Remedy-Robotics/yarn-npm-audit-action
yarn npm audit action

GitHub Action to run yarn npm audit

Features

Create a Pull Request comment

If `yarn npm audit` finds vulnerabilities and the workflow was triggered by a pull request, the Action posts a comment on that PR.

Create an Issue

If `yarn npm audit` finds vulnerabilities and the workflow was triggered by a push or schedule event, the Action opens a GitHub Issue like the one shown below.


Usage

Inputs

| Parameter | Required | Default Value | Description |
|---|---|---|---|
| severity_level | false | low | The value passed to the `--severity` flag (`info`, `low`, `moderate`, `high`, `critical`) |
| create_issues | false | true | Create an issue when vulnerabilities are found |
| create_pr_comments | false | true | Create a PR comment when vulnerabilities are found |
| dedupe_issues | false | false | De-duplicate against open issues instead of opening a new one each run |
| github_context | false | ${{ toJson(github) }} | The github context |
| github_token | true | N/A | GitHub access token. It must be allowed to create issues and PR comments in the repository; `${{ secrets.MY_GITHUB_ACCESS_TOKEN }}` is recommended. |
| issue_assignees | false | N/A | Issue assignees (comma-separated) |
| issue_labels | false | N/A | Issue labels (comma-separated) |
| issue_title | false | npm audit found vulnerabilities | Issue title |
| json_flag | false | false | Run `yarn npm audit` with `--json` |
| production_flag | false | false | Run `yarn npm audit` with `--environment production` |
| recursive_flag | false | false | Run `yarn npm audit` with `--recursive` |
| working_directory | false | N/A | The directory that contains package.json |

Outputs

| Parameter name | Description |
|---|---|
| npm_audit | The output of the npm audit report in text format |
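The example below is added for this README and is not the Action's own source code. It shows how the behaviour described under Features and Inputs fits together: a severity threshold like `severity_level`, the pull-request-versus-push split, and `dedupe_issues` against open issues. Three things are assumptions made for illustration: the one-JSON-object-per-line report shape (the real Action passes `severity_level` straight to `yarn npm audit --severity` and lets yarn filter), that de-duplication matches on the exact `issue_title`, and the constructed sample report with placeholder package names, which are not real advisories.

```typescript
// Added example, not the action's source. Report line shape, title-based
// de-duplication and the sample report below are assumptions.

export type Severity = "info" | "low" | "moderate" | "high" | "critical";

// Rank used to decide whether a finding meets the `severity_level` threshold.
const SEVERITY_RANK: Record<Severity, number> = {
  info: 0, low: 1, moderate: 2, high: 3, critical: 4,
};

export interface Finding {
  pkg: string;
  severity: Severity;
  issue: string;
  url: string;
  vulnerableVersions: string;
}

// ASSUMED report shape: one JSON object per line with the package name in
// `value` and advisory fields under `children`. Malformed lines are skipped
// rather than aborting, so one odd line cannot hide the other findings.
export function parseAuditLines(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let obj: any;
    try {
      obj = JSON.parse(line);
    } catch {
      continue;
    }
    const c = obj?.children;
    const sev = String(c?.Severity ?? "").toLowerCase();
    if (typeof obj?.value !== "string" || !(sev in SEVERITY_RANK)) continue;
    findings.push({
      pkg: obj.value,
      severity: sev as Severity,
      issue: String(c.Issue ?? ""),
      url: String(c.URL ?? ""),
      vulnerableVersions: String(c["Vulnerable Versions"] ?? ""),
    });
  }
  return findings;
}

// Local equivalent of the `--severity` threshold: keep findings at or above it.
export function atOrAbove(findings: Finding[], level: Severity): Finding[] {
  const min = SEVERITY_RANK[level];
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= min);
}

// Render the issue / PR comment body. Advisory text comes from the registry
// and is untrusted, so it goes inside a fenced block instead of being
// interpolated into free-form markdown.
export function renderBody(findings: Finding[]): string {
  const fence = "`".repeat(3);
  const lines = findings.map(
    (f) => `${f.pkg} [${f.severity}] ${f.issue} (${f.vulnerableVersions}) ${f.url}`,
  );
  return `yarn npm audit found vulnerabilities:\n\n${fence}\n${lines.join("\n")}\n${fence}\n`;
}

export interface OpenIssue { number: number; title: string; }

// `dedupe_issues`, assumed here to match on exact title.
export function findOpenDuplicate(open: OpenIssue[], title: string): OpenIssue | null {
  return open.find((i) => i.title === title) ?? null;
}

export type Decision =
  | { kind: "nothing" }
  | { kind: "pr_comment"; body: string }
  | { kind: "create_issue"; title: string; body: string }
  | { kind: "duplicate_issue"; number: number };

// One run of the action, driven by the inputs from the README table.
export function decide(opts: {
  eventName: string;          // github.event_name from the github context
  report: string;             // raw audit output
  severityLevel: Severity;    // severity_level
  createIssues: boolean;      // create_issues
  createPrComments: boolean;  // create_pr_comments
  dedupeIssues: boolean;      // dedupe_issues
  issueTitle: string;         // issue_title
  openIssues: OpenIssue[];    // open issues fetched from the repo by the real action
}): Decision {
  const findings = atOrAbove(parseAuditLines(opts.report), opts.severityLevel);
  if (findings.length === 0) return { kind: "nothing" };
  const body = renderBody(findings);
  if (opts.eventName === "pull_request") {
    return opts.createPrComments ? { kind: "pr_comment", body } : { kind: "nothing" };
  }
  if (!opts.createIssues) return { kind: "nothing" };
  if (opts.dedupeIssues) {
    const dup = findOpenDuplicate(opts.openIssues, opts.issueTitle);
    if (dup) return { kind: "duplicate_issue", number: dup.number };
  }
  return { kind: "create_issue", title: opts.issueTitle, body };
}

// Constructed sample report: placeholder packages and advisories, not real ones.
export const SAMPLE_REPORT = [
  JSON.stringify({ value: "example-pkg-a", children: { Severity: "low",
    Issue: "Placeholder advisory A", URL: "https://example.invalid/a", "Vulnerable Versions": "<1.2.3" } }),
  JSON.stringify({ value: "example-pkg-b", children: { Severity: "high",
    Issue: "Placeholder advisory B", URL: "https://example.invalid/b", "Vulnerable Versions": "<4.0.0" } }),
  "this line is not JSON and is skipped",
].join("\n");
```

With `severity_level: moderate` only the `high` placeholder finding survives; on a `push` with `dedupe_issues: true` and an open issue already carrying the configured title, the run reports that issue number instead of opening another.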

Example Workflow

```yaml
name: yarn npm audit

on:
  pull_request:
  push:
    branches:
      - main
      - 'releases/*'
# on:
#   schedule:
#     - cron: '0 10 * * *'

jobs:
  scan:
    name: npm audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: install dependencies
        run: corepack enable && yarn install
      - uses: Remedy-Robotics/yarn-npm-audit-action@v2
        with:
          severity_level: moderate
          # The token must be allowed to create issues and PR comments.
          # Repository secrets are not exposed to workflows triggered by
          # pull requests from forks, so PR comments only work for branches
          # in the same repository.
          github_token: ${{ secrets.MY_GITHUB_ACCESS_TOKEN }}
          issue_assignees: campbell-remedy
          issue_labels: vulnerability,test
          dedupe_issues: true
          recursive_flag: true
```

This action is inspired by homoluctus/gitrivy.
