Bitbucket Pipelines added reports as a feature in pull requests.
With this module, you can get the results of `npm audit` as a report, with zero configuration, using `npx`:

```yaml
pipelines:
  my-pipeline:
    - step:
        script:
          - npx bpr-npm-audit
```
Have a look at this example pull request, which generates a report like this:
This module has zero dependencies (outside of Node.js), and is simple enough to audit yourself.
If you are very paranoid, I recommend forking this repository, auditing the forked code, and then using `npx` pointed at your fork:

```yaml
pipelines:
  my-pipeline:
    - step:
        script:
          - npx username/bpr-npm-audit
```

(Where `username` is your GitHub username.)
Parameters are passed in as environment variables. For example:

```yaml
pipelines:
  my-pipeline:
    - step:
        script:
          - BPR_NAME="My Report" BPR_ID="myid" BPR_LEVEL="low" BPR_MAX_BUFFER_SIZE="20971520" npx bpr-npm-audit
```
Configure by setting the environment variable `BPR_PROXY` to one of these options:

- `local` (the default): used in normal Pipelines.
- `pipe`: used in custom pipes.
Configure by setting the environment variable `BPR_NAME`.
Default: `Security: npm audit`

Configure by setting the environment variable `BPR_ID`.
Default: `npmaudit`
Configure by setting the environment variable `BPR_LEVEL` to one of these options:

- `low`
- `moderate`
- `high` (the default)
- `critical`

If there are any vulnerabilities at that level or higher, the report will be marked as failed.
Configure by setting the environment variable `BPR_LOG` to any of the `BPR_LEVEL` values.
If this is not set, all audit log entries will be included in the Pipeline Report.
Setting this property limits the Report to audit log entries at this level or higher. Note that `BPR_LOG` only filters what is displayed; the pass/fail decision is still made by `BPR_LEVEL`, so a `BPR_LOG` above `BPR_LEVEL` can hide the very entries that failed the report.
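The following is an added example, not code from bpr-npm-audit, showing how a `BPR_LEVEL` fail threshold and a `BPR_LOG` display filter can be applied to `npm audit --json` output. It assumes the npm 7+ JSON shape (a top-level `vulnerabilities` object keyed by package name, each entry carrying a `severity`), with a fallback for the npm 6 shape (`advisories` keyed by advisory id, with `module_name` and `severity`); the sample documents are constructed, and the function names are this example's own.

```javascript
// Added example, not code from bpr-npm-audit: apply a BPR_LEVEL fail threshold
// and a BPR_LOG display filter to `npm audit --json` output.
// Assumed JSON shapes: npm 7+ ("vulnerabilities" keyed by package name) and
// npm 6 ("advisories" keyed by advisory id). Function names are this example's own.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Position in the severity ladder. Unknown values are rejected rather than
// treated as "low", so a typo in BPR_LEVEL cannot silently disable the gate.
function rank(severity) {
  const i = SEVERITIES.indexOf(severity);
  if (i === -1) throw new Error(`unknown severity: ${severity}`);
  return i;
}

// Flatten either audit format into [{ name, severity }].
function extractFindings(audit) {
  if (audit.vulnerabilities) {
    return Object.values(audit.vulnerabilities)
      .map(v => ({ name: v.name, severity: v.severity }));
  }
  if (audit.advisories) {
    return Object.values(audit.advisories)
      .map(a => ({ name: a.module_name, severity: a.severity }));
  }
  return [];
}

// env mirrors the documented variables: BPR_LEVEL (default "high") decides
// pass/fail; BPR_LOG, when set, drops findings below that level from the report.
function evaluateAudit(audit, env = {}) {
  const failAt = rank(env.BPR_LEVEL || 'high');
  const logAt = env.BPR_LOG ? rank(env.BPR_LOG) : 0;
  const findings = extractFindings(audit);
  const failing = findings.filter(f => rank(f.severity) >= failAt);
  const reported = findings.filter(f => rank(f.severity) >= logAt);
  return { failed: failing.length > 0, failing, reported };
}

// Constructed sample in the npm 7+ shape; not real audit output.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'sample-low':      { name: 'sample-low',      severity: 'low',      isDirect: false, range: '<1.0.1', fixAvailable: true },
    'sample-moderate': { name: 'sample-moderate', severity: 'moderate', isDirect: true,  range: '<2.3.0', fixAvailable: true },
    'sample-high':     { name: 'sample-high',     severity: 'high',     isDirect: false, range: '<0.9.2', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

// Constructed sample in the npm 6 shape, exercising the fallback path.
const SAMPLE_AUDIT_NPM6 = {
  advisories: {
    1001: { id: 1001, module_name: 'sample-high', severity: 'high', title: 'Constructed advisory' },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 } },
};

const verdict = evaluateAudit(SAMPLE_AUDIT, { BPR_LEVEL: 'high', BPR_LOG: 'moderate' });
console.log(verdict.failed ? 'FAILED' : 'PASSED',
  '| failing:', verdict.failing.map(f => f.name).join(', '),
  '| reported:', verdict.reported.map(f => f.name).join(', '));
```

With the defaults (`BPR_LEVEL=high`, no `BPR_LOG`) the constructed sample fails on `sample-high` while all three findings are listed; with `BPR_LEVEL=critical` it passes, and `BPR_LOG=moderate` drops `sample-low` from the listing.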
Configure by setting the environment variable `BPR_MAX_BUFFER_SIZE` to the desired value in bytes.
Default: `10485760` (10 MB)

The value shouldn't be changed unless you run into problems with `npm audit` output being too large to handle. Output larger than this buffer is truncated, and parsing the truncated JSON then fails, usually signalled by an `Unexpected end of JSON input` error.
This project is published and released under the Very Open License.
(Made with ❤️ by Tobias Davis.)