
A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs

dependency-review-action

This action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an API endpoint that diffs the dependencies between any two revisions on your default branch.

The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.

You can see the results on the job logs:

[Screenshot: Dependency Review results in the job logs, 2022-03-31]

or on the job summary.

Installation

Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repositories.

  1. Add a new YAML workflow to your .github/workflows folder:
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3

GitHub Enterprise Server

This action is available in Enterprise Server starting with version 3.6. Make sure GitHub Advanced Security and GitHub Connect are enabled.

You can use the same workflow as above, replacing the runs-on value with the label of any of your runners (the default label is self-hosted):

# ...

jobs:
  dependency-review:
    runs-on: self-hosted
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3

Configuration options

Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.

| Option | Usage | Possible values | Default value |
|---|---|---|---|
| fail-on-severity | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | low, moderate, high, critical | low |
| allow-licenses* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any SPDX-compliant identifier(s) | none |
| deny-licenses* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any SPDX-compliant identifier(s) | none |
| fail-on-scopes† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | runtime, development, unknown | runtime |
| allow-ghsas | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the GitHub Advisory Database | none |
| license-check | Enable or disable the license check performed by the action. | true, false | true |
| vulnerability-check | Enable or disable the vulnerability check performed by the action. | true, false | true |
| allow-dependencies-licenses* | Contains a list of packages that will be excluded from license checks. | Any package(s) in purl format | none |
| base-ref/head-ref | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than pull_request and pull_request_target. | Any valid git ref(s) in your project | none |
| comment-summary-in-pr | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission pull-requests: write. | true, false | false |

*not supported for use with GitHub Enterprise Server

†will be supported with GitHub Enterprise Server 3.8
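A complete workflow that combines several of the options above, added here as an example and not taken from the README itself. It targets github.com (the starred and daggered options are not available on every Enterprise Server version), and the GHSA identifier and the purl are placeholders standing in for an advisory and a package you have reviewed yourself:

```yaml
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read
  # comment-summary-in-pr needs write access to pull requests
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          # Fail on moderate or higher; the default "low" is the strictest threshold
          fail-on-severity: moderate
          # Fail for vulnerable dev-only dependencies too (the default only covers runtime)
          fail-on-scopes: runtime, development
          # Allow-list of licenses; do not combine with deny-licenses, the action errors if both are set
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause
          # Packages exempt from the license check, in purl format (placeholder package name)
          allow-dependencies-licenses: 'pkg:npm/example-internal-package'
          # Advisories already triaged and accepted; GHSA-xxxx-xxxx-xxxx is a placeholder, not a real advisory
          allow-ghsas: GHSA-xxxx-xxxx-xxxx
          # Post the review summary as a PR comment (needs pull-requests: write above)
          comment-summary-in-pr: true
```

The only permission beyond `contents: read` is the one `comment-summary-in-pr` asks for; if you later disable the comment, drop `pull-requests: write` again so the workflow keeps the least privilege it needs.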

Inline Configuration

You can pass options to the Dependency Review GitHub Action using your workflow file.

Example

name: 'Dependency Review'
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: moderate

          # Use comma-separated names to pass list arguments:
          deny-licenses: LGPL-2.0, BSD-2-Clause

Configuration File

You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.

| Option | Usage | Possible values |
|---|---|---|
| config-file | A path to a file in the current repository or an external repository. Use this syntax for external files: OWNER/REPOSITORY/FILENAME@BRANCH | Local file: ./.github/dependency-review-config.yml; External repo: github/octorepo/dependency-review-config.yml@main |
| external-repo-token | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in developer settings. | Any token with read permissions to the repository hosting the config file. |

Example

Start by specifying that you will be using an external configuration file:

- name: Dependency Review
  uses: actions/dependency-review-action@v2
  with:
    config-file: './.github/dependency-review-config.yml'

And then create the file in the path you just specified. Please note that the option names in external files use underscores instead of dashes:

fail_on_severity: 'critical'
allow_licenses:
  - 'GPL-3.0'
  - 'BSD-3-Clause'
  - 'MIT'
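The same mechanism with the policy kept in a separate private repository, so one file can govern many repositories, added here as an example that is not part of the README. The organisation, repository and secret names are assumptions; the token behind the secret only needs read access to the repository holding the file. The two YAML documents below (separated by `---`) are the workflow step in each consuming repository and the contents of the external file:

```yaml
# Step in the consuming repository's .github/workflows/dependency-review.yml
- name: Dependency Review
  uses: actions/dependency-review-action@v3
  with:
    # OWNER/REPOSITORY/FILENAME@BRANCH; the owner and repository names are placeholders
    config-file: 'example-org/security-policies/dependency-review-config.yml@main'
    # Required because the repository above is private; the secret name is an assumption
    external-repo-token: ${{ secrets.DEPENDENCY_REVIEW_CONFIG_TOKEN }}

---
# Contents of dependency-review-config.yml in example-org/security-policies.
# Option names in external files use underscores, not dashes.
fail_on_severity: 'high'
fail_on_scopes:
  - 'runtime'
  - 'development'
# Deny-list form; do not also set allow_licenses, the action errors if both are given
deny_licenses:
  - 'AGPL-3.0'
  - 'GPL-2.0'
```

Pinning the file to a branch means a change to the central policy takes effect on every consumer's next pull request without touching their workflows; pin to a tag instead if you want consumers to opt in to policy changes explicitly.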

For more examples of how to use this action and its configuration options, see the examples page.

Considerations

  • Checking for licenses is not supported on Enterprise Server.
  • The action will only accept one of the two license parameters; an error will be raised if you provide both.
  • We don't have license information for all of your dependencies. If we can't detect the license for a dependency, we will inform you, but the action won't fail.

Blocking pull requests

The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the documentation on protected branches.

Getting help

If you have bug reports, questions or suggestions please create a new issue.

Contributing

We are grateful for any contributions made to this project. Please read CONTRIBUTING.MD to get started.

License

This project is released under the MIT License.
