Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c94f57ba90 | |||
| 124fafe31e | |||
| 26174d80a2 | |||
| a87338ac8a | |||
| 64f81cd2da | |||
| 0ca1f606a4 | |||
| d416fb5267 | |||
| 81bba5eb54 | |||
| f9daaa3561 | |||
| 60c44a0894 | |||
| 7911825c25 | |||
| ad040f4b88 | |||
| 2876926e7f | |||
| 47a0fcbcd4 | |||
| da507e61ac | |||
| 0034949d8d | |||
| f1706f5a9d | |||
| a569f6fc5c | |||
| fd07d42ce8 | |||
| 77290ae4a1 | |||
| 9411082069 | |||
| 73d8c1b981 |
@@ -1,21 +1,21 @@
|
||||
# dependency-review-action
|
||||
|
||||
This action scans your pull requests for dependency changes, and will
|
||||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
|
||||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
|
||||
|
||||
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
|
||||
|
||||
You can see the results on the job logs:
|
||||
|
||||
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
|
||||
or on the job summary:
|
||||
|
||||
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
|
||||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
|
||||
|
||||
## Installation
|
||||
|
||||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
|
||||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
|
||||
|
||||
1. Add a new YAML workflow to your `.github/workflows` folder:
|
||||
|
||||
@@ -38,11 +38,11 @@ jobs:
|
||||
|
||||
### GitHub Enterprise Server
|
||||
|
||||
This action is available in Enterprise Server starting with version 3.6. Make sure
|
||||
Make sure
|
||||
[GitHub Advanced
|
||||
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
|
||||
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
|
||||
and [GitHub
|
||||
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
|
||||
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
|
||||
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
|
||||
|
||||
You can use the same workflow as above, replacing the `runs-on` value
|
||||
@@ -71,7 +71,7 @@ Configure this action by either inlining these options in your workflow file, or
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
@@ -86,8 +86,6 @@ Configure this action by either inlining these options in your workflow file, or
|
||||
|
||||
\*not supported for use with GitHub Enterprise Server
|
||||
|
||||
†will be supported with GitHub Enterprise Server 3.8
|
||||
|
||||
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
|
||||
|
||||
### Inline Configuration
|
||||
@@ -157,7 +155,11 @@ For more examples of how to use this action and its configuration options, see t
|
||||
|
||||
## Blocking pull requests
|
||||
|
||||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
|
||||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
|
||||
|
||||
## Outputs
|
||||
|
||||
`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
|
||||
|
||||
## Getting help
|
||||
|
||||
|
||||
@@ -65,6 +65,9 @@ inputs:
|
||||
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
|
||||
required: false
|
||||
default: false
|
||||
outputs:
|
||||
comment-content:
|
||||
description: Prepared dependency report comment
|
||||
|
||||
runs:
|
||||
using: 'node20'
|
||||
|
||||
+695
-232
File diff suppressed because it is too large
Load Diff
+1
-1
File diff suppressed because one or more lines are too long
@@ -164,6 +164,39 @@ jobs:
|
||||
comment-summary-in-pr: always
|
||||
```
|
||||
|
||||
## Getting the results of the action in a later step
|
||||
|
||||
Using the `comment-content` output you can get the results of the action in a workflow step.
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
id: review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
- name: 'Report'
|
||||
if: always() # make sure this step runs even if the previous failed
|
||||
shell: bash
|
||||
env:
|
||||
comment: ${{ steps.review.outputs.comment-content }}
|
||||
run: |
|
||||
echo "$comment" # do something with the comment
|
||||
```
|
||||
|
||||
## Exclude dependencies from the license check
|
||||
|
||||
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
|
||||
|
||||
Generated
+8
-8
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.1.0",
|
||||
"version": "4.1.1",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.1.0",
|
||||
"version": "4.1.1",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
@@ -2089,9 +2089,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@types/node": {
|
||||
"version": "20.11.17",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.17.tgz",
|
||||
"integrity": "sha512-QmgQZGWu1Yw9TDyAP9ZzpFJKynYNeOvwMJmaxABfieQoVoiVOS6MN1WSpqpRcbeA5+RW82kraAVxCCJg+780Qw==",
|
||||
"version": "20.11.19",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.19.tgz",
|
||||
"integrity": "sha512-7xMnVEcZFu0DikYjWOlRq7NTPETrm7teqUT2WkQjrTIkEgUyyGdWsj/Zg8bEJt5TNklzbPD1X3fqfsHw3SpapQ==",
|
||||
"dependencies": {
|
||||
"undici-types": "~5.26.4"
|
||||
}
|
||||
@@ -7639,9 +7639,9 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/undici": {
|
||||
"version": "5.27.2",
|
||||
"resolved": "https://registry.npmjs.org/undici/-/undici-5.27.2.tgz",
|
||||
"integrity": "sha512-iS857PdOEy/y3wlM3yRp+6SNQQ6xU0mmZcwRSriqk+et/cwWAtwmIGf6WkoDN2EK/AMdCO/dfXzIwi+rFMrjjQ==",
|
||||
"version": "5.28.3",
|
||||
"resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz",
|
||||
"integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==",
|
||||
"dependencies": {
|
||||
"@fastify/busboy": "^2.0.0"
|
||||
},
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.1.0",
|
||||
"version": "4.1.1",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
|
||||
+18
-2
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
|
||||
import * as githubUtils from '@actions/github/lib/utils'
|
||||
import * as retry from '@octokit/plugin-retry'
|
||||
import {RequestError} from '@octokit/request-error'
|
||||
import {ConfigurationOptions} from './schemas'
|
||||
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
|
||||
const octo = new retryingOctokit(
|
||||
@@ -12,7 +13,22 @@ const octo = new retryingOctokit(
|
||||
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
|
||||
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(summary: typeof core.summary): Promise<void> {
|
||||
export async function commentPr(
|
||||
summary: typeof core.summary,
|
||||
config: ConfigurationOptions
|
||||
): Promise<void> {
|
||||
const commentContent = summary.stringify()
|
||||
|
||||
core.setOutput('comment-content', commentContent)
|
||||
|
||||
if (
|
||||
config.comment_summary_in_pr !== 'always' &&
|
||||
config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode !== core.ExitCode.Failure
|
||||
) {
|
||||
return
|
||||
}
|
||||
|
||||
if (!github.context.payload.pull_request) {
|
||||
core.warning(
|
||||
'Not in the context of a pull request. Skipping comment creation.'
|
||||
@@ -20,7 +36,7 @@ export async function commentPr(summary: typeof core.summary): Promise<void> {
|
||||
return
|
||||
}
|
||||
|
||||
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
|
||||
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
|
||||
|
||||
try {
|
||||
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
|
||||
|
||||
+5
-2
@@ -21,16 +21,19 @@ export function getRefs(
|
||||
if (!base_ref && !head_ref) {
|
||||
throw new Error(
|
||||
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
|
||||
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
|
||||
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
)
|
||||
} else if (!base_ref) {
|
||||
throw new Error(
|
||||
'A base ref must be provided, either via the `base_ref` config option, ' +
|
||||
'or by running a `pull_request`/`pull_request_target` workflow.'
|
||||
'`base-ref` workflow action option, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
)
|
||||
} else if (!head_ref) {
|
||||
throw new Error(
|
||||
'A head ref must be provided, either via the `head_ref` config option, ' +
|
||||
'`head-ref` workflow action option, or by running a ' +
|
||||
'or by running a `pull_request`/`pull_request_target` workflow.'
|
||||
)
|
||||
}
|
||||
|
||||
+1
-7
@@ -144,13 +144,7 @@ async function run(): Promise<void> {
|
||||
|
||||
summary.addScannedDependencies(changes)
|
||||
printScannedDependencies(changes)
|
||||
if (
|
||||
config.comment_summary_in_pr === 'always' ||
|
||||
(config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode === core.ExitCode.Failure)
|
||||
) {
|
||||
await commentPr(core.summary)
|
||||
}
|
||||
await commentPr(core.summary, config)
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
|
||||
Reference in New Issue
Block a user