nashaddams/audit
audit


A tool for auditing JSR, deno.land, NPM, and ESM packages with Deno utilizing the GitHub Advisory Database and npm audit.

The packages are extracted from a given deno.lock (v4) file.

JSR & deno.land packages

For JSR and deno.land packages, audit tries to infer the corresponding GitHub repository (via api.jsr.io and cdn.deno.land), from which it can then gather the published vulnerabilities (api.github.com).

NPM & ESM packages

NPM and ESM packages are injected into a generated package.json file on which npm audit is executed.
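As an added example (not the project's own code), the two steps described above, extracting the packages from a deno.lock v4 document and assembling the package.json that npm audit is run against, can be implemented like this. The lock layout (version, specifiers, jsr, npm and remote sections), the sample lock, and every function name are assumptions; npm keys that carry a peer-dependency suffix (react-dom@18.2.0_react@18.2.0) and deno.land packages that are listed once per module file are handled.

```typescript
// Added example (not the project's code): extract auditable packages from a
// deno.lock v4 document and build the package.json that `npm audit` reads.
// Assumed lock layout: { version, specifiers, jsr, npm, remote } as written by
// Deno for lock format 4; every helper below is hypothetical.

type Registry = "jsr" | "npm" | "deno.land" | "esm";

export interface Pkg {
  registry: Registry;
  name: string;
  version: string;
}

interface DenoLockV4 {
  version: string;
  jsr?: Record<string, unknown>;   // "@scope/name@1.2.3" -> metadata
  npm?: Record<string, unknown>;   // "name@1.2.3" or "name@1.2.3_peer@2.0.0"
  remote?: Record<string, string>; // module URL -> integrity hash
}

// "@std/path@1.0.8" -> ["@std/path", "1.0.8"]. The search starts at index 1 so
// a scoped name's leading "@" is skipped; a "_peer@version" suffix is dropped.
function splitNameVersion(key: string): [string, string] {
  const at = key.indexOf("@", 1);
  if (at < 1) throw new Error(`unexpected package key: ${key}`);
  const version = key.slice(at + 1).split("_")[0];
  return [key.slice(0, at), version];
}

// https://deno.land/std@0.224.0/path/mod.ts -> std 0.224.0
// https://deno.land/x/oak@v12.6.1/mod.ts    -> oak v12.6.1
function parseDenoLandUrl(url: string): Pkg | null {
  const m = url.match(/^https:\/\/deno\.land\/(?:x\/)?([^/@]+)@([^/]+)(?:\/|$)/);
  return m ? { registry: "deno.land", name: m[1], version: m[2] } : null;
}

// https://esm.sh/preact@10.19.3 or https://esm.sh/@scope/name@1.0.0/sub
function parseEsmUrl(url: string): Pkg | null {
  const m = url.match(/^https:\/\/esm\.sh\/((?:@[^/@]+\/)?[^/@]+)@([^/?]+)/);
  return m ? { registry: "esm", name: m[1], version: m[2] } : null;
}

export function extractPackages(lockText: string): Pkg[] {
  const lock = JSON.parse(lockText) as DenoLockV4;
  if (lock.version !== "4") {
    throw new Error(`unsupported deno.lock version: ${lock.version}`);
  }
  const pkgs: Pkg[] = [];
  for (const key of Object.keys(lock.jsr ?? {})) {
    const [name, version] = splitNameVersion(key);
    pkgs.push({ registry: "jsr", name, version });
  }
  for (const key of Object.keys(lock.npm ?? {})) {
    const [name, version] = splitNameVersion(key);
    pkgs.push({ registry: "npm", name, version });
  }
  // Remote modules are listed per file, so one package can appear many times.
  for (const url of Object.keys(lock.remote ?? {})) {
    const p = parseDenoLandUrl(url) ?? parseEsmUrl(url);
    if (p) pkgs.push(p);
  }
  const seen = new Set<string>();
  return pkgs.filter((p) => {
    const id = `${p.registry}:${p.name}@${p.version}`;
    if (seen.has(id)) return false;
    seen.add(id);
    return true;
  });
}

// npm and esm.sh packages go into a throwaway package.json, pinned to the
// exact locked version, so that `npm audit` can look up advisories for them.
export function buildPackageJson(pkgs: Pkg[]): string {
  const dependencies: Record<string, string> = {};
  for (const p of pkgs) {
    if (p.registry === "npm" || p.registry === "esm") {
      dependencies[p.name] = p.version;
    }
  }
  return JSON.stringify(
    { name: "audit-scratch", version: "0.0.0", private: true, dependencies },
    null,
    2,
  );
}

// Constructed sample lock (integrity values are placeholders, not real hashes).
export const SAMPLE_LOCK = JSON.stringify({
  version: "4",
  specifiers: { "jsr:@std/path@^1.0.0": "1.0.8", "npm:chalk@^5": "5.3.0" },
  jsr: { "@std/path@1.0.8": { integrity: "sha256-constructed" } },
  npm: {
    "chalk@5.3.0": { integrity: "sha512-constructed" },
    "react-dom@18.2.0_react@18.2.0": { integrity: "sha512-constructed" },
    "react@18.2.0": { integrity: "sha512-constructed" },
  },
  remote: {
    "https://deno.land/std@0.224.0/path/mod.ts": "sha256-constructed",
    "https://deno.land/std@0.224.0/path/join.ts": "sha256-constructed",
    "https://deno.land/x/oak@v12.6.1/mod.ts": "sha256-constructed",
    "https://esm.sh/preact@10.19.3": "sha256-constructed",
  },
});
```

Running extractPackages(SAMPLE_LOCK) yields seven packages (one jsr, three npm, two deno.land, one esm.sh), and buildPackageJson pins the four npm/esm ones, which is the input npm audit needs; jsr and deno.land packages are left for the GitHub advisory path.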

Usage

Via deno run

deno run -A jsr:@nashaddams/audit [--help]

Running this command will print the audit results to the console, create a report in the output directory, and return an exit code indicating whether vulnerabilities were found (1) or not (0).

Via import

Alternatively, audit can also be imported and used as a library function:

import { audit, runAudit } from "@nashaddams/audit";

// `audit` takes an optional `AuditOptions` object (see the docs for its fields).
audit();

// `runAudit` is the CLI wrapper for `audit`.
runAudit();

See the docs for further details.

HTML report

The report subcommand serves the generated audit report:

deno run -A jsr:@nashaddams/audit report

Ignoring packages

Packages can be excluded from the audit by passing the package names to the -i, --ignore flag (comma-separated list), or by adding them to an .auditignore file (one package name per line).
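As an added example (not the project's own code), here is how the ignore list described above can be combined with the exit-code rule from the "Via deno run" section: the ignore set is built from the -i, --ignore value and an .auditignore file, applied to the findings, and the exit code is 1 when any finding remains and 0 otherwise. The npm audit --json shape used for the sample findings (auditReportVersion 2, a vulnerabilities map whose via array mixes advisory objects with the names of other vulnerable packages) is an assumption, and all function names and sample data are hypothetical.

```typescript
// Added example (not the project's code): ignore handling and exit code.
// The `npm audit --json` layout below is assumed; the sample report is constructed.

export interface Finding {
  pkg: string;
  severity: string;
  title: string;
}

// `-i a,b` is a comma-separated list; .auditignore holds one name per line.
// Entries are trimmed and blank ones dropped, so trailing newlines are harmless.
export function parseIgnoreList(
  flagValue: string | undefined,
  auditignoreText: string | undefined,
): Set<string> {
  const names = new Set<string>();
  for (const raw of (flagValue ?? "").split(",")) {
    const name = raw.trim();
    if (name) names.add(name);
  }
  for (const raw of (auditignoreText ?? "").split(/\r?\n/)) {
    const name = raw.trim();
    if (name) names.add(name);
  }
  return names;
}

interface NpmVia {
  title?: string;
  url?: string;
  severity?: string;
}

interface NpmAuditReport {
  auditReportVersion?: number;
  vulnerabilities?: Record<
    string,
    { name: string; severity: string; via: Array<string | NpmVia> }
  >;
}

// A string in `via` means "vulnerable only through that other package"; the
// other package's own entry carries the advisory, so only objects become findings.
export function findingsFromNpmAudit(json: string): Finding[] {
  const report = JSON.parse(json) as NpmAuditReport;
  const findings: Finding[] = [];
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    for (const via of v.via) {
      if (typeof via === "string") continue;
      findings.push({
        pkg: v.name,
        severity: via.severity ?? v.severity,
        title: via.title ?? "(untitled advisory)",
      });
    }
  }
  return findings;
}

export function applyIgnores(findings: Finding[], ignore: Set<string>): Finding[] {
  return findings.filter((f) => !ignore.has(f.pkg));
}

// Exit code as the README describes: 1 if vulnerabilities remain, else 0.
export function exitCodeFor(findings: Finding[]): 0 | 1 {
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample in the assumed `npm audit --json` shape.
export const SAMPLE_NPM_AUDIT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash",
      severity: "high",
      via: [{ title: "Prototype pollution (constructed sample)", severity: "high" }],
    },
    "some-lib": { name: "some-lib", severity: "high", via: ["lodash"] },
    minimist: {
      name: "minimist",
      severity: "moderate",
      via: [{ title: "Constructed sample advisory", severity: "moderate" }],
    },
  },
});

// End to end over the sample: returns the packages still reported and the exit code.
export function runSample(
  flagValue: string | undefined,
  auditignore: string | undefined,
): { remaining: string[]; exitCode: 0 | 1 } {
  const ignore = parseIgnoreList(flagValue, auditignore);
  const remaining = applyIgnores(findingsFromNpmAudit(SAMPLE_NPM_AUDIT), ignore);
  return { remaining: remaining.map((f) => f.pkg), exitCode: exitCodeFor(remaining) };
}
```

With the sample, ignoring only lodash via -i lodash still leaves minimist and exits 1; an .auditignore listing both names exits 0. Note that an ignore entry silences every advisory for that package name, so the list deserves the same review as any other allow-list.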

Granular run permissions

For convenience, the run instructions above use the -A flag, which grants audit all permissions. Granular flags can be passed instead:

Command         Permissions
audit           -RW=.
                -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM
                -N=api.jsr.io,cdn.deno.land,api.github.com
                --allow-run=npm
audit report    -R=.
                -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM
                -N=0.0.0.0
audit --help    -R=.
                -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM
Details

Permission                                    Usage
-R=.                                          Read the lock file and the report.
-W=.                                          Write the package.json and the report.
-E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM     Used for authenticated GitHub API requests and the npm audit subcommand.
-N=api.jsr.io,cdn.deno.land,api.github.com    Fetch the JSR and deno.land package information, and GitHub security advisories.
-N=0.0.0.0                                    Serve the generated audit report.
--allow-run=npm                               Run npm install and npm audit.