actions/dependency-review-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
NaN Commits 1 Branch 0 Tags
bccacf97087f335a55937b51333cc2e0b0d7e189
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Federico Builes bccacf9708 Skeleton for license validation.
2022-06-06 20:32:46 +02:00
__tests__
Skeleton for license validation.
2022-06-06 20:32:46 +02:00
.github
Removing old file.
2022-06-01 13:40:09 +02:00
dist
Add severity level to the vulns not found message.
2022-06-01 15:56:16 +02:00
scripts
initial commit
2022-03-31 18:31:39 +02:00
src
Skeleton for license validation.
2022-06-06 20:32:46 +02:00
.eslintignore
initial commit
2022-03-31 18:31:39 +02:00
.eslintrc.json
initial commit
2022-03-31 18:31:39 +02:00
.gitattributes
initial commit
2022-03-31 18:31:39 +02:00
.gitignore
initial commit
2022-03-31 18:31:39 +02:00
.prettierignore
initial commit
2022-03-31 18:31:39 +02:00
.prettierrc.json
initial commit
2022-03-31 18:31:39 +02:00
action.yml
Update action.yml
2022-04-06 16:03:35 -04:00
CODE_OF_CONDUCT.md
initial commit
2022-03-31 18:31:39 +02:00
CODEOWNERS
Updating CODEOWNERS.
2022-04-06 18:29:51 +02:00
CONTRIBUTING.md
Update CONTRIBUTING.md
2022-05-12 10:25:45 +02:00
jest.config.js
initial commit
2022-03-31 18:31:39 +02:00
LICENSE
initial commit
2022-03-31 18:31:39 +02:00
package-lock.json
Merge pull request #91 from actions/adding-config-file
2022-06-06 20:32:21 +02:00
package.json
Merge pull request #91 from actions/adding-config-file
2022-06-06 20:32:21 +02:00
README.md
Updating the README with config instructions.
2022-06-01 13:39:05 +02:00
SECURITY.md
initial commit
2022-03-31 18:31:39 +02:00
tsconfig.json
initial commit
2022-03-31 18:31:39 +02:00

README.md

dependency-review-action

This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Screen Shot 2022-03-31 at 1 10 51 PM

Installation

  1. Add a new YAML workflow to your .github/workflows folder:
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v1

Please keep in mind that you need a GitHub Advanced Security license if you're running this Action on private repos.

Configuration

The Dependency Review Action uses a YAML configuration file. It expects this file to be named dependency-review.yml, inside your .github/ directory.

Here's a sample configuration file:

fail_on_severity: low

Here you can see an example of the configuration file we use for this repository.

Severity

By default this Action blocks any pull request that contains a vulnerability of any severity level. You can override this behavior by setting an option in your configuration file:

# choose one of: 'critical', 'high', 'moderate' or 'low'
fail_on_severity: high

Getting help

If you have bug reports, questions or suggestions please create a new issue.

Contributing

We are grateful for any contributions made to this project.

Please read CONTRIBUTING.MD to get started.

License

This project is released under the MIT License.

Description
Mirror of github.com/actions/dependency-review-action
Readme 51 MiB
Languages
TypeScript 98.2%
Ruby 1.7%
JavaScript 0.1%