Gathering detailed insights and metrics for @npmcli/ci-detect
Gathering detailed insights and metrics for @npmcli/ci-detect
Detect what kind of CI environment the program is in
Installations
npm install @npmcli/ci-detectDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
^14.17.0 || ^16.13.0 || >=18.0.0
Node Version
18.12.0
NPM Version
9.1.1
Score
99.9
Supply Chain
93.6
Quality
81.7
Maintenance
100
Vulnerability
100
License
Releases
4
Languages
1
JavaScript
JavaScript (100%)
Developer
npm
Download Statistics
Total Downloads
230,913,469
Last Day
37,612
Last Week
599,888
Last Month
2,610,825
Last Year
26,949,941
GitHub Statistics
ISC License
53 Stars
73 Commits
13 Forks
4 Watchers
2 Branches
71 Contributors
Updated on Nov 15, 2023
Bundle Size
1.86 kB
Minified
845.00 B
Minified + Gzipped
Maintainers
5
Package Meta Information
Latest Version
3.0.2
Package Id
@npmcli/ci-detect@3.0.2
Unpacked Size
6.79 kB
Size
3.14 kB
File Count
4
NPM Version
9.1.1
Node Version
18.12.0
Total Downloads
Cumulative downloads
Total Downloads
230,913,469
Last Day
-33%
37,612
Compared to previous day
Last Week
-17.1%
599,888
Compared to previous week
Last Month
21.2%
2,610,825
Compared to previous month
Last Year
-25.5%
26,949,941
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
3
@npmcli/ci-detect
Detect what kind of CI environment the program is in
USAGE
1const ciDetect = require('@npmcli/ci-detect') 2// false if not in CI 3// otherwise, a string indicating the CI environment type 4const inCI = ciDetect()
CIs Detected
Returns one of the following strings, or false if none match, by looking
at the appropriate environment variables.
- Anything that sets the
CI_NAMEenvironment variable will return the value as the result. (This is how CodeShip is detected.) 'aws-codebuild'AWS CodeBuild'azure-pipelines'Azure Pipelines'bamboo'Bamboo'bitbucket-pipelines'Bitbucket Pipelines'bitrise'Bitrise'buddy'Buddy'builder'Google Cloud Builder - This one is a bit weird. It doesn't really set anything that can be reliably detected exceptBUILDER_OUTPUT, so it can get false positives pretty easily.'buildkite'Buildkite'circleci'Circle-CI'cirrus'Cirrus CI'codeship'CodeShip'custom'anything else that setsCIenvironment variable to either'1'or'true'.'drone'Drone'dsari'dsari CI'gerrit'Gerrit'github-actions'GitHub Actions'gitlab'GitLab'gocd'GoCD'heroku'Heroku'hudson'Hudson CI'jenkins'Jenkins'magnum'Magnum CI'netlify'Netlify'nevercode'Nevercode'now'Zeit.co's Now service, but not GitHub/BitBucket/GitLab'now-bitbucket'Zeit.co's Now for BitBucket deployment service'now-github'Zeit.co's Now for GitHub deployment service'now-gitlab'Zeit.co's Now for GitLab deployment service'render'Render CI'sail'Sail CI'screwdriver'Screwdriver CI'semaphore'Semaphore'shippable'Shippable'strider'Strider CI'taskcluster'Mozilla Taskcluster'tddium'TDDium'teamcity'TeamCity'travis-ci'Travis-CI - A few other CI systems setTRAVIS=1in the environment, because devs use that to indicate "test mode", so this one can get some false positives, and is tested later in the process to minimize this effect.'vercel'Vercel'vercel-bitbucket'Vercel Bitbucket'vercel-github'Vercel GitHub'vercel-gitlab'Vercel Gitlab'wercker'Oracle Wercker'woodpecker'Woodpecker CI
Caveats
Since any program can set or unset whatever environment variables they want, this is not 100% reliable.
Also, if your program does different behavior in CI/test/deployment than other places, then there's a good chance that you're doing something wrong!
But, for little niceties like setting colors or other output parameters, or logging and that sort of non-essential thing, this module provides a way to tweak without checking a bunch of things in a bunch of places. Mostly, it's a single place to keep a note of what CI system sets which environment variable.
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: ISC License: LICENSE:0
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 0 commits out of 27 are checked with a SAST tool
Reason
Found 3/6 approved changesets -- score normalized to 5
Reason
project is archived
Details
- Warn: Repository is archived.
Reason
dangerous workflow patterns detected
Details
- Warn: script injection with untrusted input ' github.event.pull_request.title ': .github/workflows/pull-request.yml:47
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:175: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:183: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:211: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/post-dependabot.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:228: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:266: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/ci-detect/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:32
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:87
- Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:91
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:37
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:37
- Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:330
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:51
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:55
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:164
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:168
- Info: 0 out of 29 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 9 third-party GitHubAction dependencies pinned
- Info: 0 out of 15 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:23
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/post-dependabot.yml:8
- Warn: no topLevel permission defined: .github/workflows/pull-request.yml:1
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:20
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:18
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
4.1
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More