# audit — Dependency Vulnerability Audit
Audits project dependencies for known vulnerabilities by querying the OSV database (Open Source Vulnerabilities). Supports 6 ecosystems and auto-detects the manifest file.
## Supported ecosystems
| Ecosystem | Manifest file |
|---|---|
| Rust | Cargo.lock |
| Node.js | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, Pipfile.lock, poetry.lock |
| Go | go.sum |
| Ruby | Gemfile.lock |
| .NET | packages.lock.json |
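The detection-and-query step behind the table above, as an added example that is not greengate's own code: it maps each manifest file to the ecosystem name the OSV API expects, picks the first supported manifest present, and builds the body that an audit tool would POST to `/v1/querybatch`. Only `requirements.txt` and `Cargo.lock` are parsed here (the other manifests are detection-only), both sample inputs are constructed, and OSV is never contacted, so the block runs offline.

```python
import re

# Manifest file -> OSV ecosystem name, in the order of the table above.
# The ecosystem strings are the ones the OSV API expects.
MANIFESTS = {
    "Cargo.lock": "crates.io",
    "package-lock.json": "npm",
    "yarn.lock": "npm",
    "pnpm-lock.yaml": "npm",
    "requirements.txt": "PyPI",
    "Pipfile.lock": "PyPI",
    "poetry.lock": "PyPI",
    "go.sum": "Go",
    "Gemfile.lock": "RubyGems",
    "packages.lock.json": "NuGet",
}


def detect_manifest(filenames):
    """Auto-detect: return the first supported (manifest, ecosystem) found."""
    present = set(filenames)
    for manifest, ecosystem in MANIFESTS.items():
        if manifest in present:
            return manifest, ecosystem
    raise FileNotFoundError("no supported manifest file found")


# `name==version` lines only; ranges such as `flask>=2.0` are not a single
# auditable version and are skipped.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")


def parse_requirements(text):
    pins = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


# A Cargo.lock entry is a [[package]] table whose first two keys are
# name and version.
_CARGO_PKG = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')


def parse_cargo_lock(text):
    return _CARGO_PKG.findall(text)


PARSERS = {"requirements.txt": parse_requirements, "Cargo.lock": parse_cargo_lock}


def build_querybatch(manifest, text):
    """Body for POST https://api.osv.dev/v1/querybatch, one query per pin."""
    ecosystem = MANIFESTS[manifest]
    pins = PARSERS[manifest](text)
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
            for name, version in pins
        ]
    }


# Constructed sample inputs (not real project files).
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
flask>=2.0          # unpinned: skipped
# a comment line
urllib3==1.26.4 ; python_version < "3.10"
"""

SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde_json"
version = "1.0.85"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.55"
"""

if __name__ == "__main__":
    import json
    manifest, eco = detect_manifest(["README.md", "Cargo.lock", "requirements.txt"])
    print(manifest, eco)
    print(json.dumps(build_querybatch(manifest, SAMPLE_CARGO_LOCK), indent=2))
```

Unpinned requirement lines are dropped rather than guessed at, because a range cannot be matched against an advisory's affected-version list; a real audit should treat them as a finding in their own right. The querybatch response carries only advisory IDs, so a tool still has to fetch `/v1/vulns/{id}` for summaries like the ones in the sample output below.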
## Usage

```
greengate audit [OPTIONS]
```

Options:

```
-h, --help    Print help
```

## Suppressing known-acceptable advisories
Some transitive dependency vulnerabilities cannot be fixed by upgrading a direct dependency — the affected package is pulled in by a tool (webpack, jest, turbo) that has not yet released a compatible upgrade. Blanket-suppressing entire packages is too broad; instead, suppress individual advisory IDs so that new advisories still fail the build.
Add an [audit] section to .greengate.toml:
```toml
[audit]
# GHSA/CVE IDs to suppress.
# Document WHY each entry is acceptable in a comment above it.
# Re-evaluate when upstream tools release new major versions.
ignore_advisories = [
  # ajv@6.x — used internally by webpack/jest schema tooling.
  # No direct dependency; cannot be forced without breaking webpack APIs.
  "GHSA-2G4F-4PWH-QVX6",
  # minimatch — pulled by glob/jest/eslint across major versions.
  # Forcing a single version breaks dependents that rely on separate major APIs.
  "GHSA-23C5-XMQV-RM74",
  "GHSA-3PPC-4F35-3M26",
  # rollup@3.x — bundled inside vite/webpack dev dependencies.
  # Production builds do not ship rollup; upgrade path blocked by vite compat.
  "GHSA-MW96-CPMX-2VGC",
]
```

Suppressed advisories are shown as warnings (`[suppressed]`) in the output but do not fail the build. Only advisories not listed in `ignore_advisories` cause an exit with code 1.
## Examples

```sh
# Audit from the current directory (auto-detects manifest)
greengate audit
```

### Sample output — findings present
```
ℹ️ Auditing dependencies via OSV...
⚠️ [suppressed] GHSA-2G4F-4PWH-QVX6 — ajv 6.12.6 (known acceptable transitive dep)
⚠️ Found 2 actionable vulnerability/ies:
  [GHSA-xxxx-yyyy-zzzz] openssl 0.10.55 — Use-after-free in X.509 certificate verification
  [GHSA-aaaa-bbbb-cccc] serde_json 1.0.85 — Stack overflow on deeply nested input
Error: Audit failed: 2 vulnerability/ies found.
```

### Sample output — all clear
```
ℹ️ Auditing dependencies via OSV...
✅ No actionable vulnerabilities found (2 suppressed).
```

### In GitHub Actions
```yaml
- name: Dependency Audit
  run: greengate audit
```

Exits 0 when no actionable vulnerabilities are found, 1 otherwise.
## Workflow: handling unfixable transitive dependencies

1. Run `greengate audit` and note the advisory IDs that fail.
2. For each failing advisory, check whether you control the affected package directly (i.e., it appears in your top-level `package.json`/`Cargo.toml`).
   - Yes — upgrade or pin to a patched version.
   - No (transitive) — check whether upgrading any direct dependency removes the transitive dep. If not, add the advisory ID to `ignore_advisories` with a comment explaining why.
3. Re-run `greengate audit` to confirm only suppressed advisories remain.
4. Set a calendar reminder to re-evaluate suppressed advisories when the upstream tool releases a new major version.
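The suppression rule from the configuration section and the direct-versus-transitive decision from the workflow above, worked through in one added example that is not greengate's own implementation. The config text, the direct-dependency set and the OSV-shaped findings are constructed; `GHSA-xxxx-yyyy-zzzz` and `GHSA-aaaa-bbbb-cccc` are the placeholder IDs from the sample output, `CVE-0000-0001` is a placeholder alias, and the case-insensitive ID comparison is an assumption (OSV reports GHSA IDs in lower case, while the config above writes them in upper case).

```python
import re

# Constructed config in the shape shown in the suppression section; only
# one of the page's IDs is kept so the other findings stay actionable.
# Comment lines inside the array are allowed, as the page recommends.
CONFIG = """
[audit]
ignore_advisories = [
  # ajv@6.x - transitive via webpack/jest schema tooling
  "GHSA-2G4F-4PWH-QVX6",
]
"""

# Names declared in the project's own Cargo.toml/package.json (constructed).
DIRECT_DEPS = {"openssl", "serde", "webpack"}

# Constructed findings in the shape of OSV vulnerability records, attached
# to the package/version they were reported against.
FINDINGS = [
    {"package": "ajv", "version": "6.12.6",
     "vuln": {"id": "GHSA-2g4f-4pwh-qvx6", "aliases": ["CVE-0000-0001"]}},
    {"package": "openssl", "version": "0.10.55",
     "vuln": {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": []}},
    {"package": "serde_json", "version": "1.0.85",
     "vuln": {"id": "GHSA-aaaa-bbbb-cccc", "aliases": []}},
]


def load_ignore_list(toml_text):
    """Extract the IDs from ignore_advisories without a full TOML parser:
    comment lines inside the array are dropped, then every quoted string is
    taken. IDs are upper-cased because OSV emits GHSA IDs in lower case
    (assumption: the real tool's comparison is case-insensitive too)."""
    m = re.search(r"ignore_advisories\s*=\s*\[(.*?)\]", toml_text, re.S)
    if not m:
        return set()
    body = "\n".join(
        line for line in m.group(1).splitlines() if not line.strip().startswith("#")
    )
    return {s.upper() for s in re.findall(r'"([^"]+)"', body)}


def is_suppressed(finding, ignore):
    """An entry matches the advisory's own ID or any alias, so a CVE entry
    also covers the GHSA record that aliases it (a deliberately broader
    match than comparing the GHSA ID alone)."""
    vuln = finding["vuln"]
    ids = {vuln["id"].upper()} | {a.upper() for a in vuln.get("aliases", [])}
    return bool(ids & ignore)


def remediation(finding, direct_deps):
    """Workflow step 2: the fix depends on who controls the package."""
    if finding["package"] in direct_deps:
        return "direct: upgrade or pin to a patched version"
    return ("transitive: upgrade the direct dependency that pulls it in; "
            "if none does, add the advisory ID to ignore_advisories with a comment")


def audit(findings, ignore, direct_deps):
    """Split findings into suppressed warnings and actionable failures;
    only the actionable ones drive the exit code (0 = clean, 1 = fail)."""
    suppressed = [f for f in findings if is_suppressed(f, ignore)]
    actionable = [f for f in findings if not is_suppressed(f, ignore)]
    return {
        "exit_code": 1 if actionable else 0,
        "suppressed": [f["vuln"]["id"] for f in suppressed],
        "plan": {f["vuln"]["id"]: remediation(f, direct_deps) for f in actionable},
    }


if __name__ == "__main__":
    result = audit(FINDINGS, load_ignore_list(CONFIG), DIRECT_DEPS)
    for vid in result["suppressed"]:
        print(f"[suppressed] {vid}")
    for vid, action in result["plan"].items():
        print(f"[{vid}] {action}")
    raise SystemExit(result["exit_code"])
```

Because only advisory IDs are suppressed, a new advisory against `ajv` (or against any other package) still fails the run; that is the property the page is after. The alias match is a design choice worth stating in the config comment: listing a CVE number silences every OSV record that aliases it. Nothing here checks the justification comments or the age of an entry, which is why the calendar-reminder step above remains a manual control.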