6 changes: 6 additions & 0 deletions .github/workflows/build-test-publish.yml
Expand Up @@ -157,6 +157,11 @@ on:
default: false
required: false
type: boolean
npm_audit_severity_threshold:
description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
default: "moderate"
required: false
type: string
trivy_severity:
description: "minimum severity level for trivy (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
default: "MEDIUM,HIGH,CRITICAL"
Expand Down Expand Up @@ -226,6 +231,7 @@ jobs:
runner: ${{ inputs.runner }}
semgrep_rules: ${{ inputs.semgrep_rules }}
npm_audit_omit_dev: ${{ inputs.npm_audit_omit_dev }}
npm_audit_severity_threshold: ${{ inputs.npm_audit_severity_threshold }}
test_and_build:
needs: [lint, security_scan_source]
if: |
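Review bot: `npm_audit_severity_threshold` is declared as an unconstrained `type: string` (L33) while its description promises a fixed vocabulary, and `workflow_call` inputs cannot be declared as an enum, so nothing rejects a typo or an unlisted value before it is forwarded at L41 and reaches the audit command in the callee. How npm treats an unrecognized `--audit-level` value is not visible here — it may fail the step or it may fall back to a different gate — so I would add a short validation step (in `security_scan_source` or the caller) that checks the value against `low|moderate|high|critical` and fails early, and say so in the description: `description: "minimum severity for npm audit to fail; one of low, moderate, high, critical (validated before use)"`. The `inputs:` block under `on:` continues above and below this hunk.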
7 changes: 6 additions & 1 deletion .github/workflows/npm-audit-autofix.yml
Expand Up @@ -19,6 +19,11 @@ on:
default: false
required: false
type: boolean
severity_threshold:
description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
default: "moderate"
required: false
type: string
runner:
description: "workflow runner"
default: "ubuntu-latest"
Expand Down Expand Up @@ -90,7 +95,7 @@ jobs:
if: steps.changes.outputs.has_changes == 'true'
run: |
set +e
npm audit --audit-level=moderate${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
npm audit --audit-level=${{ inputs.severity_threshold }}${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json
AUDIT_EXIT=$?
set -e

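Review bot: `${{ inputs.severity_threshold }}` at L65 is expanded directly into the text of the `run:` script, so whatever string the calling workflow passes is spliced into the command before the shell parses it; the usual hardening is to route the value through `env:` and reference it as a quoted shell variable. I would add to the step `env:` / `  SEVERITY_THRESHOLD: ${{ inputs.severity_threshold }}` and change the command to `npm audit --audit-level="$SEVERITY_THRESHOLD"${{ inputs.omit_dev && ' --omit=dev' || '' }} --json > /tmp/audit-after.json`. The same direct interpolation appears in security-scan-source.yml in the `npm audit` and `yarn audit` steps of this PR. The step's `name`/`id` and the remainder of the script lie outside this hunk.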
11 changes: 8 additions & 3 deletions .github/workflows/security-scan-source.yml
Expand Up @@ -29,6 +29,11 @@ on:
default: false
required: false
type: boolean
npm_audit_severity_threshold:
description: "minimum severity for npm audit to fail (low, moderate, high, critical)"
default: "moderate"
required: false
type: string
outputs:
semgrep_result:
description: "semgrep scan result"
Expand Down Expand Up @@ -163,14 +168,13 @@ jobs:
- name: npm audit
id: npm-audit
if: ${{ inputs.tool == 'npm' }}
run: npm audit --audit-level=moderate${{ inputs.npm_audit_omit_dev && '
--omit=dev' || '' }}
run: npm audit --audit-level=${{ inputs.npm_audit_severity_threshold }}${{ inputs.npm_audit_omit_dev && ' --omit=dev' || '' }}
continue-on-error: false

- name: yarn audit
id: yarn-audit
if: ${{ inputs.tool == 'yarn' }}
run: yarn audit --level moderate
run: yarn audit --level ${{ inputs.npm_audit_severity_threshold }}
continue-on-error: false

- name: upload security scan reports
Expand All @@ -194,3 +198,4 @@ jobs:
root_dir: ${{ inputs.root_dir }}
node_version: "24.15.0"
omit_dev: ${{ inputs.npm_audit_omit_dev }}
severity_threshold: ${{ inputs.npm_audit_severity_threshold }}
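Review bot: `yarn audit --level ${{ inputs.npm_audit_severity_threshold }}` at L97 reuses an input documented as "minimum severity for npm audit to fail", but with Yarn classic `--level` is, as far as I recall, only a filter on what is reported, with the exit status still reflecting every finding — worth verifying against the yarn version this step runs, because if so the threshold does not gate the yarn path at all. If that is confirmed, either document the difference in the input description or derive the step's pass/fail from the filtered audit output rather than the raw exit code. A step-level `env:` for the threshold, as in npm-audit-autofix.yml, would also be preferable to interpolating the input directly at L90 and L97. The surrounding `steps:` list continues outside the hunk.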