This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
- Add a new YAML workflow to your
.github/workflowsfolder:
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
You can pass additional options to the Dependency Review Action using your workflow file. Here's an example workflow with all the possible configurations:
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-ClauseBy default the action will fail on any pull request that contains a
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the fail-on-severity option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: critical, high, moderate, or low. The
action defaults to low.
This example will only fail on pull requests with critical and high vulnerabilities:
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: highYou can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With allow-licenses you can define the list of licenses
your repository will accept. Alternatively, you can use deny-licenses to only
forbid a subset of licenses.
You can use the Licenses
API to see the full list of
supported licenses. Use the spdx_id field for every license you want
to filter. A couple of examples:
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0Important
- The action will only accept one of the two parameters; an error will be raised if you provide both.
- By default both parameters are empty (no license checking is performed).
- We don't have license information for all of your dependents. If we can't detect the license for a dependency we will inform you, but the action won't fail.
If you have bug reports, questions or suggestions please create a new issue.
We are grateful for any contributions made to this project.
Please read CONTRIBUTING.MD to get started.
This project is released under the MIT License.