audit-ci
Audit NPM, Yarn, and PNPM dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advis...
We've recently started using audit-ci in our pipelines. For the tool semgrep that we use, they can output a Gitlab SAST compatible reporting format that GitLab can understand and integrate...
In many cases there's not much that you can do for the vulnerability at the time it is alerted. However, maybe the fix is being worked on but not released....
Usually it is good to let other devs know why something has been ignored. That's why being able to leave notes next to the ignore is important. It might...
To protect against _latest_ version incompatibility and potential supply chain attack (e.g. [codecov](https://blog.sonatype.com/what-you-need-to-know-about-the-codecov-incident-a-supply-chain-attack-gone-undetected-for-2-months)), please recommend pinning to a commit SHA, or at least a release tag. Also, consider packaging this...
Due to: https://github.com/IBM/audit-ci/issues/96

```
Yarn audit report results:
events.js:167
      throw er; // Unhandled 'error' event
      ^
Error: Invalid JSON (Unexpected " " at position 4 in state STOP)
```

(It's...
Hi, first of all thanks for providing and maintaining this package. I've noticed an interesting issue relating to https://github.com/yarnpkg/yarn/issues/7404 When the yarn audit runs out of memory as described in...
`yarn audit` report: [screenshot_2020-02-28_15-06-31] `npx audit-ci -m` report: [screenshot_2020-02-28_15-07-57] The form of table report is more intuitive and clear. I think the `--report-type` option can provide a `table` choice to...
Please tell me if I'm missing something but isn't `npm install --save-dev audit-ci` also an attack vector since it runs `npm install` and installs all packages? Isn't the whole point...
Bumps [undici](https://github.com/nodejs/undici) from 5.19.1 to 5.28.3. Release notes Sourced from undici's releases. v5.28.3 ⚠️ Security Release ⚠️ Fixes: CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch Full Changelog:...