Skip to content
Latchkey

How to Run a Dependency Audit in GitHub Actions

Known vulnerabilities ship silently with every install; an audit gate makes them a failing check instead of a surprise.

Run npm audit --audit-level=high so the job fails when a high or critical advisory affects the dependency tree.

Steps

  • Install dependencies with npm ci to lock the exact tree being audited.
  • Run npm audit --audit-level=high so only high and critical issues fail the build.
  • Triage findings with npm audit fix or an allowlist for accepted risks.

Workflow

.github/workflows/audit.yml
name: Dependency Audit
on:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
      - run: npm ci
      - run: npm audit --audit-level=high

Notes

  • Run it on a schedule too so newly disclosed CVEs surface even without a new PR.
  • On Latchkey managed runners audit jobs run cheaper and self-heal if a runner drops.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →