diff --git a/README.md b/README.md
index eb9ad01..04bb65c 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ If vulnerabilities are found by `npm audit`, Action triggered by push, schedule
 |Parameter|Required|Default Value|Description|
 |:--:|:--:|:--:|:--|
+|audit_level|false|low|The value of `--audit-level` flag|
 |issue_assignees|false|N/A|Issue assignees (separated by commma)|
 |issue_labels|false|N/A|Issue labels (separated by commma)|
 |issue_title|false|npm audit found vulnerabilities|Issue title|
@@ -56,6 +57,7 @@ jobs:
 run: npm ci
 - uses: oke-py/npm-audit-action@v1.2.0
 with:
+ audit_level: moderate
 github_token: ${{ secrets.GITHUB_TOKEN }}
 issue_assignees: oke-py
 issue_labels: vulnerability,test
diff --git a/__tests__/audit.test.ts b/__tests__/audit.test.ts
index 9af3020..e1e5b05 100644
--- a/__tests__/audit.test.ts
+++ b/__tests__/audit.test.ts
@@ -30,7 +30,7 @@ describe('run', () => {
 }
 })
- audit.run()
+ audit.run('low')
 expect(audit.foundVulnerability()).toBeTruthy()
 })
@@ -51,7 +51,7 @@ describe('run', () => {
 }
 })
- audit.run()
+ audit.run('low')
 expect(audit.foundVulnerability()).toBeFalsy()
 })
@@ -69,7 +69,7 @@ describe('run', () => {
 })
 expect.assertions(1)
- const r = audit.run()
+ const r = audit.run('low')
 const e = new Error('Something is wrong')
 await expect(r).rejects.toEqual(e)
 })
@@ -88,7 +88,7 @@ describe('run', () => {
 })
 expect.assertions(1)
- const r = audit.run()
+ const r = audit.run('low')
 const e = new Error('the subprocess terminated due to a signal.')
 await expect(r).rejects.toEqual(e)
 })
@@ -107,7 +107,7 @@ describe('run', () => {
 })
 expect.assertions(1)
- const r = audit.run()
+ const r = audit.run('low')
 const e = new Error('Something is wrong')
 await expect(r).rejects.toEqual(e)
 })
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
index 1a2b03f..5adc670 100644
--- a/__tests__/main.test.ts
+++ b/__tests__/main.test.ts
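Review bot: None of the five updated calls in __tests__/audit.test.ts checks that the level actually reaches the child process; the hunks at -30, -51, -69, -88 and -107 only swap `audit.run()` for `audit.run('low')` and keep the existing assertion on foundVulnerability() or on the rejection. If spawnSync is stubbed in the setup that precedes each hunk, one of the success-path cases should also assert on the stub's arguments, e.g. `expect(spawnSync).toHaveBeenCalledWith('npm', ['audit', '--audit-level', 'low'], expect.anything())`, so that dropping the flag would be caught. The describe block and the mock setup start outside these hunks.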
@@ -14,6 +14,7 @@ describe('run', () => {
 mocked(Audit).mockClear()
 mocked(pr).createComment.mockClear()
+ process.env.INPUT_AUDIT_LEVEL = 'low'
 process.env.INPUT_GITHUB_CONTEXT = '{ "event_name": "pull_request", "event": { "number": 100} }'
 process.env.INPUT_GITHUB_TOKEN = '***'
@@ -27,7 +28,7 @@ describe('run', () => {
 path.join(__dirname, 'testdata/audit/success.txt')
 ),
 status: 0,
- run: (): Promise => {
+ run: (auditLevel: string): Promise => {
 return Promise.resolve(void 0)
 },
 foundVulnerability: (): boolean => {
@@ -60,7 +61,7 @@ describe('run', () => {
 path.join(__dirname, 'testdata/audit/error.txt')
 ),
 status: 1,
- run: (): Promise => {
+ run: (auditLevel: string): Promise => {
 return Promise.resolve(void 0)
 },
 foundVulnerability: (): boolean => {
diff --git a/action.yml b/action.yml
index c9b3257..e521955 100644
--- a/action.yml
+++ b/action.yml
@@ -2,6 +2,10 @@ name: 'npm audit action'
 description: 'run npm audit'
 author: 'Naoki Oketani '
 inputs:
+ audit_level:
+ description: 'The value of `--audit-level` flag'
+ default: low
+ required: false
 github_context:
 description: 'The `github` context'
 default: ${{ toJson(github) }}
diff --git a/dist/index.js b/dist/index.js
index a9ff467..228a0e0 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -1120,10 +1120,10 @@ class Audit {
 this.stdout = '';
 this.status = null;
 }
- run() {
+ run(auditLevel) {
 return __awaiter(this, void 0, void 0, function* () {
 try {
- const result = child_process_1.spawnSync('npm', ['audit'], {
+ const result = child_process_1.spawnSync('npm', ['audit', '--audit-level', auditLevel], {
 encoding: 'utf-8'
 });
 if (result.error) {
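Review bot: The new allow-list check in src/main.ts has no negative test; the -14 hunk only sets `process.env.INPUT_AUDIT_LEVEL = 'low'` in the shared setup, so both existing cases stay on the accepted path and the `Invalid input: audit_level` branch is never executed. Add a case that sets `process.env.INPUT_AUDIT_LEVEL = 'bogus'` (any value outside the four accepted ones), runs run(), and asserts `expect(Audit).not.toHaveBeenCalled()` together with the same failure assertion the existing error case uses. In the -27 and -60 hunks the mock's new `auditLevel` parameter is never read; naming it `_auditLevel`, or leaving it out since the mock ignores it, avoids an unused-parameter lint finding. The setup block and the test bodies extend beyond these hunks.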
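Review bot: The new input's metadata does not say which values are accepted, while src/main.ts rejects anything outside critical/high/moderate/low with `Invalid input: audit_level`, so a typo only surfaces as a failed job. `description: 'Value passed to --audit-level (one of critical, high, moderate, low)'` would state the contract where the user reads it. The metadata also declares `required: false` with `default: low`, whereas main.ts reads the input with `required: true`; the default keeps that consistent in practice, but aligning the two flags would make the intent explicit.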
@@ -3053,9 +3053,14 @@ const pr = __importStar(__webpack_require__(665));
 function run() {
 return __awaiter(this, void 0, void 0, function* () {
 try {
+ // get audit-level
+ const auditLevel = core.getInput('audit_level', { required: true });
+ if (!['critical', 'high', 'moderate', 'low'].includes(auditLevel)) {
+ throw new Error('Invalid input: audit_level');
+ }
 // run `npm audit`
 const audit = new audit_1.Audit();
- audit.run();
+ audit.run(auditLevel);
 core.info(audit.stdout);
 if (audit.foundVulnerability()) {
 // vulnerabilities are found
diff --git a/package.json b/package.json
index 3062fda..3b8d4eb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "npm-audit-action",
- "version": "1.2.0",
+ "version": "1.3.0",
 "private": true,
 "description": "GitHub Action to run `npm audit`",
 "main": "lib/main.js",
diff --git a/src/audit.ts b/src/audit.ts
index f29c3a0..5a61a58 100644
--- a/src/audit.ts
+++ b/src/audit.ts
@@ -5,11 +5,15 @@ export class Audit {
 stdout = ''
 private status: number | null = null
- public async run(): Promise {
+ public async run(auditLevel: string): Promise {
 try {
- const result: SpawnSyncReturns = spawnSync('npm', ['audit'], {
- encoding: 'utf-8'
- })
+ const result: SpawnSyncReturns = spawnSync(
+ 'npm',
+ ['audit', '--audit-level', auditLevel],
+ {
+ encoding: 'utf-8'
+ }
+ )
 if (result.error) {
 throw result.error
diff --git a/src/main.ts b/src/main.ts
index be39e70..3bd2c80 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -8,9 +8,15 @@ import * as pr from './pr'
 export async function run(): Promise {
 try {
+ // get audit-level
+ const auditLevel = core.getInput('audit_level', {required: true})
+ if (!['critical', 'high', 'moderate', 'low'].includes(auditLevel)) {
+ throw new Error('Invalid input: audit_level')
+ }
+
 // run `npm audit`
 const audit = new Audit()
- audit.run()
+ audit.run(auditLevel)
 core.info(audit.stdout)
 if (audit.foundVulnerability()) {
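Review bot: `run(auditLevel: string)` in src/audit.ts accepts any string even though src/main.ts only ever passes one of four literals, so the allow-list lives solely in the caller and a second caller could bypass it. A literal union at the boundary puts the contract in the signature: `type AuditLevel = 'critical' | 'high' | 'moderate' | 'low'` and `public async run(auditLevel: AuditLevel): Promise<void>` (the doubles in __tests__/main.test.ts would take the same type). Passing the level as its own argv element with no `shell` option is the right shape, since it is what keeps the value from being interpreted by a shell; a short TSDoc on run() stating its purpose, the auditLevel parameter, and that it rejects when the child process fails would make that intent visible. The try block continues past the end of the hunk.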
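Review bot: `audit.run(auditLevel)` in src/main.ts is not awaited although Audit.run is declared `async` in src/audit.ts, so a rejection from it (the paths __tests__/audit.test.ts asserts on with `rejects.toEqual`) escapes the surrounding try/catch as an unhandled rejection instead of being reported by the catch; because spawnSync is synchronous the work itself still completes before `core.info(audit.stdout)`, but the failure is lost. Change the line to `await audit.run(auditLevel)`. The allow-list check on the lines above is the right guard for a value that ends up in a child-process argument list; hoisting the four literals into one shared constant would keep this check and the run() signature from drifting apart. The same un-awaited call appears in the generated dist/index.js hunk (-3053), which is rebuilt from this file; the catch of run() lies outside the hunk.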