Skip to content

oke-py/npm-audit-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

363 Commits
.clinerules
.clinerules
 
 
.devcontainer
.devcontainer
 
 
.github
.github
 
 
.licenses/npm
.licenses/npm
 
 
__fixtures__
__fixtures__
 
 
__tests__
__tests__
 
 
dist
dist
 
 
src
src
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.licensed.yml
.licensed.yml
 
 
.markdown-lint.yml
.markdown-lint.yml
 
 
.node-version
.node-version
 
 
.prettierignore
.prettierignore
 
 
.prettierrc.yml
.prettierrc.yml
 
 
.yaml-lint.yml
.yaml-lint.yml
 
 
DEVELOPMENT.md
DEVELOPMENT.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
eslint.config.mjs
eslint.config.mjs
 
 
issue.png
issue.png
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
rollup.config.ts
rollup.config.ts
 
 
tsconfig.base.json
tsconfig.base.json
 
 
tsconfig.eslint.json
tsconfig.eslint.json
 
 
tsconfig.json
tsconfig.json
 
 
vitest.config.ts
vitest.config.ts
 
 

Repository files navigation

npm audit action

Coverage Status

GitHub Action to run npm audit

Feature

Create a Pull Request comment

If vulnerabilities are found by npm audit, Action triggered by PR creates a comment.

Create an Issue

If vulnerabilities are found by npm audit, Action triggered by push, schedule creates the following GitHub Issue.

image

Usage

Inputs

Parameter Required Default Value Description
audit_level false low The value of --audit-level flag
create_issues false true Flag to create issues when vulnerabilities are found
create_pr_comments false true Flag to create pr comments when vulnerabilities are found
dedupe_issues false false Flag to de-dupe against open issues
github_context false ${{ toJson(github) }} The github context
github_token true N/A GitHub Access Token.
${{ secrets.GITHUB_TOKEN }} is recommended.
issue_assignees false N/A Issue assignees (separated by commma)
issue_labels false N/A Issue labels (separated by commma)
issue_title false npm audit found vulnerabilities Issue title
json_flag false false Run npm audit with --json
production_flag false false Run npm audit with --omit=dev
working_directory false N/A The directory which contains package.json

Outputs

Parameter name Description
npm_audit The output of the npm audit report in a text format

Example Workflow

name: npm audit

on:
  pull_request:
  push:
    branches:
      - main
      - 'releases/*'
# on:
#   schedule:
#     - cron: '0 10 * * *'

jobs:
  scan:
    name: npm audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: install dependencies
        run: npm ci
      - uses: oke-py/npm-audit-action@v3
        with:
          audit_level: moderate
          github_token: ${{ secrets.GITHUB_TOKEN }}
          issue_assignees: oke-py
          issue_labels: vulnerability,test
          dedupe_issues: true

Development

Running Tests

This project uses Vitest for testing. To run the tests, use the following command:

npm run test

Vitest will execute all test files and provide a detailed report of the results. For coverage reports, you can use:

npm run test:coverage

Ensure all dependencies are installed before running the tests:

npm ci

This action is inspired by homoluctus/gitrivy.

About

GitHub Action to run `npm audit`

Topics

npm security vulnerability github-action

Resources

Readme

License

MIT license
Activity

Stars

46 stars

Watchers

3 watching

Forks

27 forks
Report repository

Releases 32

v3.0.0 Latest
May 3, 2025
+ 31 releases

Packages

No packages published

Contributors 9

Languages