nashaddams/audit

audit


Audit JSR, deno.land, NPM, and ESM packages utilizing the GitHub Advisory Database.

Usage

deno run -A jsr:@nashaddams/audit [--help]

Running this command will print the audit results, create a report in the output directory (.md, .html), and return an exit code indicating whether vulnerabilities have been found and matched (1) or not (0).

Tip

Avoid exceeding GitHub rate limits by creating an access token and passing it via the GITHUB_TOKEN environment variable.

Serving the report

The report subcommand serves the generated audit report:

deno run -A jsr:@nashaddams/audit report

Ignoring vulnerabilities

Vulnerabilities for a specific package can be excluded by adding the package name and CVE ID(s) or GHSA ID(s) to the audit.json configuration file:

{
  "ignore": {
    "@std/bytes": ["CVE-2024-12345"],
    "@std/cli": ["GHSA-1234-fwm1-12wm"]
  }
}

Library usage

Alternatively, audit can also be imported and used as a library function:

import { audit } from "@nashaddams/audit";

audit(options?: AuditOptions);

See the docs for further details.

Collecting licenses

In addition to auditing packages, audit can also collect the licenses of the resolved packages via the licenses subcommand:

deno run -A jsr:@nashaddams/audit licenses [--merge]

Workflow

  • Extract the packages from a given lock file
  • Resolve the corresponding GitHub repositories
    • JSR via api.jsr.io
    • deno.land via cdn.deno.land
    • NPM & ESM via registry.npmjs.org
  • Fetch published vulnerabilities via api.github.com
  • Create a report
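The following is an added example, not code from nashaddams/audit, that walks through the last steps of this workflow on constructed input: extracting packages from a lock file, matching their versions against advisory version ranges, and applying the ignore list from the audit.json format shown above. The lock file is shaped like deno.lock's "specifiers" map and the advisory records are shaped like GitHub Advisory Database entries (ghsa_id, cve_id, vulnerable_version_range); both shapes, the advisory IDs starting with GHSA-0000, and matching by package name rather than by resolved repository are assumptions of this example.

```typescript
// Added example (not part of nashaddams/audit): the match-and-ignore step
// of the audit workflow, run on constructed, self-contained input.

type Pkg = { registry: string; name: string; version: string };

type Advisory = {
  ghsa_id: string;
  cve_id: string | null;
  vulnerabilities: {
    package: { ecosystem: string; name: string };
    vulnerable_version_range: string; // e.g. ">= 1.0.0, < 1.0.3" (assumed format)
  }[];
};

type AuditConfig = { ignore?: Record<string, string[]> };

// Extract resolved packages from a lock file shaped like deno.lock v3's
// "specifiers" map (assumption: values look like "jsr:@std/bytes@1.0.2").
function extractPackages(lockText: string): Pkg[] {
  const lock = JSON.parse(lockText) as { packages?: { specifiers?: Record<string, string> } };
  const pkgs = new Map<string, Pkg>();
  for (const spec of Object.values(lock.packages?.specifiers ?? {})) {
    const m = /^(jsr|npm):(@?[^@]+)@(.+)$/.exec(spec);
    if (!m) continue; // skip specifiers this example does not understand
    pkgs.set(spec, { registry: m[1] ?? "", name: m[2] ?? "", version: m[3] ?? "" });
  }
  return [...pkgs.values()];
}

// Minimal numeric semver comparison; prerelease/build suffixes are dropped
// (a simplification of this example, not of the tool).
function parseVersion(v: string): number[] {
  return (v.replace(/^v/, "").split(/[-+]/)[0] ?? "")
    .split(".")
    .map((n) => Number.parseInt(n, 10) || 0);
}

function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Evaluate a comma-separated range of clauses such as ">= 1.0.0, < 1.0.3";
// every clause must hold for the version to be considered vulnerable.
function versionInRange(version: string, range: string): boolean {
  return range.split(",").every((clause) => {
    const m = /^\s*(>=|<=|>|<|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2] ?? "");
    switch (m[1]) {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case "<": return c < 0;
      default: return c === 0;
    }
  });
}

// An advisory is ignored when audit.json lists its GHSA ID or CVE ID under the package.
function isIgnored(config: AuditConfig, pkgName: string, adv: Advisory): boolean {
  const ids = config.ignore?.[pkgName] ?? [];
  return ids.includes(adv.ghsa_id) || (adv.cve_id !== null && ids.includes(adv.cve_id));
}

// Match every resolved package against every advisory and compute the exit code
// (1 if any non-ignored finding remains, 0 otherwise), as the README describes.
function auditPackages(pkgs: Pkg[], advisories: Advisory[], config: AuditConfig) {
  const findings: { pkg: string; version: string; id: string; range: string }[] = [];
  const ignored: string[] = [];
  for (const pkg of pkgs) {
    for (const adv of advisories) {
      for (const v of adv.vulnerabilities) {
        if (v.package.name !== pkg.name) continue;
        if (!versionInRange(pkg.version, v.vulnerable_version_range)) continue;
        if (isIgnored(config, pkg.name, adv)) {
          ignored.push(`${pkg.name}@${pkg.version}:${adv.ghsa_id}`);
          continue;
        }
        findings.push({ pkg: pkg.name, version: pkg.version, id: adv.ghsa_id, range: v.vulnerable_version_range });
      }
    }
  }
  return { findings, ignored, exitCode: findings.length > 0 ? 1 : 0 };
}

// Constructed sample input (not real data): a lock file, three advisories whose
// GHSA-0000 IDs are placeholders, and the ignore config from the README.
const SAMPLE_LOCK = JSON.stringify({
  version: "3",
  packages: {
    specifiers: {
      "jsr:@std/bytes@^1.0.0": "jsr:@std/bytes@1.0.2",
      "jsr:@std/cli@^1.0.0": "jsr:@std/cli@1.0.5",
      "npm:left-pad@^1.0.0": "npm:left-pad@1.3.0",
    },
  },
});

const SAMPLE_ADVISORIES: Advisory[] = [
  { ghsa_id: "GHSA-0000-0000-0001", cve_id: "CVE-2024-12345",
    vulnerabilities: [{ package: { ecosystem: "jsr", name: "@std/bytes" }, vulnerable_version_range: ">= 1.0.0, < 1.0.3" }] },
  { ghsa_id: "GHSA-1234-fwm1-12wm", cve_id: null,
    vulnerabilities: [{ package: { ecosystem: "jsr", name: "@std/cli" }, vulnerable_version_range: "< 1.0.6" }] },
  { ghsa_id: "GHSA-0000-0000-0003", cve_id: null,
    vulnerabilities: [{ package: { ecosystem: "npm", name: "left-pad" }, vulnerable_version_range: "< 1.4.0" }] },
];

const SAMPLE_CONFIG: AuditConfig = {
  ignore: { "@std/bytes": ["CVE-2024-12345"], "@std/cli": ["GHSA-1234-fwm1-12wm"] },
};

const result = auditPackages(extractPackages(SAMPLE_LOCK), SAMPLE_ADVISORIES, SAMPLE_CONFIG);
console.log(JSON.stringify(result, null, 2));
```

With the sample config, the two @std advisories are suppressed (one by CVE ID, one by GHSA ID) while the left-pad match remains, so the exit code is 1; with an empty config all three matches are reported. The ignore list is keyed by package name and ID, so a new advisory for an ignored package still surfaces.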

Granular run permissions

For convenience, the previous run instructions use the -A permission flag which grants all permissions to audit. Alternatively, granular flags can be passed instead:

Command         Permissions
audit           -RW=.
                -E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,TERM
                -N=api.jsr.io,cdn.deno.land,registry.npmjs.org,api.github.com
audit report    -R=.
                -E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,TERM
                -N=0.0.0.0
audit licenses  -RW=.
                -E=OUTPUT_DIR,CONFIG_FILE,GITHUB_TOKEN,TERM
                -N=api.github.com

Details

Permission  Usage
-R          Read the lock file, audit report, and resolved packages.
-W          Write the audit report, resolved and unresolved packages, and licenses.
-E          Configure audit, make authenticated GitHub API requests, and drive the terminal spinner.
-N          Fetch the package information and GitHub security advisories, and serve the generated audit report.
