Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/oke-py/npm-audit-action

GitHub Action to run `npm audit`
https://github.com/oke-py/npm-audit-action

github-action npm security vulnerability

Last synced: about 2 months ago
JSON representation

GitHub Action to run `npm audit`

Host: GitHub
URL: https://github.com/oke-py/npm-audit-action
Owner: oke-py
License: mit
Created: 2019-12-08T10:17:12.000Z (almost 5 years ago)
Default Branch: main
Last Pushed: 2024-06-16T10:16:46.000Z (3 months ago)
Last Synced: 2024-07-05T13:39:21.461Z (3 months ago)
Topics: github-action, npm, security, vulnerability
Language: TypeScript
Homepage:
Size: 2.78 MB
Stars: 41
Watchers: 4
Forks: 24
Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # npm audit action

[![Coverage Status](https://coveralls.io/repos/github/oke-py/npm-audit-action/badge.svg?branch=main)](https://coveralls.io/github/oke-py/npm-audit-action?branch=main)

GitHub Action to run `npm audit`

## Feature

### Create a Pull Request comment

If vulnerabilities are found by `npm audit`, Action triggered by PR creates a comment.

### Create an Issue

If vulnerabilities are found by `npm audit`, Action triggered by push, schedule creates the following GitHub Issue.

![image](https://github.com/oke-py/npm-audit-action/blob/main/issue.png)

## Usage

### Inputs

|Parameter|Required|Default Value|Description|

|:--:|:--:|:--:|:--|

|audit_level|false|low|The value of `--audit-level` flag|

|create_issues|false|true|Flag to create issues when vulnerabilities are found|

|create_pr_comments|false|true|Flag to create pr comments when vulnerabilities are found|

|dedupe_issues|false|false|Flag to de-dupe against open issues|

|github_context|false|`${{ toJson(github) }}`|The `github` context|

|github_token|true|N/A|GitHub Access Token.
${{ secrets.GITHUB_TOKEN }} is recommended.|

|issue_assignees|false|N/A|Issue assignees (separated by commma)|

|issue_labels|false|N/A|Issue labels (separated by commma)|

|issue_title|false|npm audit found vulnerabilities|Issue title|

|json_flag|false|false|Run `npm audit` with `--json`|

|production_flag|false|false|Run `npm audit` with `--omit=dev`|

|working_directory|false|N/A|The directory which contains package.json|

### Outputs

|Parameter name|Description|

|:--:|:--|

|npm_audit|The output of the npm audit report in a text format|

## Example Workflow

```yaml

name: npm audit

on:

  pull_request:

  push:

    branches:

      - main

      - 'releases/*'

# on:

#   schedule:

#     - cron: '0 10 * * *'

jobs:

  scan:

    name: npm audit

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v3

      - name: install dependencies

        run: npm ci

      - uses: oke-py/npm-audit-action@v2

        with:

          audit_level: moderate

          github_token: ${{ secrets.GITHUB_TOKEN }}

          issue_assignees: oke-py

          issue_labels: vulnerability,test

          dedupe_issues: true

```

- - -

This action is inspired by [homoluctus/gitrivy](https://github.com/homoluctus/gitrivy).