Running npm audit in GitHub Actions
Make npm audit a CI gate without letting transitive noise block every build.
npm audit ships with npm and checks your dependency tree against the GitHub Advisory Database. As a CI gate it is zero-install, but it can be noisy and occasionally flaky on network hiccups. Setting --audit-level keeps the gate focused on real risk.
What you need
- A committed package-lock.json.
- Node set up in the workflow.
- A chosen --audit-level (low, moderate, high, critical).
The workflow
Fail only on high-or-worse advisories.
.github/workflows/ci.yml
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ci
- run: npm audit --audit-level=highCommon gotchas
- Without --audit-level, low-severity advisories fail every build.
- npm audit hits the registry, so a transient network error can fail CI - consider a retry.
- Many advisories are transitive and unfixable; use overrides or audit signatures to scope the gate.
Key takeaways
- npm audit is built in and checks the GitHub Advisory Database.
- Set --audit-level=high to focus the gate on real risk.
- Expect transitive noise and occasional network flakiness.
Related guides
Running pip-audit in GitHub ActionsAudit Python dependencies for vulnerabilities with pip-audit in GitHub Actions, scan requirements or the envi…
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…