Skip to content
Latchkey

Running npm audit in GitHub Actions

Make npm audit a CI gate without letting transitive noise block every build.

npm audit ships with npm and checks your dependency tree against the GitHub Advisory Database. As a CI gate it is zero-install, but it can be noisy and occasionally flaky on network hiccups. Setting --audit-level keeps the gate focused on real risk.

What you need

  • A committed package-lock.json.
  • Node set up in the workflow.
  • A chosen --audit-level (low, moderate, high, critical).

The workflow

Fail only on high-or-worse advisories.

.github/workflows/ci.yml
- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: npm

- run: npm ci
- run: npm audit --audit-level=high

Common gotchas

  • Without --audit-level, low-severity advisories fail every build.
  • npm audit hits the registry, so a transient network error can fail CI - consider a retry.
  • Many advisories are transitive and unfixable; use overrides or audit signatures to scope the gate.

Key takeaways

  • npm audit is built in and checks the GitHub Advisory Database.
  • Set --audit-level=high to focus the gate on real risk.
  • Expect transitive noise and occasional network flakiness.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →