
A wrapper around NPM's built-in audit that adds extra features

Primary language: JavaScript. License: GNU Affero General Public License v3.0 (AGPL-3.0).

NPM Audit+

NPM Audit+ is a wrapper around NPM's built-in audit tool. It adds the following functionality:

  • Ignore particular advisories
  • Specify a project to audit
  • Output audit result as JUnit XML, compatible with many CI systems

Installation

Install globally:

npm install -g npm-audit-plus

or install locally:

npm install npm-audit-plus

Either works!

Usage

npm-audit-plus --ignore=123,456 --xml             # If installed globally
$(npm bin)/npm-audit-plus --ignore=123,456 --xml  # If installed locally

For more documentation on NPM Audit+'s flags, run:

npm-audit-plus --help             # If installed globally
$(npm bin)/npm-audit-plus --help  # If installed locally

Other usage

npx npm-audit-plus --production --xml           # Ignore vulnerabilities in devDependencies
npx npm-audit-plus --auditLevel critical --xml  # Exit non-zero only on high and critical
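To show what the three flags above actually do to an audit report, here is an added illustration written for this README; it is not the npm-audit-plus source and makes no claim about how the project implements them. It assumes the `npm audit --json` report shape used by npm 6 (an `advisories` object keyed by numeric advisory id), which is why `--ignore` takes numeric ids; the sample report, its module names and its URLs are constructed for the example. It filters out ignored advisories, decides the exit code from a severity threshold, and renders what remains as JUnit XML with one failing testcase per advisory so a CI system can list them.

```javascript
// Added example, not npm-audit-plus code. Implements an ignore list, an
// audit-level exit code and JUnit XML output over an npm 6 style
// `npm audit --json` report. The report below is constructed for this demo.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_AUDIT = { // constructed sample, not a real audit
  advisories: {
    '123': { id: 123, module_name: 'example-pad', severity: 'high',
             title: 'Prototype Pollution', url: 'https://example.invalid/advisories/123',
             findings: [{ version: '1.0.0', paths: ['example-pad'] }] },
    '456': { id: 456, module_name: 'example-utils', severity: 'moderate',
             title: 'Regular Expression Denial of Service', url: 'https://example.invalid/advisories/456',
             findings: [{ version: '4.1.0', paths: ['example-utils', 'example-cli>example-utils'] }] },
    '789': { id: 789, module_name: 'example-args', severity: 'critical',
             title: 'Prototype Pollution', url: 'https://example.invalid/advisories/789',
             findings: [{ version: '0.2.0', paths: ['example-cli>example-args'] }] },
  },
};

// "--ignore=123,456" -> Set of integer ids. Non-numeric entries are an error
// so that a typo cannot silently widen the ignore list.
function parseIgnoreList(flagValue) {
  if (!flagValue) return new Set();
  return new Set(flagValue.split(',').map((s) => {
    const id = Number(s.trim());
    if (!Number.isInteger(id)) throw new Error(`bad advisory id: ${s}`);
    return id;
  }));
}

// Advisories that survive the ignore list.
function activeAdvisories(report, ignored) {
  return Object.values(report.advisories || {}).filter((a) => !ignored.has(a.id));
}

// Exit 1 if any remaining advisory is at or above the threshold (default: low,
// i.e. anything at all fails), otherwise 0.
function exitCodeFor(advisories, auditLevel = 'low') {
  const threshold = SEVERITY_RANK[auditLevel];
  if (threshold === undefined) throw new Error(`unknown audit level: ${auditLevel}`);
  return advisories.some((a) => SEVERITY_RANK[a.severity] >= threshold) ? 1 : 0;
}

const XML_ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' };
function escapeXml(s) {
  return String(s).replace(/[<>&"']/g, (c) => XML_ESCAPES[c]);
}

// One <testcase> per advisory, each marked as a failure so CI shows it;
// a single passing case when nothing is left. Ignored advisories are
// reported in the suite's skipped count so they remain visible.
function toJunitXml(advisories, ignoredCount = 0) {
  const cases = advisories.map((a) => {
    const name = escapeXml(`${a.module_name}: ${a.title} (advisory ${a.id})`);
    const paths = a.findings.flatMap((f) => f.paths).join(', ');
    const body = escapeXml(`severity=${a.severity}\n${a.url}\npaths: ${paths}`);
    return `  <testcase classname="npm-audit" name="${name}">\n` +
           `    <failure message="${escapeXml(a.severity)}">${body}</failure>\n` +
           `  </testcase>`;
  });
  if (cases.length === 0) {
    cases.push('  <testcase classname="npm-audit" name="no vulnerabilities found"/>');
  }
  return `<?xml version="1.0" encoding="UTF-8"?>\n` +
         `<testsuite name="npm-audit" tests="${cases.length}" failures="${advisories.length}" skipped="${ignoredCount}">\n` +
         `${cases.join('\n')}\n</testsuite>\n`;
}

// Demo: equivalent of `--ignore=123,456 --auditLevel critical --xml`.
const ignored = parseIgnoreList('123,456');
const remaining = activeAdvisories(SAMPLE_AUDIT, ignored);
console.log(toJunitXml(remaining, ignored.size));
console.log('exit code:', exitCodeFor(remaining, 'critical'));
```

With the sample report, ignoring 123 and 456 leaves only the critical advisory 789, so the exit code is 1 even at `--auditLevel critical`; ignoring 123 and 789 instead leaves one moderate advisory, which passes at `high`. Ignore lists should be reviewed periodically, since an entry that was added to unblock a pipeline keeps suppressing that advisory until someone removes it.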

GitLab example

audit-npm:
  script:
    - npm ci
    - npx npm-audit-plus --xml > npm-audit.junit.xml
  allow_failure: true
  artifacts:
    when: always
    paths:
      - '*.junit.xml'
    reports:
      junit: npm-audit.junit.xml
    expire_in: 1 day