From d041cfd4c5702ae25e7c793cfc19dd282e8ae6b8 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:17:59 -0500 Subject: [PATCH 1/2] Revise README for workflows and detector options Updated example workflow section and added details about experimental and default-off detectors that are passed into detectorArgs as EnableIfDefaultOff --- README.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0e2e394..c9b8d10 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems. -### Example workflow +### Example workflows ```yaml @@ -25,13 +25,41 @@ jobs: uses: advanced-security/component-detection-dependency-submission-action@v0.1.1 ``` +Additional `Experimental` and `DefaultOff` detectors: + +For a list of experimental and default-off detectors that require explicit enablement, see the [Detectors README](https://github.com/microsoft/component-detection/blob/main/docs/detectors/README.md). See [enable-default-off.md](https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md) for more details. + +```yaml +name: Component Detection + +on: + workflow_dispatch: + push: + +permissions: + id-token: write + contents: write + +jobs: + dependency-submission: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Component detection + uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + with: + # Experimental detectors: Poetry, UvLock, NpmLockfile3, Ivy + # Default-off detectors: ConanLock, CondaLock, Dockerfile, Pip, SimplePip, Spdx22, SwiftResolved + detectorArgs: Poetry=EnableIfDefaultOff,UvLock=EnableIfDefaultOff,NpmLockfile3=EnableIfDefaultOff,Ivy=EnableIfDefaultOff,ConanLock=EnableIfDefaultOff,CondaLock=EnableIfDefaultOff,Dockerfile=EnableIfDefaultOff,Pip=EnableIfDefaultOff,SimplePip=EnableIfDefaultOff,Spdx22=EnableIfDefaultOff,SwiftResolved=EnableIfDefaultOff +``` + ### Configuration options | Parameter | Description | Example | | --- | --- | --- | filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'` directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test` -detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff` +detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is `Experimental` or `DefaultOff` to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff` dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on | ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab | detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector` detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm` From d177d7847af12c5fb7070ff32cf33556806bab5a Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:20:14 -0500 Subject: [PATCH 2/2] Update README to remove duplication and version change fix formatting and typo --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c9b8d10..69f6739 100644 --- a/README.md +++ b/README.md @@ -26,8 +26,7 @@ jobs: ``` Additional `Experimental` and `DefaultOff` detectors: - -For a list of experimental and default-off detectors that require explicit enablement, see the [Detectors README](https://github.com/microsoft/component-detection/blob/main/docs/detectors/README.md). See [enable-default-off.md](https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md) for more details. +- For a list of experimental and default-off detectors that require explicit enablement, see the [Detectors README](https://github.com/microsoft/component-detection/blob/main/docs/detectors/README.md). See [enable-default-off.md](https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md) for more details. ```yaml name: Component Detection @@ -46,7 +45,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Component detection - uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + uses: advanced-security/component-detection-dependency-submission-action@v0.1.1 with: # Experimental detectors: Poetry, UvLock, NpmLockfile3, Ivy # Default-off detectors: ConanLock, CondaLock, Dockerfile, Pip, SimplePip, Spdx22, SwiftResolved