From 0b0cf0f09eca88dbb51d53a9f687103d496bb486 Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 23 Apr 2026 21:50:29 +0200
Subject: [PATCH 1/2] feat(security): add npm_audit_severity_threshold input (default: moderate)

Allows callers to set the minimum severity level for npm/yarn audit failures. Both the regular audit check and the verify-after-fix step use the threshold.

---
 .github/workflows/npm-audit-autofix.yml | 7 ++++++-
 .github/workflows/security-scan-source.yml | 11 ++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/npm-audit-autofix.yml b/.github/workflows/npm-audit-autofix.yml
index 87f7179..70b1252 100644
--- a/.github/workflows/npm-audit-autofix.yml
+++ b/.github/workflows/npm-audit-autofix.yml
@@ -19,6 +19,11 @@ on:
 default: false
 required: false
 type: boolean
+ severity_threshold:
+ description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+ default: "moderate"
+ required: false
+ type: string
 runner:
 description: "workflow runner"
 default: "ubuntu-latest"
@@ -90,7 +95,7 @@ jobs:
 if: steps.changes.outputs.has_changes == 'true'
 run: |
 set +e
- npm audit --audit-level=moderate${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
+ npm audit --audit-level=${{ inputs.severity_threshold }}${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
 AUDIT_EXIT=$?
 set -e
diff --git a/.github/workflows/security-scan-source.yml b/.github/workflows/security-scan-source.yml
index f85a62b..b62e82b 100644
--- a/.github/workflows/security-scan-source.yml
+++ b/.github/workflows/security-scan-source.yml
@@ -29,6 +29,11 @@ on:
 default: false
 required: false
 type: boolean
+ npm_audit_severity_threshold:
+ description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+ default: "moderate"
+ required: false
+ type: string
 outputs:
 semgrep_result:
 description: "semgrep scan result"
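Review bot: The `+` line in the `@@ -90,7 +95,7 @@` hunk splices `${{ inputs.severity_threshold }}` straight into the shell text of `run: |`, so whatever string the caller passes is expanded by the runner before bash parses it; the input is declared `type: string` with no enforced allow-list, since `workflow_call` inputs have no `choice` type. Callers of a reusable workflow are normally trusted, but if a caller forwards a `workflow_dispatch` input or event data into this field the expression becomes a command-injection point, and even a typo such as `moderate;` fails in a confusing way rather than with a clear message. Passing the value through `env:` and validating it against the four values the description lists keeps the shell from ever interpreting it. The step's `name:` line is outside the hunk, so the `env:` block below is placed before `run: |` by position only.
```yaml
        env:
          SEVERITY: ${{ inputs.severity_threshold }}
        run: |
          case "$SEVERITY" in
            low|moderate|high|critical) ;;
            *) echo "::error::unsupported severity_threshold '$SEVERITY'"; exit 1 ;;
          esac
          set +e
          npm audit --audit-level="$SEVERITY"${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
          # … unchanged: AUDIT_EXIT capture, set -e …
```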
@@ -163,14 +168,13 @@ jobs:
 - name: npm audit
 id: npm-audit
 if: ${{ inputs.tool == 'npm' }}
- run: npm audit --audit-level=moderate${{ inputs.npm_audit_omit_dev && '
- --omit=dev' || '' }}
+ run: npm audit --audit-level=${{ inputs.npm_audit_severity_threshold }}${{ inputs.npm_audit_omit_dev && ' --omit=dev' || '' }}
 continue-on-error: false
 - name: yarn audit
 id: yarn-audit
 if: ${{ inputs.tool == 'yarn' }}
- run: yarn audit --level moderate
+ run: yarn audit --level ${{ inputs.npm_audit_severity_threshold }}
 continue-on-error: false
 - name: upload security scan reports
@@ -194,3 +198,4 @@ jobs:
 root_dir: ${{ inputs.root_dir }}
 node_version: "24.15.0"
 omit_dev: ${{ inputs.npm_audit_omit_dev }}
+ severity_threshold: ${{ inputs.npm_audit_severity_threshold }}

From 9b04acf9a22281bee1c4c30c0ae52069349bdf45 Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 23 Apr 2026 21:51:42 +0200
Subject: [PATCH 2/2] feat(orchestrator): pass npm_audit_severity_threshold through build-test-publish

---
 .github/workflows/build-test-publish.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
index 4a5dece..ca398e1 100755
--- a/.github/workflows/build-test-publish.yml
+++ b/.github/workflows/build-test-publish.yml
@@ -157,6 +157,11 @@ on:
 default: false
 required: false
 type: boolean
+ npm_audit_severity_threshold:
+ description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
+ default: "moderate"
+ required: false
+ type: string
 trivy_severity:
 description: "minimum severity level for trivy (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
 default: "MEDIUM,HIGH,CRITICAL"
@@ -226,6 +231,7 @@ jobs:
 runner: ${{ inputs.runner }}
 semgrep_rules: ${{ inputs.semgrep_rules }}
 npm_audit_omit_dev: ${{ inputs.npm_audit_omit_dev }}
+ npm_audit_severity_threshold: ${{ inputs.npm_audit_severity_threshold }}
 test_and_build:
 needs: [lint, security_scan_source]
 if: |
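Review bot: On the `+ run: yarn audit --level ${{ inputs.npm_audit_severity_threshold }}` line in the `@@ -163,14 +168,13 @@` hunk the threshold is unlikely to do what the input description promises: per the Yarn 1 documentation, `--level` only filters which advisories are printed, while the exit code is a mask of every severity found, so with `continue-on-error: false` the step still fails on a single low-severity finding whatever value is passed (Yarn 2+ uses a different command, `yarn npm audit --severity`, and the hunk does not show which Yarn version is installed). If the threshold is meant to gate the job for yarn too, the step needs to evaluate `yarn audit --json` output itself, or the input description should state that it only affects npm. Separately, both new `run:` lines interpolate the string input directly into the shell command; move it to `env:` and quote it, e.g. `NPM_AUDIT_LEVEL: ${{ inputs.npm_audit_severity_threshold }}` under `env:` and `run: npm audit --audit-level="$NPM_AUDIT_LEVEL"${{ inputs.npm_audit_omit_dev && ' --omit=dev' || '' }}`, so a caller-supplied value cannot be parsed as shell syntax.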