How to Run a Dependency Audit in GitHub Actions
Known vulnerabilities ship silently with every install; an audit gate makes them a failing check instead of a surprise.
Run npm audit --audit-level=high so the job fails when a high or critical advisory affects the dependency tree.
Steps
- Install dependencies with
npm cito lock the exact tree being audited. - Run
npm audit --audit-level=highso only high and critical issues fail the build. - Triage findings with
npm audit fixor an allowlist for accepted risks.
Workflow
.github/workflows/audit.yml
name: Dependency Audit
on:
pull_request:
schedule:
- cron: '0 6 * * 1'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: npm
- run: npm ci
- run: npm audit --audit-level=highNotes
- Run it on a schedule too so newly disclosed CVEs surface even without a new PR.
- On Latchkey managed runners audit jobs run cheaper and self-heal if a runner drops.
Related guides
How to Run a License Compliance Check in GitHub ActionsScan dependency licenses in GitHub Actions with license-checker and fail the build when a disallowed license…
How to Run a Secrets Scan on PRs in GitHub ActionsScan pull requests for leaked credentials in GitHub Actions with gitleaks so an accidentally committed key fa…