filter vulnerabilities by audit_level (#55)

* filter vulnerabilities by audit_level

* update README.md

* fix test cases

* restrict audit_level value

* update dist/index.js

README.md

@@ -22,6 +22,7 @@ If vulnerabilities are found by `npm audit`, Action triggered by push, schedule
 
 |Parameter|Required|Default Value|Description|
 |:--:|:--:|:--:|:--|
+|audit_level|false|low|The value of `--audit-level` flag|
 |issue_assignees|false|N/A|Issue assignees (separated by commma)|
 |issue_labels|false|N/A|Issue labels (separated by commma)|
 |issue_title|false|npm audit found vulnerabilities|Issue title|
@@ -56,6 +57,7 @@ jobs:
         run: npm ci
       - uses: oke-py/npm-audit-action@v1.2.0
         with:
+          audit_level: moderate
           github_token: ${{ secrets.GITHUB_TOKEN }}
           issue_assignees: oke-py
           issue_labels: vulnerability,test

__tests__/audit.test.ts

@@ -30,7 +30,7 @@ describe('run', () => {
       }
     })
 
-    audit.run()
+    audit.run('low')
     expect(audit.foundVulnerability()).toBeTruthy()
   })
 
@@ -51,7 +51,7 @@ describe('run', () => {
       }
     })
 
-    audit.run()
+    audit.run('low')
     expect(audit.foundVulnerability()).toBeFalsy()
   })
 
@@ -69,7 +69,7 @@ describe('run', () => {
     })
 
     expect.assertions(1)
-    const r = audit.run()
+    const r = audit.run('low')
     const e = new Error('Something is wrong')
     await expect(r).rejects.toEqual(e)
   })
@@ -88,7 +88,7 @@ describe('run', () => {
     })
 
     expect.assertions(1)
-    const r = audit.run()
+    const r = audit.run('low')
     const e = new Error('the subprocess terminated due to a signal.')
     await expect(r).rejects.toEqual(e)
   })
@@ -107,7 +107,7 @@ describe('run', () => {
     })
 
     expect.assertions(1)
-    const r = audit.run()
+    const r = audit.run('low')
     const e = new Error('Something is wrong')
     await expect(r).rejects.toEqual(e)
   })

__tests__/main.test.ts

@@ -14,6 +14,7 @@ describe('run', () => {
     mocked(Audit).mockClear()
     mocked(pr).createComment.mockClear()
 
+    process.env.INPUT_AUDIT_LEVEL = 'low'
     process.env.INPUT_GITHUB_CONTEXT =
       '{ "event_name": "pull_request", "event": { "number": 100} }'
     process.env.INPUT_GITHUB_TOKEN = '***'
@@ -27,7 +28,7 @@ describe('run', () => {
           path.join(__dirname, 'testdata/audit/success.txt')
         ),
         status: 0,
-        run: (): Promise<void> => {
+        run: (auditLevel: string): Promise<void> => {
           return Promise.resolve(void 0)
         },
         foundVulnerability: (): boolean => {
@@ -60,7 +61,7 @@ describe('run', () => {
           path.join(__dirname, 'testdata/audit/error.txt')
         ),
         status: 1,
-        run: (): Promise<void> => {
+        run: (auditLevel: string): Promise<void> => {
           return Promise.resolve(void 0)
         },
         foundVulnerability: (): boolean => {

action.yml

@@ -2,6 +2,10 @@ name: 'npm audit action'
 description: 'run npm audit'
 author: 'Naoki Oketani <okepy.naoki@gmail.com>'
 inputs:
+  audit_level:
+    description: 'The value of `--audit-level` flag'
+    default: low
+    required: false
   github_context:
     description: 'The `github` context'
     default: ${{ toJson(github) }}

dist/index.js

@@ -1120,10 +1120,10 @@ class Audit {
         this.stdout = '';
         this.status = null;
     }
-    run() {
+    run(auditLevel) {
         return __awaiter(this, void 0, void 0, function* () {
             try {
-                const result = child_process_1.spawnSync('npm', ['audit'], {
+                const result = child_process_1.spawnSync('npm', ['audit', '--audit-level', auditLevel], {
                     encoding: 'utf-8'
                 });
                 if (result.error) {
@@ -3053,9 +3053,14 @@ const pr = __importStar(__webpack_require__(665));
 function run() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
+            // get audit-level
+            const auditLevel = core.getInput('audit_level', { required: true });
+            if (!['critical', 'high', 'moderate', 'low'].includes(auditLevel)) {
+                throw new Error('Invalid input: audit_level');
+            }
             // run `npm audit`
             const audit = new audit_1.Audit();
-            audit.run();
+            audit.run(auditLevel);
             core.info(audit.stdout);
             if (audit.foundVulnerability()) {
                 // vulnerabilities are found

package.json

@@ -1,6 +1,6 @@
 {
   "name": "npm-audit-action",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "private": true,
   "description": "GitHub Action to run `npm audit`",
   "main": "lib/main.js",

src/audit.ts

@@ -5,11 +5,15 @@ export class Audit {
   stdout = ''
   private status: number | null = null
 
-  public async run(): Promise<void> {
+  public async run(auditLevel: string): Promise<void> {
     try {
-      const result: SpawnSyncReturns<string> = spawnSync('npm', ['audit'], {
-        encoding: 'utf-8'
-      })
+      const result: SpawnSyncReturns<string> = spawnSync(
+        'npm',
+        ['audit', '--audit-level', auditLevel],
+        {
+          encoding: 'utf-8'
+        }
+      )
 
       if (result.error) {
         throw result.error

src/main.ts

@@ -8,9 +8,15 @@ import * as pr from './pr'
 
 export async function run(): Promise<void> {
   try {
+    // get audit-level
+    const auditLevel = core.getInput('audit_level', {required: true})
+    if (!['critical', 'high', 'moderate', 'low'].includes(auditLevel)) {
+      throw new Error('Invalid input: audit_level')
+    }
+
     // run `npm audit`
     const audit = new Audit()
-    audit.run()
+    audit.run(auditLevel)
     core.info(audit.stdout)
 
     if (audit.foundVulnerability()) {