chore: move npm audit to a dedicate task (#6297)

Move 'npm audit' execution to a dedicated target (and corresponding
step) so that we can modularize it, and avoid that it blocks that whole
test suite.

.github/workflows/ci.yml

@@ -252,7 +252,14 @@ jobs:
       - set-build-metadata
       - build-container-image
       - build-test-suite-matrix
+    # Don't fail the entire test suite when:
+    # - Running npm audit, so we can see test results even if there are
+    #   vulnerable dependencies that might be unrelated to the PR
+    # - Running the 'test' target because it runs all the tests, including the
+    #   ones that are allowed to fail
+    continue-on-error: ${{ matrix.test-case == 'npm-audit' || matrix.test-case == 'test' }}
     strategy:
+      fail-fast: true
       matrix:
         test-case: ${{ fromJson(needs.build-test-suite-matrix.outputs.matrix) }}
         images:

Dockerfile

@@ -85,7 +85,6 @@ RUN apk add --no-cache \
 COPY dependencies/package.json dependencies/package-lock.json /
 RUN apk add --no-cache --virtual .node-build-deps \
   npm \
-  && npm audit \
   && npm install --strict-peer-deps \
   && npm cache clean --force \
   && chown -R "$(id -u)":"$(id -g)" node_modules \

Makefile

@@ -4,7 +4,7 @@
 all: info docker test ## Run all targets.
 
 .PHONY: test
-test: info validate-container-image-labels docker-build-check docker-dev-container-build-check test-lib inspec lint-codebase fix-codebase test-default-config-files test-actions-runner-debug test-actions-steps-debug test-runner-debug test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-non-default-home-directory test-git-initial-commit test-git-merge-commit-push test-log-level test-use-find-and-ignore-gitignored-files test-linters-expect-failure-log-level-notice test-bash-exec-library-expect-success test-bash-exec-library-expect-failure test-save-super-linter-output test-save-super-linter-output-custom-path test-save-super-linter-custom-summary test-custom-gitleaks-log-level test-dont-save-super-linter-log-file test-dont-save-super-linter-output test-linters test-linters-fix-mode ## Run the test suite
+test: info validate-container-image-labels docker-build-check docker-dev-container-build-check npm-audit test-lib inspec lint-codebase fix-codebase test-default-config-files test-actions-runner-debug test-actions-steps-debug test-runner-debug test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-non-default-home-directory test-git-initial-commit test-git-merge-commit-push test-log-level test-use-find-and-ignore-gitignored-files test-linters-expect-failure-log-level-notice test-bash-exec-library-expect-success test-bash-exec-library-expect-failure test-save-super-linter-output test-save-super-linter-output-custom-path test-save-super-linter-custom-summary test-custom-gitleaks-log-level test-dont-save-super-linter-log-file test-dont-save-super-linter-output test-linters test-linters-fix-mode ## Run the test suite
 
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
@@ -165,6 +165,17 @@ validate-container-image-labels: ## Validate container image labels
 		$(BUILD_REVISION) \
 		$(BUILD_VERSION)
 
+.PHONY: npm-audit
+npm-audit: ## Run npm audit to check for known vulnerable dependencies
+	docker run $(DOCKER_FLAGS) \
+		--entrypoint /bin/bash \
+		--rm \
+		-v "$(CURDIR)/dependencies/package-lock.json":/package-lock.json \
+		-v "$(CURDIR)/dependencies/package.json":/package.json \
+		--workdir / \
+		$(SUPER_LINTER_TEST_CONTAINER_URL) \
+		-c "npm audit"
+
 # For some cases, mount a directory that doesn't have too many files to keep tests short
 
 .PHONY: test-actions-runner-debug