Audit not failing in GitLab CI pipeline #345

@MacPiston

Description

Expected behavior:
Audit should fail because of vulnerable dependencies detected in project.
Output:

Failed security audit due to high vulnerabilities.
Vulnerable advisories are:
https://github.com/advisories/xxx
https://github.com/advisories/yyy
https://github.com/advisories/zzz
Exiting...

Actual behavior:
Audit passes despite detecting vulnerable dependencies in project.
Output:

PNPM audit report summary:
{
  "vulnerabilities": {
    "info": 0,
    "low": 2,
    "moderate": 7,
    "high": 3,
    "critical": 0
  },
  "dependencies": 865,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 865
}
Passed pnpm security audit.

Config:

{
  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
  "package-manager": "pnpm",
  "skip-dev": true,
  "high": true
}

Description:
When using GitLab CI (self-hosted instance, gitlab-runner 17.3.1 + node:18-bullseye-slim) running audit-ci does not fail, even though summary correctly lists high vulnerabilities. Running exactly the same audit locally causes failure due to high vulnerabilities (expected behavior). It does not matter whether json or CLI config is used - audit-ci always fails to exit on detecting vulnerabilities when running on GitLab CI pipeline.

Project uses PNPM version 9.1.1 (although the same behavior has been observed on the latest, i.e. 9.12.1).
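As an added example (not audit-ci's own code), a standalone Node check that applies the severity threshold the config above is expected to enforce to the summary quoted in the report. It assumes that enabling a level such as "high" means fail on that level and everything above it, and it can run as an independent gate in the same CI job to confirm the audit result.

```javascript
// Added example, not audit-ci's own code: a severity gate over a pnpm audit
// summary, using the same config shape as the issue's .audit-ci config.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Minimum failing severity from an audit-ci style config object.
// Assumption: the lowest enabled level ("low", "moderate", "high", "critical")
// is the threshold, and everything at or above it fails the audit.
function thresholdFromConfig(config) {
  for (const level of SEVERITIES.slice(1)) {
    if (config[level] === true) return level;
  }
  return null; // no level enabled: the gate never trips
}

// Severities at or above the threshold that have a non-zero count.
function failingSeverities(summary, config) {
  const threshold = thresholdFromConfig(config);
  if (threshold === null) return [];
  const min = SEVERITIES.indexOf(threshold);
  const counts = summary.vulnerabilities || {};
  return SEVERITIES.filter((s, i) => i >= min && (counts[s] || 0) > 0);
}

// Exit code the CI job should observe: 1 when the gate trips, 0 otherwise.
function auditExitCode(summary, config) {
  return failingSeverities(summary, config).length > 0 ? 1 : 0;
}

// Constructed input: the summary and config copied from the issue report.
const SUMMARY = {
  vulnerabilities: { info: 0, low: 2, moderate: 7, high: 3, critical: 0 },
  dependencies: 865,
  devDependencies: 0,
  optionalDependencies: 0,
  totalDependencies: 865,
};
const CONFIG = { "package-manager": "pnpm", "skip-dev": true, high: true };

// Report the verdict; wire `process.exitCode = auditExitCode(...)` in a real
// CI step so the job fails when the gate trips.
const failing = failingSeverities(SUMMARY, CONFIG);
console.log(
  auditExitCode(SUMMARY, CONFIG) === 1
    ? `Failed security audit due to ${failing.join(", ")} vulnerabilities.`
    : "Passed security audit."
);
```

With the report's summary and a "high": true config the gate returns exit code 1, which is the failure the reporter expects from the CI run.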
