Here's my truncated run output with the following config:

name: 'NodeSecure Continuous Integration'
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  validation:
    name: 'Validation'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: NodeSecure/ci-action@v1
        with:
          strategy: npm
          vulnerabilities: all
          warnings: warning
          reporters: console

node_modules/.bin/nsci --strategy=npm  --vulnerabilities=all  --warnings=warning --reporters=console

 info package-lock.json will be used during the analysis

 info Using npm vulnerability strategy


 @nodesecure/scanner Analysis started

 @nodesecure/scanner Analysis ended

 611 dependencies analyzed from project

 @nodesecure/ci Pipeline checks started

 ✖ 2 global warnings

 unsafe-regex dotenv/lib/main.js:5:13,5:155

... (all other warnings)

 parsing-error mkdirp/bin/cmd.js:0:0,0:0

 ✖ 2396 dependency warnings

 ✖ 3 vulnerabilities

 medium [node-forge] Open Redirect in node-forge <1.0.0

 low [xmldom] Misinterpretation of malicious XML input <0.5.0

 medium [xmldom] Misinterpretation of malicious XML input <0.7.0

 @nodesecure/ci Pipeline checks ended 29ms

 ✖ 2 global warnings | ✖ 2396 dependency warnings | ✖ 3 vulnerabilities

 [FAILURE] Pipeline failed

Problems:

• ✖ 2 global warnings: The 2 global warnings don't seem to appear in the output
• ✖ 2396 dependency warnings appears after the list of dependency warnings while ✖ 3 vulnerabilities appears before the list of vulnerabilities (inconsistent)
• ✖ 2396 dependency warnings: I set the "warnings" option to "warning", so it should probably use another emoji (maybe ⚠️) to indicate that the run wouldn't fail because of them.

See: https://github.com/github/roadmap/issues/470

The feature isn't available yet on GitHub, but I think it will be a nice addition once we can use it!

Linked to #2

The goal is to provide a simple and more readable summary (in the same spirit as the CLI reporter that can be shown in the GitHub action output).

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade @actions/core from 1.9.1 to 1.10.0.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

• The recommended version is 1 version ahead of your current version.
• The recommended version was released 21 days ago, on 2022-09-29.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.