@efuture/bpr-npm-audit

1.5.0 • Public • Published

bpr-npm-audit

Bitbucket Pipelines added reports as a feature in pull requests.

With this module, you can get the results of npm audit as a report, with zero configuration, using npx:

pipelines:
  my-pipeline:
    - step:
        script:
          - npx bpr-npm-audit

Have a look at this example pull request, which generates a report like this:

Example report image

Security

This module has zero dependencies (outside of NodeJS), and is simple enough to audit yourself.

If you are very paranoid, I recommend forking this repository, auditing the forked code, and then using npx pointed to your fork:

pipelines:
  my-pipeline:
    - step:
        script:
          - npx username/bpr-npm-audit

(Where username is your Github username.)

Configure

Parameters are passed in as environment variables. For example:

pipelines:
  my-pipeline:
    - step:
        script:
          - BPR_NAME="My Report" BPR_ID="myid" BPR_LEVEL="low" BPR_MAX_BUFFER_SIZE="20971520" npx bpr-npm-audit

Authentication

Configure by setting the environment variable BITBUCKET_AUTH. The content will be sent as Authorization header withing the requests.

Report Name

Configure by setting the environment variable BPR_NAME.

Default: Security: npm audit

Report ID

Configure by setting the environment variable BPR_ID.

Default: npmaudit

Fail Condition

Configure by setting the environment variable BPR_LEVEL to one of these options:

  • low
  • moderate
  • high (the default)
  • critical

If there are any vulnerabilities at that level or higher, the report will be marked as failed.

Reporting Level

Configure by setting the environment BPR_LOG to any of the BPR_LEVEL values.

If this is not set, all audit log entries will be included in the Pipeline Report.

Setting this property will limit the Report to contain only audit log entries at this level or higher.

Max Buffer Size

Configure by setting the environment variable BPR_MAX_BUFFER_SIZE to desired value in bytes.

Default: 10485760 (10 MB)

The value shouldn't be changed unless you run into problems with npm audit output being too large to handle (usually signalled by Unexpected end of JSON input error).

License

This project is published and released under the Very Open License.


(Made with ❤️ by Tobias Davis.)

Package Sidebar

Install

npm i @efuture/bpr-npm-audit

Weekly Downloads

0

Version

1.5.0

License

SEE LICENSE IN LICENSE.md

Unpacked Size

82.5 kB

Total Files

22

Last publish

Collaborators

  • efuture