Add npm audit and list output to OSV PR comments.

BigBlueHat · BigBlueHat · commit 64442e54b862 · 2025-10-10T14:38:00.000-04:00
diff --git a/.github/workflows/osv-scanner-pr.yaml b/.github/workflows/osv-scanner-pr.yaml
@@ -100,12 +100,75 @@ jobs:
         uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1.1.7
         with:
           path: new-results.md
-      - name: Add OSV comment
+
+      # Run npm audit and npm list to build up additional report explanations
+      - name: npm audit
+        id: npm_audit
+        run: |
+          echo 'result=$(npm audit --json)' >> $GITHUB_OUTPUT
+        continue-on-error: true
+      - name: npm audit
+        id: audit_report
+        run: |
+          AUDIT=$(echo "${{ toJson(steps.npm_audit.outputs.result) }}" | jq -r '
+            "| Severity | Name | Version | Fix Available |",
+            "| --- | --- | --- | --- |",
+            (.vulnerabilities | to_entries | .[] |
+              "| \(.value.severity) | \(.key) | \(.value.range) | \(.value.fixAvailable.version) |"
+            )')
+          # Use a random delimiter to capture the multi-line output
+          delimiter=$(openssl rand -hex 8)
+          echo "result<<$delimiter" >> $GITHUB_OUTPUT
+          echo "$AUDIT" >> $GITHUB_OUTPUT
+          echo "$delimiter" >> $GITHUB_OUTPUT
+        continue-on-error: true
+      - name: npm list vulnerable dependencies
+        id: list_report
+        run: |
+          DEPS=$(echo "${{ toJSON(steps.npm_audit.outputs.result) }}" | jq -r '[.vulnerabilities | to_entries[] | .key] | join(" ")')
+          LIST=$(npm list $DEPS --json | jq -r '
+            def walk_tree(prefix):
+              to_entries | map(
+                "\(prefix)\(.key)@\(.value.version)\n" +
+                if .value.dependencies then
+                  (.value.dependencies | walk_tree("  " + prefix))
+                else
+                  ""
+                end
+              ) | join("");
+            .dependencies | walk_tree("* ")')
+          # Use a random delimiter to capture the multi-line output
+          delimiter=$(openssl rand -hex 8)
+          echo "result<<$delimiter" >> $GITHUB_OUTPUT
+          echo "$LIST" >> $GITHUB_OUTPUT
+          echo "$delimiter" >> $GITHUB_OUTPUT
+        continue-on-error: true
+
+      # Combine OSV, npm audit, and npm list output into a single comment
+      - name: Add a comment containing OSV, npm audit, and npm list output
         uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
         with:
           message: |
             ## Vulnerability results from base branch
             ${{ steps.old.outputs.content }}
 
+            ### npm audit
+
+            ${{ steps.audit_report.outputs.result }}
+
+            ### npm list
+
+            ${{ steps.list_report.outputs.result }}
+
+            ---
+
             ## Vulnerability results from current PR branch
             ${{ steps.new.outputs.content }}
+
+            ### npm audit
+
+            ${{ steps.audit_report.outputs.result }}
+
+            ### npm list
+
+            ${{ steps.list_report.outputs.result }}
