Files
dependency-review-action/README.md

310 lines
9.7 KiB
Markdown
Raw Normal View History

2022-03-31 18:31:39 +02:00
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
2022-04-06 16:00:03 -04:00
2022-06-15 09:32:17 -04:00
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
2022-03-31 18:31:39 +02:00
You can see the results on the job logs
2022-03-31 18:31:39 +02:00
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
2022-03-31 18:31:39 +02:00
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
2022-08-03 11:22:48 +02:00
2022-03-31 18:31:39 +02:00
1. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
2022-03-31 18:31:39 +02:00
```
2022-08-03 11:22:48 +02:00
### GitHub Enterprise Server
2022-09-19 17:57:08 +00:00
This action is available in Enterprise Server starting with version 3.6. Make sure
2022-08-03 11:22:48 +02:00
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
2022-08-03 11:29:50 +02:00
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
2022-08-03 11:22:48 +02:00
are enabled.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
is `self-hosted`):
```yaml
# ...
jobs:
dependency-review:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
```
2022-05-13 08:11:58 +02:00
2022-06-14 12:24:27 +02:00
## Configuration
Configure this action by either using an external configuration file,
or by inlining these options in your workflow file.
2022-09-22 14:26:27 +02:00
## Configuration Options
2022-09-22 14:26:27 +02:00
### config-file
A string representing the path to an external configuraton file. By
default external configuration files are not used.
**Possible values**: A string representing the absolute path to the
2022-09-22 22:44:17 +00:00
configuration file.
**Example**: `config-file: ./.github/dependency-review-config.yml`.
2022-09-22 14:26:27 +02:00
### fail-on-severity
Configure the severity level for alerting. See "[Vulnerability Severity](https://github.com/actions/dependency-review-action#vulnerability-severity)".
**Possible values**: `critical`, `high`, `moderate`, `low`.
2022-09-06 14:36:50 +02:00
**Example**: `fail-on-severity: moderate`.
2022-09-22 14:26:27 +02:00
### fail-on-scopes
A list of strings representing the build environments you want to
support. The default value is `development, runtime`.
**Possible values**: `development`, `runtime`, `unknown`
2022-09-21 16:53:20 +02:00
**Inline example**: `fail-on-scopes: development, runtime`
**YAML example**:
2022-09-22 22:44:17 +00:00
2022-09-21 16:53:20 +02:00
```yaml
# this prevents scanning development dependencies
fail-on-scopes:
- runtime
```
2022-09-22 14:26:27 +02:00
### allow-licenses
Only allow the licenses in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
2022-09-06 14:36:50 +02:00
**YAML example**:
2022-09-22 22:44:17 +00:00
```yaml
allow-licenses:
- BSD-3-Clause
- MIT
```
2022-09-22 14:26:27 +02:00
### deny-licenses
Add a custom list of licenses you want to block. See
"[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
2022-09-06 14:36:50 +02:00
**YAML example**:
2022-09-22 22:44:17 +00:00
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
```
2022-09-22 22:44:17 +00:00
### allow-ghsas
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
2022-09-22 22:44:17 +00:00
**Possible values**: Any valid advisory GHSA ids.
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
**YAML example**:
```yaml
allow-ghsas:
- GHSA-abcd-1234-5679
- GHSA-efgh-1234-5679
```
2022-09-22 14:26:27 +02:00
### base-ref/head-ref
Provide custom git references for the git base/head when performing
the comparison. If you are using pull requests, or
`pull_request_target` events you do not need to worry about setting
this. The values need to be specified for all other event types.
**Possible values**: Any valid git ref(s) in your project.
2022-09-06 14:36:50 +02:00
**Example**:
2022-09-22 22:44:17 +00:00
```yaml
base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### Configuration File
You can use an external configuration file to specify the settings for
this Action.
Start by specifying that you will be using an external configuration
file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
2022-09-22 22:44:17 +00:00
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified. **All of these fields are
optional**:
```yaml
2022-09-22 22:44:17 +00:00
fail-on-severity: 'critical'
allow-licenses:
2022-09-22 22:44:17 +00:00
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
### Inline Configuration
You can pass options to the Dependency Review
Action using your workflow file. Here's an example of what the full
file would look like:
2022-06-14 12:24:27 +02:00
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: moderate
2022-06-14 12:24:27 +02:00
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
2022-06-14 12:24:27 +02:00
### Vulnerability Severity
By default the action will fail on any pull request that contains a
2022-06-14 12:24:27 +02:00
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
action defaults to `low`.
2022-06-14 12:24:27 +02:00
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
2022-06-14 12:24:27 +02:00
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
```
### Dependency Scoping
2022-09-19 17:57:08 +00:00
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on Enterprise Server just yet, as the REST API's introduction of `scope` will be released in an upcoming Enterprise Server version. We will treat all dependencies on Enterprise Server as having a `runtime` scope and thus will not be filtered away.
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-scopes: runtime, development
```
2022-06-14 12:24:27 +02:00
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
2022-06-14 12:24:27 +02:00
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
2022-09-19 17:57:08 +00:00
forbid a subset of licenses. These options are not supported on Enterprise Server.
2022-06-14 12:24:27 +02:00
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
```
### Considerations
2022-06-14 12:24:27 +02:00
2022-09-19 17:57:08 +00:00
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
performed).
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
2022-06-14 22:32:34 -04:00
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
2022-03-31 18:31:39 +02:00
## Getting help
If you have bug reports, questions or suggestions please [create a new
issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
2022-06-14 12:24:27 +02:00
We are grateful for any contributions made to this project.
2022-03-31 18:31:39 +02:00
Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
## License
2022-03-31 18:31:39 +02:00
This project is released under the [MIT License](https://github.com/actions/dependency-review-action/blob/main/LICENSE).