dependabot[bot] d8d3455ed6 Bump the npm_and_yarn group with 4 updates
Bumps the npm_and_yarn group with 4 updates: [tar](https://github.com/isaacs/node-tar), [yaml](https://github.com/eemeli/yaml), [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) and [undici](https://github.com/nodejs/undici).


Updates `tar` from 6.1.13 to 6.2.1
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/isaacs/node-tar/compare/v6.1.13...v6.2.1)

Updates `yaml` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.2.1...v2.2.2)

Updates `@babel/traverse` from 7.20.5 to 7.24.5
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.24.5/packages/babel-traverse)

Updates `undici` from 5.21.0 to 5.28.4
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.21.0...v5.28.4)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@babel/traverse"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-05-07 20:32:29 +00:00
2022-08-25 09:12:00 -07:00
2022-08-25 09:12:00 -07:00
2022-08-25 09:12:00 -07:00
2023-01-21 22:04:05 +00:00
2023-04-07 15:07:03 -07:00
2023-04-07 16:21:17 -07:00
2022-08-25 09:12:00 -07:00
2023-05-12 14:48:18 -04:00
2023-01-22 01:06:08 +00:00

Component detection dependency submission action

This GitHub Action runs the microsoft/component-detection library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.

Example workflow


name: Component Detection

on:
  workflow_dispatch:
  push:

permissions: 
  id-token: write
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Component detection 
        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2

Configuration options

Parameter Description Example
filePath The path to the directory containing the environment files to upload. Defaults to Actions working directory. '.'
directoryExclusionList Filters out specific directories following a minimatch pattern. test
detectorArgs Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. Pip=EnableIfDefaultOff
dockerImagesToScan Comma separated list of docker image names or hashes to execute container scanning on ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab
detectorsFilter A comma separated list with the identifiers of the specific detectors to be used. Pip, RustCrateDetector

For more information: https://github.com/microsoft/component-detection

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Description
Mirror of github.com/actions/component-detection-dependency-submission-action
Readme 37 MiB
Languages
TypeScript 96.4%
JavaScript 3.6%