How to decorate my merge request with the result of npm audit?


In my CI, I use npm audit to find out which of my dependencies are vulnerable. I would like my pipeline to add a comment to my merge request listing vulnerable libraries above a given threshold. What would be the best way to do it?

Thanks

I tried: not much actually. I already know how to make my pipeline fail if vulnerabilities are found, but that is not what I am after. I am looking for merge request decoration.

Answer by bhito:

I think the best tool for this would be Danger.JS, which you can easily integrate into your pipelines to display cool stuff - it will add a comment with the data you want to display.

There's this npm-audit plugin that displays all of the vulnerabilities found. You can even write your own code to display as much data as you'd like to and tweak the format as well.

Hope it helps!