A tool for auditing JSR, deno.land, NPM, and ESM packages with Deno utilizing the GitHub Advisory Database.
- Extract the packages from a given `deno.lock` (v4) file
- Resolve the corresponding GitHub repositories
  - JSR via `api.jsr.io`
  - deno.land via `cdn.deno.land`
  - NPM & ESM via `registry.npmjs.org`
- Fetch published vulnerabilities via `api.github.com`
- Create a report
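The first step above, extracting packages from a `deno.lock` v4 file, as an added example that is not code from `@nashaddams/audit` itself. It assumes the v4 layout with `jsr`, `npm` and `remote` sections keyed by `name@version` (npm keys may carry a `_peer@version` suffix) and by module URL; the lock file content is constructed for illustration.

```typescript
// Added example (not the project's own code): pull auditable packages out of
// a deno.lock v4 file and tag each with the registry it is resolved against.

type Registry = "jsr" | "deno.land" | "npm";

interface LockedPackage {
  registry: Registry;
  name: string;
  version: string;
}

// The deno.lock v4 sections this example reads. Shape is an assumption based
// on the v4 format; "specifiers", "redirects" and "workspace" are not needed
// to enumerate locked packages and are ignored here.
interface DenoLockV4 {
  version: string;
  jsr?: Record<string, unknown>;
  npm?: Record<string, unknown>;
  remote?: Record<string, string>;
}

// Split "@scope/name@1.2.3", "name@1.2.3" or "name@1.2.3_peer@4.5.6" into
// name and version. The search for "@" starts at index 1 so a leading scope
// "@" is never taken as the version separator; a "_" after the version
// introduces a peer-dependency suffix (npm) and is dropped.
function splitNameVersion(key: string): { name: string; version: string } {
  const at = key.indexOf("@", 1);
  if (at < 0) throw new Error(`unversioned lock entry: ${key}`);
  const name = key.slice(0, at);
  const version = key.slice(at + 1).split("_")[0];
  return { name, version };
}

// deno.land modules are URLs such as https://deno.land/std@0.224.0/path/mod.ts
// or https://deno.land/x/oak@v12.6.1/mod.ts; many files map to one package.
const DENO_LAND_RE = /^https:\/\/deno\.land\/(x\/)?([^@/]+)@([^/]+)\//;

function extractPackages(lockText: string): LockedPackage[] {
  const lock = JSON.parse(lockText) as DenoLockV4;
  if (lock.version !== "4") {
    throw new Error(`unsupported deno.lock version: ${lock.version}`);
  }
  const seen = new Set<string>();
  const out: LockedPackage[] = [];
  const push = (p: LockedPackage) => {
    const id = `${p.registry}:${p.name}@${p.version}`;
    if (!seen.has(id)) {
      seen.add(id);
      out.push(p);
    }
  };
  for (const key of Object.keys(lock.jsr ?? {})) {
    push({ registry: "jsr", ...splitNameVersion(key) });
  }
  for (const key of Object.keys(lock.npm ?? {})) {
    push({ registry: "npm", ...splitNameVersion(key) });
  }
  for (const url of Object.keys(lock.remote ?? {})) {
    const m = DENO_LAND_RE.exec(url);
    if (m) push({ registry: "deno.land", name: m[2], version: m[3] });
  }
  return out;
}

// Constructed sample lock file (integrity values are placeholders).
const SAMPLE_LOCK = JSON.stringify({
  version: "4",
  specifiers: { "jsr:@std/bytes@^1.0.0": "1.0.2", "npm:chalk@5": "5.3.0" },
  jsr: { "@std/bytes@1.0.2": { integrity: "sha256-placeholder" } },
  npm: {
    "chalk@5.3.0": { integrity: "sha512-placeholder" },
    "react-dom@18.2.0_react@18.2.0": { integrity: "sha512-placeholder" },
  },
  remote: {
    "https://deno.land/std@0.224.0/path/mod.ts": "placeholder",
    "https://deno.land/std@0.224.0/path/join.ts": "placeholder",
    "https://deno.land/x/oak@v12.6.1/mod.ts": "placeholder",
  },
});

console.log(extractPackages(SAMPLE_LOCK));
```

Deduplication by `registry:name@version` matters for deno.land, where every imported file is a separate lock entry but only one advisory lookup per package version is needed.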
```sh
deno run -A jsr:@nashaddams/audit [--help]
```

Running this command will print the audit results to the console, create a
report in the output directory, and return an exit code indicating whether
vulnerabilities have been found and matched (`1`) or not (`0`).
Alternatively, `audit` can also be imported and used as a library function:

```ts
import { audit, runAudit } from "@nashaddams/audit";

audit(); // accepts an optional `AuditOptions` object: audit(options?: AuditOptions)
runAudit(); // CLI wrapper for `audit`
```
See the docs for further details.
The `report` subcommand serves the generated audit report:

```sh
deno run -A jsr:@nashaddams/audit report
```
Vulnerabilities for a specific package can be excluded by adding the package
name and CVE ID(s) or GHSA ID(s) to an `audit.json` file:

```json
{
  "ignore": {
    "@std/bytes": ["CVE-2024-52793"]
  }
}
```
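How an `audit.json` ignore map is applied to matched advisories, and how the resulting exit code from the earlier section follows from what remains, as an added example that is not the project's own implementation. It assumes each match carries a GHSA ID and an optional CVE ID, that an entry may be ignored by either identifier, and that the ignore list is scoped to the package it is listed under; the advisory matches below are constructed and their GHSA IDs are placeholders.

```typescript
// Added example (not the project's own code): filter advisory matches with
// the "ignore" map from audit.json and derive the process exit code.

interface AdvisoryMatch {
  pkg: string;          // package name as it appears in the lock file
  ghsaId: string;       // GitHub advisory identifier
  cveId: string | null; // not every GHSA has a CVE assigned
  severity: string;
}

interface AuditConfig {
  ignore?: Record<string, string[]>;
}

// Parse audit.json and reject malformed ignore lists early, so a typo in the
// config cannot silently suppress findings.
function parseAuditConfig(text: string): AuditConfig {
  const cfg = JSON.parse(text) as AuditConfig;
  for (const [pkg, ids] of Object.entries(cfg.ignore ?? {})) {
    if (!Array.isArray(ids) || !ids.every((id) => typeof id === "string")) {
      throw new Error(`ignore list for ${pkg} must be an array of strings`);
    }
  }
  return cfg;
}

// A match is ignored only if its package has an ignore list containing the
// match's GHSA ID or CVE ID. Identifiers are compared case-insensitively
// (a choice made here, not a documented behaviour of the tool).
function applyIgnores(
  matches: AdvisoryMatch[],
  cfg: AuditConfig,
): { kept: AdvisoryMatch[]; ignored: AdvisoryMatch[] } {
  const kept: AdvisoryMatch[] = [];
  const ignored: AdvisoryMatch[] = [];
  for (const m of matches) {
    const ids = new Set((cfg.ignore?.[m.pkg] ?? []).map((id) => id.toUpperCase()));
    const isIgnored = ids.has(m.ghsaId.toUpperCase()) ||
      (m.cveId !== null && ids.has(m.cveId.toUpperCase()));
    (isIgnored ? ignored : kept).push(m);
  }
  return { kept, ignored };
}

// Exit code semantics from the CLI description: 1 if any matched
// vulnerability survives the ignore list, otherwise 0.
function exitCodeFor(kept: AdvisoryMatch[]): 0 | 1 {
  return kept.length > 0 ? 1 : 0;
}

// The audit.json from the text above.
const AUDIT_JSON = `{ "ignore": { "@std/bytes": ["CVE-2024-52793"] } }`;

// Constructed advisory matches; GHSA IDs are placeholders.
const SAMPLE_MATCHES: AdvisoryMatch[] = [
  { pkg: "@std/bytes", ghsaId: "GHSA-placeholder-1", cveId: "CVE-2024-52793", severity: "moderate" },
  { pkg: "@std/bytes", ghsaId: "GHSA-placeholder-2", cveId: null, severity: "high" },
  // Same CVE ID but a different package: the ignore entry does not apply.
  { pkg: "chalk", ghsaId: "GHSA-placeholder-3", cveId: "CVE-2024-52793", severity: "low" },
];

const result = applyIgnores(SAMPLE_MATCHES, parseAuditConfig(AUDIT_JSON));
console.log(result, "exit code:", exitCodeFor(result.kept));
```

Scoping the ignore list to a package name is what keeps a suppression from leaking: the same CVE reported against a different package is still a finding.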
For convenience, the previous run instructions use the `-A` permission flag,
which grants all permissions to `audit`. Alternatively, granular flags can be
passed instead:

| Command | Permissions |
|---|---|
| `audit` | `-RW=. -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM -N=api.jsr.io,cdn.deno.land,registry.npmjs.org,api.github.com` |
| `audit report` | `-R=. -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM -N=0.0.0.0` |
| `audit --help` | `-R=. -E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM` |
Details

| Permission | Usage |
|---|---|
| `-R=.` | Read the lock file and the report. |
| `-W=.` | Write the report. |
| `-E=GITHUB_TOKEN,NO_COLOR,FORCE_COLOR,TERM` | Used for authenticated GitHub API requests and the terminal spinner. |
| `-N=api.jsr.io,cdn.deno.land,registry.npmjs.org,api.github.com` | Fetch package information and GitHub security advisories. |
| `-N=0.0.0.0` | Serve the generated audit report. |