c876ddf858
Add weekly check for dependency vulnerabilities. Asana: https://app.asana.com/1/10497086658021/project/1210456585958356/task/1210561338171143
31 lines
944 B
Bash
Executable File
31 lines
944 B
Bash
Executable File
#!/bin/bash
|
|
|
|
severity=${1:-"critical"}
|
|
audit_json=$(pnpm audit --prod --json)
|
|
output_file="audit_output.json"
|
|
|
|
echo "Auditing for ${severity} vulnerabilities..."
|
|
|
|
echo "${audit_json}" | jq --arg severity "${severity}" '
|
|
.advisories | to_entries |
|
|
map(select(.value.patched_versions != "<0.0.0" and .value.severity == $severity) |
|
|
{
|
|
package: .value.module_name,
|
|
vulnerable: .value.vulnerable_versions,
|
|
fixed_in: .value.patched_versions
|
|
}
|
|
)
|
|
' >$output_file
|
|
|
|
audit_length=$(jq 'length' $output_file)
|
|
|
|
if [[ "${audit_length}" -gt "0" ]]; then
|
|
echo "Actionable vulnerabilities found in the following packages:"
|
|
jq -r '.[] | "\u001b[1m\(.package)\u001b[0m vulnerable in \u001b[31m\(.vulnerable)\u001b[0m fixed in \u001b[32m\(.fixed_in)\u001b[0m"' $output_file | while read -r line; do echo -e "$line"; done
|
|
echo "Output written to ${output_file}"
|
|
exit 1
|
|
else
|
|
echo "No actionable vulnerabilities"
|
|
exit 0
|
|
fi
|