Vulnerability auditor

Evaluates enriched vulnerability records against severity and allowlist policy.

| Property | Value |
|---|---|
| Auditor name | vulnerability |
| Finding kind | vulnerability |
| Runs with --audit | Yes |
| Needs enrichment data | Yes |
| Policy flags | --fail-on, --allow-vulnerability-id |
| Finding reasons | severity threshold, reachable symbol, KEV listing |

User notes

Needs vulnerability data on packages, so pair it with --enrich (or ingest an SBOM that already carries advisories). --allow-vulnerability-id suppresses specific CVE/GHSA IDs you have triaged.

What the vulnerability auditor does

It walks every package in the resolved graph, reads the vulnerability records that matchers attached during enrichment, and turns each record into a finding. It does not fetch anything itself: it evaluates data that is already on the graph, so without enrichment data there is nothing for it to evaluate.

A finding is produced for every advisory on a package unless the advisory's ID is in the allowlist. Each finding records why it matters (severity threshold, reachable symbol, KEV listing); whether a finding fails the build is decided separately by --fail-on (see AUDITORS.md).

Options

| Flag | YAML key | Effect |
|---|---|---|
| --fail-on <severity\|reachable> | policy.fail_on | Turns matching findings into a non-zero exit code. Repeat the flag to AND constraints: a finding fails the build only when it meets every one. |
| --allow-vulnerability-id <id> | policy.allow_vulnerability_ids | Suppresses a specific advisory (CVE or GHSA) you have already triaged. Repeatable. |

Examples

# Fail CI on any high-or-critical vulnerability
bomly scan --enrich --audit --fail-on high

# Same gate, but accept one advisory you've assessed as not exploitable
bomly scan --enrich --audit --fail-on high \
  --allow-vulnerability-id GHSA-xxxx-yyyy-zzzz

# Only fail when a high-severity advisory is also reachable
bomly scan --enrich --audit --analyze \
  --fail-on high --fail-on reachable

Limitations

  • Garbage in, garbage out. The auditor is only as good as the matcher data. Run --enrich (or ingest an SBOM with advisories) or it will find nothing.
  • Allowlisting is by ID, not by package. --allow-vulnerability-id suppresses an advisory everywhere it appears, across every package.
  • Reachability is experimental. --fail-on reachable depends on --analyze; an unknown reachability status does not mean "safe." See REACHABILITY.md.
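The evaluation described under "What the vulnerability auditor does", the AND semantics of repeated --fail-on from the options table, and the three limitations above, modelled as an added example. This is illustrative code written for this page, not bomly's own implementation. It assumes a severity ladder low < medium < high < critical (so that --fail-on high means high or critical, as the first example implies), a None value for unknown reachability, exit code 1 for a failing policy, and placeholder advisory IDs on a constructed package graph; the policy dict mirrors the YAML keys from the options table.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed severity ladder (not spelled out on the page): --fail-on high
# means high or critical.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    """A vulnerability record a matcher attached to a package during --enrich."""
    id: str                           # CVE or GHSA identifier
    severity: str
    reachable: Optional[bool] = None  # None: reachability unknown (no --analyze, or inconclusive)
    kev: bool = False                 # listed in CISA KEV


@dataclass
class Package:
    name: str
    version: str
    advisories: list[Advisory] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: Advisory
    reasons: tuple[str, ...]


def _meets(adv: Advisory, constraint: str) -> bool:
    """One --fail-on constraint. 'reachable' is satisfied only by a confirmed
    reachable symbol; an unknown status neither satisfies it nor proves safety."""
    if constraint == "reachable":
        return adv.reachable is True
    return SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[constraint]


def audit(graph: list[Package], policy: dict) -> list[Finding]:
    """Walk every package and emit one finding per advisory, unless its ID is
    allowlisted. `policy` mirrors the YAML keys policy.fail_on and
    policy.allow_vulnerability_ids."""
    allow = {i.upper() for i in policy.get("allow_vulnerability_ids", [])}
    severities = [c for c in policy.get("fail_on", []) if c != "reachable"]
    findings: list[Finding] = []
    for pkg in graph:
        for adv in pkg.advisories:
            if adv.id.upper() in allow:
                continue  # suppressed on every package it appears on, not just this one
            reasons = []
            if any(_meets(adv, s) for s in severities):
                reasons.append("severity threshold")
            if adv.reachable is True:
                reasons.append("reachable symbol")
            if adv.kev:
                reasons.append("KEV listing")
            findings.append(Finding(pkg.name, pkg.version, adv, tuple(reasons)))
    return findings


def failing(findings: list[Finding], fail_on: list[str]) -> list[Finding]:
    """Repeated --fail-on values are ANDed: a finding fails the build only if it
    satisfies every constraint. With no --fail-on, nothing fails."""
    if not fail_on:
        return []
    return [f for f in findings if all(_meets(f.advisory, c) for c in fail_on)]


def exit_code(graph: list[Package], policy: dict) -> int:
    """Assumed mapping: 1 when any finding satisfies the whole policy, else 0."""
    return 1 if failing(audit(graph, policy), policy.get("fail_on", [])) else 0


# Constructed sample graph with placeholder advisory IDs (not real advisories).
SAMPLE_GRAPH = [
    Package("pkg-a", "1.0.0", [Advisory("GHSA-xxxx-yyyy-zzzz", "high", reachable=True)]),
    Package("pkg-b", "2.3.1", [
        Advisory("GHSA-xxxx-yyyy-zzzz", "high"),               # same ID on a second package
        Advisory("GHSA-aaaa-bbbb-cccc", "critical", kev=True),  # reachability unknown
    ]),
    Package("pkg-c", "0.4.2", [Advisory("GHSA-dddd-eeee-ffff", "medium", reachable=True)]),
]

if __name__ == "__main__":
    policy = {"fail_on": ["high", "reachable"],
              "allow_vulnerability_ids": ["GHSA-xxxx-yyyy-zzzz"]}
    for f in audit(SAMPLE_GRAPH, policy):
        print(f"{f.package}@{f.version} {f.advisory.id} {f.advisory.severity} {f.reasons}")
    print("exit", exit_code(SAMPLE_GRAPH, policy))
```

Running the `__main__` policy shows the caveats together: allowlisting GHSA-xxxx-yyyy-zzzz removes it from both pkg-a and pkg-b, and the build passes even though a critical, KEV-listed advisory with unknown reachability is still reported as a finding, because "unknown" does not satisfy the reachable constraint. That pass is a statement about the policy, not about safety.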