audit-ci
This module is intended to be consumed by your favourite continuous integration tool tohalt execution if npm audit or yarn audit finds vulnerabilities at or above the specifiedthreshold while ignoring allowlisted advisories.
Requirements
- Node >=10 (except Yarn Berry, which requires Node >=12.13.0)
- (Optional) Yarn ^1.12.3 || Yarn >=2.4.0
Set up
Install audit-ci during your CI environment using npx or as a devDependency.
npx audit-ci --moderate
Alternatively, for the devDependency approach with NPM:
npm install --save-dev audit-ci
or, using yarn:
yarn add -D audit-ci
The next section gives examples using audit-ci in various CI environments.It assumes that medium, high, and critical severity vulnerabilities prevent build continuation.For simplicity, the examples use npx and do not use a config file.
GitHub Actions
steps:
- uses: actions/checkout@v2
- name: Audit for vulnerabilities
run: npx audit-ci --moderate
CircleCI
# ... excludes set up for job
steps:
- checkout
- run:
name: update-npm
command: "sudo npm install -g npm"
- restore_cache:
key: dependency-cache-{{ checksum "package.json" }}
- run:
name: install-npm
command: "npm install --no-audit"
# This should run immediately after installation to reduce
# the risk of executing a script from a compromised NPM package.
- run:
name: run-audit-ci
command: npx audit-ci --moderate
# If you use a pull-request-only workflow,
# it's better to not run audit-ci on `main` and only run it on pull requests.
# For more info: https://github.com/IBM/audit-ci/issues/69
# For a PR-only workflow, use the below command instead of the above command:
#
# command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then audit-ci --moderate ; fi
Travis-CI
Auditing only on PR builds is recommended
scripts:
# This script should be the first that runs to reduce the risk of
# executing a script from a compromised NPM package.
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --moderate; fi
For Travis-CI not using PR builds:
scripts:
- npx audit-ci --moderate
Options
| Args | Alias | Description |
|---|---|---|
| -l | --low | Prevents integration with low or higher vulnerabilities (default false) |
| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default false) |
| -h | --high | Prevents integration with high or critical vulnerabilities (default false) |
| -c | --critical | Prevents integration only with critical vulnerabilities (default false) |
| -p | --package-manager | Choose a package manager [choices: auto, npm, yarn] (default auto) |
| -a | --allowlist | Vulnerable modules, advisories, and paths to allowlist from preventing integration (default none) |
| -o | --output-format | The format of the output of audit-ci [choices: text, json] (default text) |
| -d | --directory | The directory containing the package.json to audit (default ./) |
| --pass-enoaudit | Pass if no audit is performed due to the registry returning ENOAUDIT (default false) |
|
| --show-found | Show allowlisted advisories that are found (default true) |
|
| --show-not-found | Show allowlisted advisories that are not found (default true) |
|
| --registry | The registry to resolve packages by name and version (default to unspecified) | |
| --report-type | Format for the audit report results [choices: important, summary, full] (default important) |
|
| --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default 5) |
|
| --config | Path to JSON config file | |
| --skip-dev | Skip auditing devDependencies (default false) |
|
| --advisories | [DEPRECATED] Vulnerable advisory ids to whitelist from preventing integration (default none) |
|
| -w | --whitelist | [DEPRECATED] Vulnerable modules to whitelist from preventing integration (default none) |
| --path-whitelist | [DEPRECATED] Vulnerable module paths to whitelist from preventing integration (default none) |
The options
--advisories,--path-whitelist,--whitelist, and-ware deprecated in favour of-a(alias--allowlist)which merge the functionality of all of the deprecated arguments into one argument.
(Optional) Config file specification
A config file can manage auditing preferences audit-ci. The config file's keys match the CLI arguments.
{
// Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
"low": <boolean>, // [Optional] defaults `false`
"moderate": <boolean>, // [Optional] defaults `false`
"high": <boolean>, // [Optional] defaults `false`
"critical": <boolean>, // [Optional] defaults `false`
"allowlist": <(string | number)[]>, // [Optional] default `[]`
"report-type": <string>, // [Optional] defaults `important`
"package-manager": <string>, // [Optional] defaults `"auto"`
"output-format": <string>, // [Optional] defaults `"text"`
"pass-enoaudit": <boolean>, // [Optional] defaults `false`
"show-found": <boolean>, // [Optional] defaults `true`
"show-not-found": <boolean>, // [Optional] defaults `true`
"registry": <string>, // [Optional] defaults `undefined`
"retry-count": <number>, // [Optional] defaults 5
"skip-dev": <boolean>, // [Optional] defaults `false`
"advisories": <number[]>, // [Deprecated, optional] defaults `[]`
"path-whitelist": <string[]>, // [Deprecated, optional] defaults `[]`
"whitelist": <string[]> // [Deprecated, optional] defaults `[]`
}
Review the examples section for an example of config file usage.
Refrain from using
"directory"within the config file becausedirectoryis relative to where the command is run, rather than the directory where the config file exists.
Examples
Prevents build on moderate, high, or critical vulnerabilities; ignores low
npx audit-ci -m
Prevents build on any vulnerability except advisory 690 and all of lodash and base64url, don't show allowlisted
npx audit-ci -l -a 690 lodash base64url --show-found false
Prevents build with critical vulnerabilities showing the full report
audit-ci --critical --report-type full
Continues build regardless of vulnerabilities, but show the summary report
npx audit-ci --report-type summary
Example config file and different directory usage
test/npm-config-file/audit-ci.json
{
"low": true,
"package-manager": "auto",
"allowlist": [
100,
101,
"example1",
"example2",
"52|example3",
"880|example4",
"880|example5>example4",
"*|example6>*"
],
"registry": "https://registry.npmjs.org"
}
npx audit-ci --directory test/npm-config-file --config test/npm-config-file/audit-ci.json
Q&A
Why run audit-ci on PR builds for Travis-CI and not the push builds?
If audit-ci is run on the PR build and not on the push build, you can continue to push new code and create PRs parallel to the actual vulnerability fix. However, they can't be merged until the fix is implemented. Since audit-ci performs the audit on the PR build, it will always have the most up-to-date dependencies vs. the push build, which would require a manual merge with main before passing the audit.
NPM/Yarn is returning ENOAUDIT and is breaking my build, what do I do?
The config option --pass-enoaudit allows passing if no audit is performed due to the registry returning ENOAUDIT. It is false by default to reduce the risk of merging in a vulnerable package. However, if the convenience of passing is more important for your project then you can add --pass-enoaudit into the CLI or add it to the config.
-
MySQL Audit Plugin 一、Audit plugin用于对Mysql连接和操作进行审计,分别对应以下两个事件见(/usr/include/mysql/plugin_audit.h) 1. MYSQL_AUDIT_CONNECTION_CLASS 连接事件又细分为: MYSQL_AUDIT_CONNECTION_CONNECT 0 MYSQL_AUDIT_CONNECTION_DISC
-
方式一: gcc main.c 解释: 会生成 a.out 文件 方式二: gcc main.c -o main 注意:此写法等价于:gcc -o main main.c 解释: gcc main.c 生成 a.out , -o main 是将 a.out 改名为 main ,即 main 是最终生成的可执行文件. 补充:如何理解:gcc main.c -o main 等价于:gcc -o mai
-
ORA-02002error while writing to audit trail 问题处理 登录数据库时提示: ERROR: ORA-02002: error while writing to audit trail ORA-00604: error occurred at recursive SQL level 1 ORA-01013: user requested cancel of c
-
Perform a vulnerability audit against the installed packages. yarn audit [--verbose] [--json] Checks for known security issues with the installed packages. The output is a list of known issues. You mu
-
Windows事件日志审计系统,支持以WEB的方式审计日志 Windows事件日志审计系统说明 Windows事件日志审计系统由2部分组成: dumplog,导出windows的事件日志到sqlite3 数据库中,默认文件名为Eventlog.db log_audit_web,查询日志的WEB 如何使用 dumplog dumplog由autoit3编写,需要编译为EXE(有时候编译出来的exe会
-
Open-AudIT 是一个网络审计程序、它基于PHP,bash shell 和VBScript语言。通过它你可以知道网络上有什么,以及网络上的设备配置如何,何时有变更等。 Open-AudiT通过Bash和VBScript收集信息,存储到数据库中,并可以通过网络接口访问。只需要网络服务器(apache和iis已通过测试)、数据库就可以安装。
-
MySQL审计插件,基于mysql 5.5版本开发,并在MySQL 5.5.15、5.5.20上进行测试。实现细粒度审计、实现审计可配置化、实现动态修改审计粒度。 1、细粒度审计 审计插件audit-2.0将审计的粒度细化到具体的命令。 2、审计可配置 为了审计插件的独立性,对审计进行单独配置文件的控制,从而不影响数据库server的配置。 3、动态修改审计配置 审计配置文件修改后,将会重
-
jboss-test-audit 用于 TCK 测试覆盖报告的实用程序类。(Utility classes for TCK Test Coverage Report.)
-
Log4j Audit 提供了一个框架,用于定义审计事件,然后使用 Log4j 记录它们。该框架侧重于定义事件并为应用程序提供记录它们的简单机制,允许产品为记录的事件提供一致性和有效性。它不关注日志事件如何写入数据存储。 Log4j Audit 通过定义自己的 AuditMessage 构建在 Log4j 上。Log4j Audit 要求 Java 8 和 Log4j 2.10.0 或更高版本,并