Expected behavior:
Audit should fail because of vulnerable dependencies detected in project.
Output:
Failed security audit due to high vulnerabilities.
Vulnerable advisories are:
https://github.com/advisories/xxx
https://github.com/advisories/yyy
https://github.com/advisories/zzz
Exiting...
Actual behavior:
Audit passes despite detecting vulnerable dependencies in project.
Output:
PNPM audit report summary:
{
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 7,
"high": 3,
"critical": 0
},
"dependencies": 865,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 865
}
Passed pnpm security audit.
Config:
{
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"package-manager": "pnpm",
"skip-dev": true,
"high": true
}
Description:
When using GitLab CI (self-hosted instance, gitlab-runner 17.3.1 + node:18-bullseye-slim) running audit-ci does not fail, even though summary correctly lists high vulnerabilities. Running exactly the same audit locally causes failure due to high vulnerabilities (expected behavior). It does not matter whether json or CLI config is used - audit-ci always fails to exit on detecting vulnerabilities when running on GitLab CI pipeline.
Project uses PNPM version 9.1.1 (although the same behavior has been observed on latest i.e. 9.12.1)
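To make the expected decision concrete, here is an added example (not audit-ci's own code) that replays the pass/fail logic the config on this page expresses against the summary the CI run printed. The summary and config objects are copied from the issue text; the threshold mapping (`high: true` means fail on high or critical, `moderate: true` on moderate and above, `low: true` on low and above, `critical: true` on critical only) is my reading of audit-ci's documented flags and should be treated as an assumption. A check like this, run on the JSON summary in the pipeline, gives a second, independent exit code so a job cannot pass while high findings are listed.

```javascript
// Added example, not part of audit-ci. Replays the threshold decision for the
// summary and config quoted in the issue above.
// Severity levels from least to most severe; "info" is never a failing level.
const SEVERITY_ORDER = ["low", "moderate", "high", "critical"];

// Summary copied from the CI output in the issue (the run that wrongly passed).
const SAMPLE_SUMMARY = {
  vulnerabilities: { info: 0, low: 2, moderate: 7, high: 3, critical: 0 },
  dependencies: 865,
  devDependencies: 0,
  optionalDependencies: 0,
  totalDependencies: 865,
};

// Config copied from the issue ($schema key omitted; it does not affect the decision).
const SAMPLE_CONFIG = { "package-manager": "pnpm", "skip-dev": true, high: true };

// Assumed semantics: each level flag means "fail on this level or worse", so the
// effective threshold is the least severe level that is enabled. Returns null
// when no level flag is set, in which case nothing can fail the audit.
function effectiveThreshold(config) {
  for (const level of SEVERITY_ORDER) {
    if (config[level] === true) return level;
  }
  return null;
}

// Decide whether the audit must fail and report which levels at or above the
// threshold actually had findings, so the reason is visible in the job log.
function evaluateSummary(summary, config) {
  const threshold = effectiveThreshold(config);
  if (threshold === null) {
    return { shouldFail: false, threshold, failingLevels: [] };
  }
  const minIndex = SEVERITY_ORDER.indexOf(threshold);
  const counts = summary.vulnerabilities || {};
  const failingLevels = SEVERITY_ORDER.slice(minIndex).filter(
    (level) => (counts[level] || 0) > 0
  );
  return { shouldFail: failingLevels.length > 0, threshold, failingLevels };
}

// Map the decision to the exit code a CI step should return: non-zero on failure.
function exitCodeFor(summary, config) {
  return evaluateSummary(summary, config).shouldFail ? 1 : 0;
}

// Stand-alone demonstration on the values from the issue.
const verdict = evaluateSummary(SAMPLE_SUMMARY, SAMPLE_CONFIG);
console.log(
  verdict.shouldFail
    ? `Failed security audit due to ${verdict.failingLevels.join(", ")} vulnerabilities.`
    : "Passed security audit."
);
console.log(`exit code: ${exitCodeFor(SAMPLE_SUMMARY, SAMPLE_CONFIG)}`);
```

In a pipeline, feeding the real `pnpm audit --json` summary through a check of this shape and calling `process.exit` with `exitCodeFor(...)` turns the printed summary into a hard failure independently of audit-ci's own exit handling, which is exactly the step that the reported run skipped.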