Skip to content

SimonCropp/AuditNpm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
src
src
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
global.json
global.json
 
 
readme.md
readme.md
 
 

Repository files navigation

AuditNpm

Build status NuGet Status

A .NET global tool that runs npm audit, parses the JSON output, and exits with a non-zero code when vulnerabilities are found at or above a configurable severity threshold.

Install

dotnet tool install -g AuditNpm

Usage

audit-npm [directory] [options]
Option Description
-t, --target-directory Directory containing package.json (default: current directory)
-s, --severity Threshold: critical, high, moderate, low (default: moderate)
-i, --ignore Comma-separated CVE IDs to ignore
-c, --config Config file path (default: audit-npm.config.json in target directory)

Examples

Run against the current directory with default settings:

audit-npm

Run against a specific directory, only failing on high or critical:

audit-npm -t ./my-app -s high

Ignore specific vulnerabilities by CVE ID:

audit-npm -i CVE-2021-23337,CVE-2024-29041

Pass the directory as a positional argument:

audit-npm ./my-app

Config file

Create an audit-npm.config.json in your project directory:

{
  "severity": "moderate",
  "ignore": [
    "CVE-2021-23337"
  ]
}

Ignore entries can also use an object format with an until date. The CVE will be ignored until the specified date, after which it will be reported again:

{
  "ignore": [
    "CVE-2024-29041",
    {
      "id": "CVE-2021-23337",
      "until": "2025-06-01"
    }
  ]
}

When the until date has passed, the tool will log that the ignore has expired and the CVE will no longer be suppressed.

JSON comments and trailing commas are supported.

CLI --severity overrides the config file value. CLI --ignore is additive with the config file list.

Exit codes

Code Meaning
0 No vulnerabilities found above the severity threshold (or all were ignored)
1 One or more unignored vulnerabilities found at or above the threshold

Ignoring vulnerabilities

Use CVE IDs to ignore known vulnerabilities. A vulnerability is only ignored if all of its associated CVE IDs are in the ignore list. If a package has multiple advisories and only some are ignored, it will still be reported.

Building from source

Requires .NET 10 SDK.

dotnet build src --configuration Release
dotnet test --solution src/AuditNpm.slnx

Icon

Audit designed by Muhammad Adam from The Noun Project.

About

A .NET global tool that runs npm audit, parses the JSON output, and exits with a non-zero code when vulnerabilities are found at or above a configurable severity threshold.

Resources

Readme
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages