2022-03-31 18:31:39 +02:00
# dependency-review-action
2022-08-18 14:56:08 +02:00
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint ](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review ) that diffs the dependencies between any two revisions.
2022-04-06 16:00:03 -04:00
2022-06-15 09:32:17 -04:00
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
2022-03-31 18:31:39 +02:00
2022-08-01 21:07:02 +01:00
You can see the results on the job logs
2022-03-31 18:31:39 +02:00
< img width = "854" alt = "Screen Shot 2022-03-31 at 1 10 51 PM" src = "https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png" >
2022-08-01 21:07:02 +01:00
or on the job summary
< img src = "https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png" >
2022-03-31 18:31:39 +02:00
## Installation
2022-08-03 17:27:39 +02:00
**Please keep in mind that you need a [GitHub Advanced Security ](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security ) license if you're running this action on private repositories.**
2022-08-03 11:22:48 +02:00
2022-03-31 18:31:39 +02:00
1. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
2022-06-14 12:16:03 -04:00
uses: actions/dependency-review-action@v2
2022-03-31 18:31:39 +02:00
```
2022-08-03 11:22:48 +02:00
### GitHub Enterprise Server
2022-09-19 17:57:08 +00:00
This action is available in Enterprise Server starting with version 3.6. Make sure
2022-08-03 11:22:48 +02:00
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3 .6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
2022-08-03 11:29:50 +02:00
Connect](https://docs.github.com/en/enterprise-server@3 .6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
2022-08-03 11:22:48 +02:00
are enabled.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
is `self-hosted` ):
```yaml
# ...
jobs:
dependency-review:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
```
2022-05-13 08:11:58 +02:00
2022-06-14 12:24:27 +02:00
## Configuration
2022-08-01 21:07:02 +01:00
2022-09-06 14:30:39 +02:00
Configure this action by either using an external configuration file,
2022-09-22 08:03:23 +02:00
or by inlining these options in your workflow file.
2022-09-06 14:30:39 +02:00
2022-09-22 14:26:27 +02:00
## Configuration Options
2022-09-06 14:30:39 +02:00
2022-09-22 14:26:27 +02:00
### config-file
2022-09-19 16:46:42 +02:00
2022-09-20 15:15:14 +02:00
A string representing the path to an external configuraton file. By
default external configuration files are not used.
2022-09-19 16:46:42 +02:00
2022-09-20 15:15:14 +02:00
**Possible values**: A string representing the absolute path to the
2022-09-22 22:44:17 +00:00
configuration file.
2022-09-19 16:46:42 +02:00
2022-09-20 15:15:14 +02:00
**Example**: `config-file: ./.github/dependency-review-config.yml` .
2022-09-19 16:46:42 +02:00
2022-09-22 14:26:27 +02:00
### fail-on-severity
2022-09-06 14:30:39 +02:00
Configure the severity level for alerting. See "[Vulnerability Severity ](https://github.com/actions/dependency-review-action#vulnerability-severity )".
**Possible values**: `critical` , `high` , `moderate` , `low` .
2022-09-06 14:36:50 +02:00
2022-09-06 14:30:39 +02:00
**Example**: `fail-on-severity: moderate` .
2022-09-22 14:26:27 +02:00
### fail-on-scopes
2022-09-21 16:50:02 +02:00
A list of strings representing the build environments you want to
support. The default value is `development, runtime` .
**Possible values**: `development` , `runtime` , `unknown`
2022-09-21 16:53:20 +02:00
**Inline example**: `fail-on-scopes: development, runtime`
**YAML example**:
2022-09-22 22:44:17 +00:00
2022-09-21 16:53:20 +02:00
```yaml
# this prevents scanning development dependencies
fail-on-scopes:
- runtime
```
2022-09-21 16:50:02 +02:00
2022-09-22 14:26:27 +02:00
### allow-licenses
2022-09-06 14:30:39 +02:00
Only allow the licenses in this list. See "[Licenses ](https://github.com/actions/dependency-review-action#licenses )".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
2022-09-06 14:36:50 +02:00
2022-09-06 14:30:39 +02:00
**YAML example**:
2022-09-22 22:44:17 +00:00
2022-09-06 14:30:39 +02:00
```yaml
allow-licenses:
- BSD-3-Clause
- MIT
```
2022-09-22 14:26:27 +02:00
### deny-licenses
2022-09-06 14:30:39 +02:00
Add a custom list of licenses you want to block. See
"[Licenses ](https://github.com/actions/dependency-review-action#licenses )".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
2022-09-06 14:36:50 +02:00
2022-09-06 14:30:39 +02:00
**YAML example**:
2022-09-22 22:44:17 +00:00
2022-09-06 14:30:39 +02:00
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
```
2022-09-22 22:44:17 +00:00
### allow-ghsas
2022-09-23 12:32:46 -07:00
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
2022-09-22 22:44:17 +00:00
**Possible values**: Any valid advisory GHSA ids.
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
**YAML example**:
```yaml
allow-ghsas:
- GHSA-abcd-1234-5679
- GHSA-efgh-1234-5679
```
2022-09-22 14:26:27 +02:00
### base-ref/head-ref
2022-09-06 14:30:39 +02:00
Provide custom git references for the git base/head when performing
the comparison. If you are using pull requests, or
`pull_request_target` events you do not need to worry about setting
this. The values need to be specified for all other event types.
**Possible values**: Any valid git ref(s) in your project.
2022-09-06 14:36:50 +02:00
2022-09-06 14:30:39 +02:00
**Example**:
2022-09-22 22:44:17 +00:00
2022-09-06 14:30:39 +02:00
```yaml
base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### Configuration File
2022-09-19 16:46:42 +02:00
You can use an external configuration file to specify the settings for
this Action.
Start by specifying that you will be using an external configuration
file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
2022-09-22 22:44:17 +00:00
config-file: './.github/dependency-review-config.yml'
2022-09-19 16:46:42 +02:00
```
2022-09-20 15:15:14 +02:00
And then create the file in the path you just specified. **All of these fields are
2022-09-19 16:46:42 +02:00
optional**:
2022-09-06 14:30:39 +02:00
```yaml
2022-09-22 22:44:17 +00:00
fail-on-severity: 'critical'
2022-09-06 14:30:39 +02:00
allow-licenses:
2022-09-22 22:44:17 +00:00
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
2022-09-06 14:30:39 +02:00
```
### Inline Configuration
You can pass options to the Dependency Review
Action using your workflow file. Here's an example of what the full
file would look like:
2022-06-14 12:24:27 +02:00
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
2022-09-06 14:30:39 +02:00
fail-on-severity: moderate
2022-06-14 12:24:27 +02:00
2022-09-06 14:30:39 +02:00
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
2022-07-21 15:47:05 -04:00
2022-06-14 12:24:27 +02:00
### Vulnerability Severity
2022-06-14 12:16:03 -04:00
By default the action will fail on any pull request that contains a
2022-06-14 12:24:27 +02:00
vulnerable dependency, regardless of the severity level. You can override this behavior by
2022-06-14 12:16:03 -04:00
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical` , `high` , `moderate` , or `low` . The
action defaults to `low` .
2022-06-14 12:24:27 +02:00
2022-06-14 12:16:03 -04:00
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
2022-06-14 12:24:27 +02:00
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
```
2022-09-15 20:40:38 +00:00
### Dependency Scoping
2022-09-19 17:57:08 +00:00
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown` , `runtime` , and `development` . Note: Filtering by scope will not be supported on Enterprise Server just yet, as the REST API's introduction of `scope` will be released in an upcoming Enterprise Server version. We will treat all dependencies on Enterprise Server as having a `runtime` scope and thus will not be filtered away.
2022-09-15 20:40:38 +00:00
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-scopes: runtime, development
```
2022-06-14 12:24:27 +02:00
### Licenses
2022-06-14 12:16:03 -04:00
You can set the action to fail on pull requests based on the licenses of the dependencies
2022-06-14 12:24:27 +02:00
they introduce. With `allow-licenses` you can define the list of licenses
2022-06-14 12:16:03 -04:00
your repository will accept. Alternatively, you can use `deny-licenses` to only
2022-09-19 17:57:08 +00:00
forbid a subset of licenses. These options are not supported on Enterprise Server.
2022-06-14 12:24:27 +02:00
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
```
2022-09-06 14:30:39 +02:00
### Considerations
2022-06-14 12:24:27 +02:00
2022-09-19 17:57:08 +00:00
- Checking for licenses is not supported on Enterprise Server.
2022-09-15 20:40:38 +00:00
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
performed).
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
2022-06-14 14:11:01 +02:00
2022-06-14 22:32:34 -04:00
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches ](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging ).
2022-03-31 18:31:39 +02:00
## Getting help
If you have bug reports, questions or suggestions please [create a new
issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
2022-06-14 12:24:27 +02:00
We are grateful for any contributions made to this project.
2022-03-31 18:31:39 +02:00
Please read [CONTRIBUTING.MD ](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md ) to get started.
## License
2022-08-01 21:07:02 +01:00
2022-03-31 18:31:39 +02:00
This project is released under the [MIT License ](https://github.com/actions/dependency-review-action/blob/main/LICENSE ).