https://github.com/nashaddams/audit

Audit JSR, deno.land, NPM, and ESM packages with Deno
# audit

[![JSR](https://jsr.io/badges/@nashaddams/audit)](https://jsr.io/@nashaddams/audit)
[![JSR score](https://jsr.io/badges/@nashaddams/audit/score)](https://jsr.io/@nashaddams/audit)
[![main](https://github.com/nashaddams/audit/actions/workflows/tests.yml/badge.svg)](https://github.com/nashaddams/audit/actions)

A tool for auditing [JSR](https://jsr.io), [deno.land](https://deno.land/x),
[NPM](https://www.npmjs.com), and [ESM](https://esm.sh) packages with
[Deno](https://deno.com) utilizing the
[GitHub Advisory Database](https://github.com/advisories).

## Workflow

- Extract the packages from a given lock file
- Resolve the corresponding GitHub repositories
  - JSR via `api.jsr.io`
  - deno.land via `cdn.deno.land`
  - NPM & ESM via `registry.npmjs.org`
- Fetch published vulnerabilities via `api.github.com`
- Create a report

## Usage

### Via `deno run`

```sh
deno run -A jsr:@nashaddams/audit [--help]
```

Running this command prints the audit results to the console, creates a
report in the output directory, and returns an exit code indicating whether
vulnerabilities have been found and matched (`1`) or not (`0`).

### Via `import`

Alternatively, `audit` can also be imported and used as a library function:

```ts
import { audit, runAudit } from "@nashaddams/audit";

// Programmatic use; `audit` takes an optional `AuditOptions` object.
audit();

// CLI wrapper around `audit` (parses arguments, prints, sets the exit code).
runAudit();
```

See [the docs](https://jsr.io/@nashaddams/audit/doc) for further details.

### HTML report

The `report` subcommand serves the generated audit report:

```sh
deno run -A jsr:@nashaddams/audit report
```

### Ignoring vulnerabilities

Vulnerabilities for a specific package can be excluded by adding the package
name and CVE ID(s) or GHSA ID(s) to the `audit.json` configuration file:

```json
{
  "ignore": {
    "@std/bytes": ["CVE-2024-12345"],
    "@std/cli": ["GHSA-1234-fwm1-12wm"]
  }
}
```
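The workflow above (extract packages from the lock file, match advisories, report with an exit code) combined with this ignore list, as an added example that is not part of the audit project: the lock-file specifiers, the advisory records and the GHSA IDs for `@std/bytes` and `lodash` are constructed for illustration; only the two ignore entries come from the README.

```typescript
// Added example, not code from the audit project: parse lock-file package
// specifiers and apply an `audit.json` ignore list to matched advisories.

type Registry = "jsr" | "npm";
interface LockedPackage { registry: Registry; name: string; version: string }
interface Advisory { pkg: string; ghsaId: string; cveId?: string }
interface IgnoreConfig { ignore?: Record<string, string[]> }

// Parse "jsr:@std/bytes@1.0.2" or "npm:lodash@4.17.21"; anything else
// (e.g. a deno.land URL import) is returned as unresolved (null).
function parseSpecifier(spec: string): LockedPackage | null {
  const m = /^(jsr|npm):((?:@[^/@]+\/)?[^@/]+)@([^@]+)$/.exec(spec);
  if (!m) return null;
  return { registry: m[1] as Registry, name: m[2] ?? "", version: m[3] ?? "" };
}

// Split advisories into those still reported and those silenced by the
// per-package ignore list. IDs compare case-insensitively, so "ghsa-..."
// in the config still matches the advisory's canonical upper-case ID.
function applyIgnores(advisories: Advisory[], config: IgnoreConfig) {
  const norm = (s: string) => s.trim().toUpperCase();
  const ignored: Advisory[] = [];
  const reported: Advisory[] = [];
  for (const adv of advisories) {
    const ids = (config.ignore?.[adv.pkg] ?? []).map(norm);
    const hit = ids.includes(norm(adv.ghsaId)) ||
      (adv.cveId !== undefined && ids.includes(norm(adv.cveId)));
    (hit ? ignored : reported).push(adv);
  }
  return { reported, ignored };
}

// Exit code semantics from the README: 1 if any advisory remains, else 0.
function exitCode(reported: Advisory[]): 0 | 1 {
  return reported.length > 0 ? 1 : 0;
}

// Constructed sample data: the specifiers, the GHSA IDs for @std/bytes and
// lodash, and the lodash advisory itself are made up; the ignore entries
// are the README's own.
const lockSpecifiers = ["jsr:@std/bytes@1.0.2", "jsr:@std/cli@1.0.0", "npm:lodash@4.17.21"];
const packages = lockSpecifiers.map(parseSpecifier).filter((p): p is LockedPackage => p !== null);
const advisories: Advisory[] = [
  { pkg: "@std/bytes", ghsaId: "GHSA-aaaa-bbbb-cccc", cveId: "CVE-2024-12345" },
  { pkg: "@std/cli", ghsaId: "GHSA-1234-fwm1-12wm" },
  { pkg: "lodash", ghsaId: "GHSA-xxxx-yyyy-zzzz" },
];
const config: IgnoreConfig = { ignore: { "@std/bytes": ["CVE-2024-12345"], "@std/cli": ["GHSA-1234-fwm1-12wm"] } };
const result = applyIgnores(advisories, config);
console.log(`${packages.length} packages, ${result.reported.length} reported, exit ${exitCode(result.reported)}`);
```

With the sample data only the constructed `lodash` advisory survives the ignore list, so the run would exit with `1`.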

### Granular `run` permissions

For convenience, the previous `run` instructions use the `-A` permission flag
which grants all permissions to `audit`. Alternatively, granular flags can be
passed instead:

| Command        | Permissions                                                                                                                                          |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| `audit`        | `-RW=. -E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM -N=api.jsr.io,cdn.deno.land,registry.npmjs.org,api.github.com` |
| `audit report` | `-R=. -E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM -N=0.0.0.0`                                                           |

#### Permission details

| Permission | Usage |
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------ |
| `-R=.` | Read the lock file and audit report. |
| `-W=.` | Write the audit report. |
| `-E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM` | Used for audit configurations, authenticated GitHub API requests and the terminal spinner. |
| `-N=api.jsr.io,cdn.deno.land,registry.npmjs.org,api.github.com` | Fetch the package information, and GitHub security advisories. |
| `-N=0.0.0.0` | Serve the generated audit report. |