2022-03-31 18:31:39 +02:00
# dependency-review-action
2022-08-18 14:56:08 +02:00
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint ](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review ) that diffs the dependencies between any two revisions.
2022-04-06 16:00:03 -04:00
2022-06-15 09:32:17 -04:00
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
2022-03-31 18:31:39 +02:00
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
## Installation
2022-08-03 17:27:39 +02:00
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
2022-08-03 11:22:48 +02:00
2022-03-31 18:31:39 +02:00
1. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
name : 'Dependency Review'
on : [ pull_request]
permissions :
contents : read
jobs :
dependency-review :
runs-on : ubuntu-latest
steps :
- name : 'Checkout Repository'
uses : actions/checkout@v3
- name : 'Dependency Review'
2022-06-14 12:16:03 -04:00
uses : actions/dependency-review-action@v2
2022-03-31 18:31:39 +02:00
```
2022-08-03 11:22:48 +02:00
### GitHub Enterprise Server
This action is available in GHES starting with version 3.6. Make sure
[GitHub Advanced
Security ](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise )
and [GitHub
2022-08-03 11:29:50 +02:00
Connect ](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect )
2022-08-03 11:22:48 +02:00
are enabled.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
is `self-hosted` ):
```yaml
# ...
jobs :
dependency-review :
runs-on : self-hosted
steps :
- name : 'Checkout Repository'
uses : actions/checkout@v3
- name : 'Dependency Review'
uses : actions/dependency-review-action@v2
```
2022-05-13 08:11:58 +02:00
2022-06-14 12:24:27 +02:00
## Configuration
2022-07-21 15:47:05 -04:00
2022-06-14 12:16:03 -04:00
You can pass additional options to the Dependency Review
2022-06-14 12:27:56 +02:00
Action using your workflow file. Here's an example workflow with
all the possible configurations:
2022-06-14 12:24:27 +02:00
```yaml
name : 'Dependency Review'
on : [ pull_request]
permissions :
contents : read
jobs :
dependency-review :
runs-on : ubuntu-latest
steps :
- name : 'Checkout Repository'
uses : actions/checkout@v3
- name : Dependency Review
uses : actions/dependency-review-action@v2
with :
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
2022-07-21 15:47:05 -04:00
# Possible values: Any available git ref
# base-ref: ${{ github.event.pull_request.base.ref }}
# head-ref: ${{ github.event.pull_request.head.ref }}
#
2022-08-03 10:46:47 -04:00
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES.
2022-06-14 12:24:27 +02:00
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
2022-06-14 12:16:03 -04:00
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
2022-06-14 12:24:27 +02:00
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
2022-07-21 15:47:05 -04:00
When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
2022-08-18 14:56:08 +02:00
the `base-ref` and `head-ref` values have the defaults as shown above. If the workflow is caused by
any other event, the `base-ref` and `head-ref` options must be
explicitly set in the configuration file.
2022-07-21 15:47:05 -04:00
2022-06-14 12:24:27 +02:00
### Vulnerability Severity
2022-06-14 12:16:03 -04:00
By default the action will fail on any pull request that contains a
2022-06-14 12:24:27 +02:00
vulnerable dependency, regardless of the severity level. You can override this behavior by
2022-06-14 12:16:03 -04:00
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical` , `high` , `moderate` , or `low` . The
action defaults to `low` .
2022-06-14 12:24:27 +02:00
2022-06-14 12:16:03 -04:00
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
2022-06-14 12:24:27 +02:00
```yaml
- name : Dependency Review
uses : actions/dependency-review-action@v2
with :
fail-on-severity : high
```
### Licenses
2022-06-14 12:16:03 -04:00
You can set the action to fail on pull requests based on the licenses of the dependencies
2022-06-14 12:24:27 +02:00
they introduce. With `allow-licenses` you can define the list of licenses
2022-06-14 12:16:03 -04:00
your repository will accept. Alternatively, you can use `deny-licenses` to only
2022-08-03 10:46:47 -04:00
forbid a subset of licenses. These options are not supported on GHES.
2022-06-14 12:24:27 +02:00
You can use the [Licenses
API ](https://docs.github.com/en/rest/licenses ) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name : Dependency Review
uses : actions/dependency-review-action@v2
with :
allow-licenses : MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name : Dependency Review
uses : actions/dependency-review-action@v2
with :
deny-licenses : Apache-1.1, Apache-2.0
```
**Important**
2022-08-18 14:56:08 +02:00
<<<<<<< HEAD
2022-07-21 15:47:05 -04:00
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
performed).
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
2022-08-18 14:56:08 +02:00
=======
2022-08-03 10:46:47 -04:00
* Checking for licenses is not supported on GHES.
2022-06-14 12:16:03 -04:00
* The action will only accept one of the two parameters; an error will
2022-06-14 12:24:27 +02:00
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
2022-06-14 14:11:01 +02:00
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
2022-08-18 14:56:08 +02:00
>>>>>>> main
2022-06-14 14:11:01 +02:00
2022-06-14 22:32:34 -04:00
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches ](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging ).
2022-03-31 18:31:39 +02:00
## Getting help
If you have bug reports, questions or suggestions please [create a new
issue ](https://github.com/actions/dependency-review-action/issues/new/choose ).
## Contributing
2022-06-14 12:24:27 +02:00
We are grateful for any contributions made to this project.
2022-03-31 18:31:39 +02:00
Please read [CONTRIBUTING.MD ](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md ) to get started.
## License
2022-07-21 15:47:05 -04:00
2022-03-31 18:31:39 +02:00
This project is released under the [MIT License ](https://github.com/actions/dependency-review-action/blob/main/LICENSE ).