## Overview

This module is intended to be consumed by your favourite continuous integration tool to halt execution if npm audit finds vulnerabilities at or above the specified threshold.

## Set up

Assuming medium, high, and critical severity vulnerabilities prevent build continuation:

For Travis-CI using PR builds (recommended):

```yaml
before_install:
  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm i -g audit-ci@^1 && audit-ci -m; fi
```

For Travis-CI not using PR builds (not recommended):

```yaml
before_install:
  - npm i -g audit-ci@^1 && audit-ci -m
```

For CircleCI:

```yaml
# ... excludes set up for job
steps:
  - checkout
  - run:
      name: update-npm
      # npm audit requires npm 6 or later
      command: 'sudo npm i -g npm@^6'
  - restore_cache:
      key: dependency-cache-{{ checksum "package.json" }}
  - run:
      name: install-and-run-audit-ci
      command: 'sudo npm i -g audit-ci@^1 && audit-ci -m'
  - run:
      name: install-npm
      command: npm i
```

## Installing as a devDependency

For maximum security, and to speed up a cached CI build, consider adding this package as a devDependency pinned to a static version:

```shell
npm install --save-dev audit-ci@{STATIC_VERSION}
```

```yaml
scripts:
  # This script should be the first that runs to limit the risk of
  # executing a script from a compromised NPM package.
  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then audit-ci -l; fi
```

## Options

| Args | Alias | Description |
| --- | --- | --- |
| -l | --low | Prevents integration with low or higher vulnerabilities (default false) |
| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default false) |
| -h | --high | Prevents integration with high or critical vulnerabilities (default false) |
| -c | --critical | Prevents integration only with critical vulnerabilities (default false) |
| -r | --report | Shows the `npm audit --json` report (default true) |
| -w | --whitelist | Vulnerable modules to whitelist from preventing integration (default none) |

## Examples

Prevents build on moderate, high, or critical vulnerabilities; ignores low:

```shell
npm i -g audit-ci@^1 && audit-ci -m
```

Prevents build on any vulnerability except lodash (low) and base64url (moderate):

```shell
npm i -g audit-ci@^1 && audit-ci -l -w lodash base64url
```

Prevents build with critical vulnerabilities, using aliases and without showing the report:

```shell
npm i -g audit-ci@^1 && audit-ci --critical --report false
```

Continues build regardless of vulnerabilities, but shows the report:

```shell
npm i -g audit-ci@^1 && audit-ci
```
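The threshold-and-whitelist decision behind the options and examples above, written out as an added illustration (not audit-ci's own code). It assumes the npm 6 `npm audit --json` shape, where `advisories` is an object keyed by advisory id and each entry carries `module_name` and `severity`; the sample report and its module names are constructed.

```javascript
// Severity ranks, lowest to highest, as used by npm audit.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Decide whether a build should be halted.
//  report:    parsed `npm audit --json` object (npm 6 shape assumed)
//  threshold: lowest severity that fails the build, or null for report-only
//  whitelist: module names whose advisories are ignored
function evaluateAudit(report, threshold, whitelist = []) {
  const advisories = Object.values(report.advisories || {});
  const minRank = threshold === null ? Infinity : SEVERITIES.indexOf(threshold);
  if (threshold !== null && minRank < 0) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  const allowed = new Set(whitelist);
  // An advisory fails the build when its module is not whitelisted and its
  // severity is at or above the threshold.
  const failing = advisories.filter(
    (a) => !allowed.has(a.module_name) && SEVERITIES.indexOf(a.severity) >= minRank,
  );
  return {
    fail: failing.length > 0,
    failing: failing.map((a) => `${a.module_name} (${a.severity})`),
  };
}

// Constructed sample report in the npm 6 `npm audit --json` shape; the
// advisory ids and the "example-dep" module are placeholders.
const SAMPLE_REPORT = {
  advisories: {
    "1": { module_name: "lodash", severity: "low" },
    "2": { module_name: "base64url", severity: "moderate" },
    "3": { module_name: "example-dep", severity: "high" },
  },
};

// Mirrors `audit-ci -l -w lodash base64url`: only example-dep (high) remains.
console.log(evaluateAudit(SAMPLE_REPORT, "low", ["lodash", "base64url"]));
// Mirrors `audit-ci` with no threshold: report only, never fails.
console.log(evaluateAudit(SAMPLE_REPORT, null));
```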

## Q&A

### Why run audit-ci on PR builds for Travis and not the push builds?

If audit-ci runs on the PR build and not on the push build, you can continue to push new code and open PRs in parallel with the actual vulnerability fix. However, those PRs can't be merged until the fix is in place. Since audit-ci performs the audit on the PR build, it always sees the most up-to-date dependencies, whereas the push build would require a manual merge with master before it could pass the audit.