager that was used to perform the audit, so the numbers might not match with\nwhat you'd expect depending on the beliefs and implementations of the package\nmanager in use.\n\n### `tables` format\n\nOutputs the report as a collection of concise tables along with a summary of the\nreport, similar to the output of `npm audit`.\n\nUnlike `npm audit` however, the tables are per _advisory_ rather than per\n_finding path_, making the output a lot easier to manage when dealing with\nadvisories for popular packages that might appear a number of times in your\ndependency tree (e.g. `lodash`).\n\nBuilding the tables based on the advisories also means that ignored paths are\nnot factored into the table output. 
The number of paths for an advisory does\nnot factor into if it will be outputted as a table, be it vulnerable, ignored or\nmissing paths.\n\nHere is an example of the output the `tables` format results in:\n\n```\n┌────────────┬────────────────────────────────────────────────────────────────────┐\n│ low        │ Prototype Pollution (GHSA-p6mc-m468-83gw)                          │\n├────────────┼────────────────────────────────────────────────────────────────────┤\n│ Package    │ lodash v4.17.15, v3.10.1                                           │\n├────────────┼────────────────────────────────────────────────────────────────────┤\n│ Patched in │ \u003e=4.17.19                                                          │\n├────────────┼────────────────────────────────────────────────────────────────────┤\n│ More info  │ https://github.com/advisories/GHSA-p6mc-m468-83gw                  │\n└────────────┴────────────────────────────────────────────────────────────────────┘\n\n\n found 4327 vulnerabilities (including 0 ignored) across 693 packages\n\t  \\: 4327 low\n```\n\nInformation on the package the advisory pertains to, such as if the package is a\ndev dependency, the path(s) to the package, and what top-level package(s) lead\nto the affected package being included in the tree, are deliberately omitted as\nthis information is typically very verbose and unhelpful at time of output.\n\nUsually the easiest way to do this is by using your apps package manager with\nthe appropriate command(s) for listing details of packages in the dependency\ntree that meet a given semver constraint.\n\nFor example, if the app that produced the table output above was using `npm`,\nyou could get a tree showing what dependencies pulled in the affected versions\nof lodash with the following:\n\n    npm ls 'lodash@4.17.15||3.10.1'\n\nSimilarly, you could get a tree showing what, if any, versions of lodash existed\nin the tree that are patched by using the \"Patched in\" value:\n\n    npm ls 
'lodash@\u003e=4.17.19'\n\n### `paths` format\n\nOutputs a list of paths mapping each instance of an advisory to the top-level\npackage which results in them being pulled in, in the format\n`\u003cadvisory-id\u003e|\u003cdependency-path\u003e`.\n\nSince the list is sourced from the report's `vulnerable` array rather than its\n`advisories` object, it won't include vulnerabilities that have been ignored.\n\nThis allows you to easily update your `ignore` lists, as you can copy and paste\nitems from the list directly into the config.\n\nThis becomes even more powerful when combined with standard commandline\nutilities such as `grep` \u0026 clipboard utilities.\n\nOn Mac OS X you can use `pbcopy`, and for Windows you can use `clip.exe`. Linux\nhas a few different clipboards, such as `xclip`, `gpm`, and `screen`:\n\n```shell script\naudit-app --output paths | pbcopy # on OSX\naudit-app --output paths | clip   # on Windows (including WSL)\n```\n\nNote that for Windows, `clip` works in both PowerShell \u0026 Windows Subsystem for\nLinux.\n\nFiltering can be done using `grep`:\n\n```shell script\naudit-app --output paths | grep '\u003e@commitlint/load\u003e' | clip\n```\n\nYou can do `grep`-like filtering in PowerShell using `findstr`:\n\n```powershell\naudit-app --output paths | findstr '\u003e@commitlint/load\u003e' | clip\n```\n\nClipboard contents:\n\n\u003e GHSA-p6mc-m468-83gw|@commitlint/cli\u003e@commitlint/load\u003e@commitlint/resolve-extends\u003elodash\n\u003e GHSA-p6mc-m468-83gw|@commitlint/cli\u003e@commitlint/load\u003elodash\n\nIf you're using a JSON config, you can use `jq` to convert the output into a\nvalid JSON array that you can paste straight into your config:\n\n```shell script\naudit-app --output paths | grep '\u003e@commitlint/load\u003e' | jq -nR '[inputs]'\n```\n\nYou can do this in PowerShell like so:\n\n```powershell\n(audit-app --output paths).split('\\n') | ConvertTo-Json\n```\n\n### `json` format\n\nOutputs the report as JSON using `JSON.stringify` 
so that it can be easily used\nby other tools.\n\nIf you're ignoring vulnerabilities using a JSON config and have a lot of\nvulnerabilities that you wish to ignore, you can pipe the JSON output to a\nprogram like `jq` to select just the `vulnerable` array and get a valid JSON\narray as output for your clipboard:\n\n```shell script\naudit-app --output json | jq '.vulnerable'\n```\n\nIf you wish to select only some vulnerabilities, you can use filters like so:\n\n```shell script\naudit-app --output json | jq '.vulnerable | map(select(startswith(\"GHSA-w7rc-rwvf-8q5r\")))'\n```\n\nIf you're using PowerShell, you can do this without `jq` like so:\n\n```powershell\n(audit-app --output json | ConvertFrom-Json).vulnerable | ConvertTo-Json\n```\n\n## `--ignore`, `-i`\n\nDefault: []\n\nTells `audit-app` to ignore a vulnerability when determining if the audit\nresults should result in a failed audit run.\n\nIn the context of `audit-app`, a \"vulnerability\" is an instance of an advisory,\nrepresented by a string made up of the advisory's id, and the path to the\npackage on the dependency tree that is affected by the advisory, separated by a\npipe (`|`); for example:\n\n    GHSA-abc1-123a-xyz9|mkdirp\u003eminimist\n\nYou can provide this flag multiple times to ignore multiple vulnerabilities:\n\n```shell script\naudit-app \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|@commitlint/cli\u003e@commitlint/lint\u003e@commitlint/parse\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop' \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|@commitlint/config-conventional\u003econventional-changelog-conventionalcommits\u003ecompare-func\u003edot-prop' \\\n  --ignore 
'GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/commit-analyzer\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop' \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/release-notes-generator\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop' \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/release-notes-generator\u003econventional-changelog-writer\u003ecompare-func\u003edot-prop' \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/npm\u003enpm\u003elibnpx\u003eupdate-notifier\u003econfigstore\u003edot-prop' \\\n  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/npm\u003enpm\u003eupdate-notifier\u003econfigstore\u003edot-prop'\n```\n\nHowever, we recommend using an `.auditapprc.json` file to make it easier to\ntrack and update the list of ignored vulnerabilities:\n\n```json\n{\n  \"packageManager\": \"yarn\",\n  \"ignore\": [\n    \"GHSA-ff7x-qrg7-qggm|@commitlint/cli\u003e@commitlint/lint\u003e@commitlint/parse\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop\",\n    \"GHSA-ff7x-qrg7-qggm|@commitlint/config-conventional\u003econventional-changelog-conventionalcommits\u003ecompare-func\u003edot-prop\",\n    \"GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/commit-analyzer\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop\",\n    \"GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/release-notes-generator\u003econventional-changelog-angular\u003ecompare-func\u003edot-prop\",\n    \"GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/release-notes-generator\u003econventional-changelog-writer\u003ecompare-func\u003edot-prop\",\n    \"GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/npm\u003enpm\u003elibnpx\u003eupdate-notifier\u003econfigstore\u003edot-prop\",\n    
\"GHSA-ff7x-qrg7-qggm|semantic-release\u003e@semantic-release/npm\u003enpm\u003eupdate-notifier\u003econfigstore\u003edot-prop\"\n  ]\n}\n```\n\nYou can have `audit-app` attempt to update the config for you with the\n`--update-config-ignores` flag.\n\n## How it works\n\nWhen run, `audit-app` calls the audit command of either `npm`, `yarn`, or\n`pnpm`, and parses the results, normalising the output into an \"audit report\".\n\nAn audit report is an object with the following structure:\n\n```ts\nexport interface AuditReport {\n  statistics: Statistics;\n  advisories: Advisories;\n  vulnerable: string[];\n  ignored: string[];\n  missing: string[];\n}\n```\n\nThe `statistics` property holds an object that contains optional details about\naspects of the auditing run, and its results, such as counts on the different\npackage types that were involved (total, dev, optional, etc.).\n\nThe `advisories` property is an object containing the advisories that were found\nto affect at least one package in the tree during auditing, mapped by their id.\n\nThe `vulnerable`, `ignored`, and `missing` properties are arrays which list the\nvulnerabilities that were (or in the case of `missing`, were not) found, based\non the findings for each advisory.\n\nIn the context of `audit-app`, a \"vulnerability\" is an instance of an advisory,\nrepresented by a string made up of the advisory's id, and the path to the\npackage on the dependency tree that is affected by the advisory, separated by a\npipe (`|`).\n\nAfter auditing has finished, `audit-app` runs through the findings of each\nadvisory to create a list of the vulnerabilities that exist in the app that was\njust audited, which is then cross-referenced with a list of vulnerabilities that\nshould be ignored, with any vulnerability found in both lists being removed from\n`vulnerable`. 
If a vulnerability is found in `ignored` that is not in\n`vulnerable`, it's moved out of the `ignored` array into `missing`.\n\nThe ignored list is populated using the `ignore` flag, which can be specified\nmultiple times (quote the value, since the `|` separator would otherwise be\ninterpreted as a shell pipe):\n\n```shell script\naudit-app \\\n  --ignore 'GHSA-vh95-rmgr-6w4m|mkdirp\u003eminimist'\n```\n\nThere is no support for ignoring an entire advisory, because doing so would mean\nnew instances of an advisory could be introduced via an unknown path. For the\nsame reason you also cannot ignore all advisories of a specific level.\n\nWhile it's possible that a very popular package could get an advisory posted\nagainst it that goes unpatched for a long period, resulting in a very large ignore\nlist, there are two things to keep in mind:\n\n1. Your configuration file represents the security health of your application -\n   the fewer vulnerabilities you need to ignore, the healthier your application\n   is. This also means you should apply the same way of thinking as you would to\n   aspects such as size, dependency count, performance, etc.\n\n2. Advisories are _known_ vulnerabilities, meaning bad actors can find out\n   exactly how to exploit a package with very little work.\n\nUltimately, in the same way that you'd consider replacing a dependency that was\ncreating a bottleneck for your application, or a dependency that was excessively\nlarge, you should consider replacing a dependency if it's making your app less\nsecure.\n\nThe `paths` output format (detailed above) can be useful in updating your\nignores list by providing a list of all the current vulnerabilities in your app's\ndependency tree that can be copied \u0026 pasted.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fg-rath%2Faudit-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fg-rath%2Faudit-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fg-rath%2Faudit-app/lists"}