{"id":13717332,"url":"https://github.com/phylum-dev/phylum-analyze-pr-action","last_synced_at":"2025-12-29T02:58:02.967Z","repository":{"id":37597646,"uuid":"441268530","full_name":"phylum-dev/phylum-analyze-pr-action","owner":"phylum-dev","description":"GitHub Action to analyze Pull Requests for open-source supply chain issues","archived":false,"fork":false,"pushed_at":"2025-01-14T16:52:20.000Z","size":183,"stargazers_count":15,"open_issues_count":0,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-02-16T02:46:45.492Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phylum-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-23T18:46:30.000Z","updated_at":"2025-01-14T16:52:22.000Z","dependencies_parsed_at":"2023-11-14T23:29:46.665Z","dependency_job_id":"4b1aaa54-9193-4ea0-bdd2-a5190fc0ac87","html_url":"https://github.com/phylum-dev/phylum-analyze-pr-action","commit_stats":{"total_commits":87,"total_committers":4,"mean_commits":21.75,"dds":"0.13793103448275867","last_synced_commit":"53d203dd18c41350a673bcc236aa05337eb6edf3"},"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-analyze-pr-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-analyze-pr-action/tags","releases_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-analyze-pr-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-analyze-pr-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phylum-dev","download_url":"https://codeload.github.com/phylum-dev/phylum-analyze-pr-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243418614,"owners_count":20287798,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T00:01:20.876Z","updated_at":"2025-12-29T02:58:02.961Z","avatar_url":"https://github.com/phylum-dev.png","language":null,"funding_links":[],"categories":["Dependency intelligence"],"sub_categories":["SCA and SBOM"],"readme":"# Phylum Analyze PR action\n\n[![GitHub](https://img.shields.io/github/license/phylum-dev/phylum-analyze-pr-action)][license]\n[![GitHub issues](https://img.shields.io/github/issues/phylum-dev/phylum-analyze-pr-action)][issues]\n![GitHub last commit](https://img.shields.io/github/last-commit/phylum-dev/phylum-analyze-pr-action)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)][CoC]\n\nA GitHub Action to analyze dependencies with Phylum to protect your code against increasingly sophisticated attacks and get peace of mind to focus on your work.\n\n[license]: https://github.com/phylum-dev/phylum-analyze-pr-action/blob/main/LICENSE\n[issues]: https://github.com/phylum-dev/phylum-analyze-pr-action/issues\n[CoC]: 
https://github.com/phylum-dev/phylum-analyze-pr-action/blob/main/CODE_OF_CONDUCT.md\n\n## Overview\n\nPhylum provides a complete risk analysis of \"open-source packages\" (read: untrusted software from random Internet\nstrangers). Phylum evolved forward from legacy SCA tools to defend against supply-chain malware, malicious open-source\nauthors, and engineering risk, in addition to software vulnerabilities and license risks. To learn more, please see\n[our website](https://phylum.io).\n\nOnce configured for a repository, this action will provide analysis of project dependencies from lockfiles or manifests\nduring a Pull Request (PR) and output the results as a comment on the PR unless the option to skip comments is provided.\nThe CI job will return an error (i.e., fail the build) if any of the newly added/modified dependencies from the PR fail\nto meet the established policy unless audit mode is specified.\n\nThere will be no comment if no dependencies were added or modified for a given PR.\nThere will be no comment when the results of the analysis are successful.\nIf one or more dependencies are still processing (no results available), then the comment will make that clear and the\nCI job will only fail if dependencies that have _completed analysis results_ do not meet the active policy.\n\n## Prerequisites\n\nThe GitHub Actions environment is primarily supported through the use of a Docker image.\nThe prerequisites for using this image are:\n\n* Ability to run a [Docker container action][container]\n  * GitHub-hosted runners must use an Ubuntu runner\n  * Self-hosted runners must use a Linux operating system and have Docker installed\n* Access to the `phylum-dev/phylum-ci` Docker image from the [GitHub Container Registry][package]\n* A [GitHub token][gh_token] with API access\n  * Not required when comment generation has been skipped\n  * Can be the default `GITHUB_TOKEN` provided automatically at the start of each workflow run\n    * Needs at least write access for 
`pull-requests` scope - see [documentation][scopes]\n  * Can be a personal access token (PAT) - see [documentation][PAT]\n    * Needs the `repo` scope or minimally the `public_repo` scope if private repositories are not used\n* A [Phylum token][phylum_tokens] with API access\n  * [Contact Phylum][phylum_contact] or [register][app_register] to gain access\n    * See also [`phylum auth register`][phylum_register] command documentation\n  * Consider using a bot or group account for this token\n  * Forked repos require the `pull_request_target` event to allow secret access\n* Access to the Phylum API endpoints\n  * That usually means a connection to the internet, optionally via a proxy\n  * Support for on-premises installs is not available at this time\n\n[container]: https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action\n[package]: https://github.com/phylum-dev/phylum-ci/pkgs/container/phylum-ci\n[gh_token]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication\n[scopes]: https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes\n[PAT]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[phylum_contact]: https://phylum.io/contact-us\n[app_register]: https://app.phylum.io/register\n[phylum_tokens]: https://docs.phylum.io/knowledge_base/api-keys\n[phylum_register]: https://docs.phylum.io/cli/commands/phylum_auth_register\n\n## Supported Dependency Files\n\nIf not explicitly specified, an attempt will be made to automatically detect dependency files. These include both\nlockfiles and manifests. 
The basic difference is that manifests are where top-level dependencies are specified in their\nloose form while lockfiles contain the completely resolved collection of the abstract declarations from a manifest.\n\nSome dependency file types (e.g., Python/pip `requirements.txt`) are ambiguous in that they can be named differently\nand may or may not contain strict dependencies. That is, they can be either a lockfile or a manifest. We call these\n\"[lockifests].\" Some dependency files fail to parse as the expected lockfile type (e.g., `pip` instead of `poetry` for\n`pyproject.toml` manifests).\n\nFor these situations, the recommendation is to specify the path and lockfile type explicitly in a\n[`.phylum_project` file] at the root of the project repository. The easiest way to do that is with the Phylum CLI,\nusing the [`phylum init` command][phylum_init] and committing the generated `.phylum_project` file.\n\nThe Phylum Knowledge Base contains the list of currently [supported lockfiles][supported_lockfiles]. 
It is also where\ninformation on [lockfile generation][lockfile_generation] can be found for current manifest file support.\n\n[lockifests]: https://docs.phylum.io/cli/lockfile_generation#lockifests\n[`.phylum_project` file]: https://docs.phylum.io/knowledge_base/phylum_project_files\n[phylum_init]: https://docs.phylum.io/cli/commands/phylum_init\n[supported_lockfiles]: https://docs.phylum.io/cli/supported_lockfiles\n[lockfile_generation]: https://docs.phylum.io/cli/lockfile_generation\n\n## Getting Started\n\nPhylum analysis of dependencies can be added to existing CI workflows or on its own with this minimal configuration:\n\n```yaml\nname: Phylum_analyze\non: pull_request\njobs:\n  analyze_deps:\n    name: Analyze dependencies with Phylum\n    permissions:\n      contents: read\n      pull-requests: write\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout the repo\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Analyze dependencies\n        uses: phylum-dev/phylum-analyze-pr-action@v2\n        with:\n          phylum_token: ${{ secrets.PHYLUM_TOKEN }}\n```\n\nThis configuration contains a single job, with two steps, that will only run on pull request events.\nIt provides debug output but otherwise does not override any of the `phylum-ci` arguments, which are all either\noptional or default to secure values. 
Let's take a deeper dive into each part of the configuration:\n\n### Workflow and Job names\n\nThe workflow and job names can be named differently or included in existing workflows/jobs.\n\n```yaml\nname: Phylum_analyze                        # Name the workflow what you like\non: pull_request\njobs:\n  analyze_deps:                             # Name the job what you like\n    name: Analyze dependencies with Phylum  # This name is optional (defaults to job name)\n```\n\n### Workflow trigger\n\nThe Phylum Analyze PR action expects to be run in the context of a [`pull_request` webhook event][pr_hook].\nThis includes both [`pull_request`][pr] and [`pull_request_target`][prt] events.\n\n[pr_hook]: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request\n[pr]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request\n[prt]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target\n\n```yaml\n# NOTE: These are examples. 
Only one definition for `on` is expected.\n\n# Specify the `pull_request` event trigger on one line\non: pull_request\n\n# Alternative to specify `pull_request` trigger (e.g., when other triggers are present)\non:\n  pull_request:\n\n# Specify specific branches for the `pull_request` trigger to target\non:\n  pull_request:\n    branches:\n      - main\n      - develop\n```\n\nAllowing pull requests from forked repositories requires using the `pull_request_target` event since the Phylum API\nkey is stored as a secret and the `pull_request` event does not provide access to secrets when the PR comes from a\nfork.\n\n```yaml\non:\n  pull_request:\n  # Allow PRs from forked repos to access secrets, like the Phylum API key\n  pull_request_target:\n```\n\n\u003e ⚠️ **WARNING** ⚠️\n\u003e\n\u003e Using the `pull_request_target` event for forked repositories requires additional configuration when\n\u003e [checking out the repo](#checking-out-the-repository). Be aware that such a configuration has security implications\n\u003e if done improperly. 
Attackers may be able to obtain repository write permissions or steal repository secrets.\n\u003e Please take the time to understand and mitigate the risks:\n\u003e\n\u003e * GitHub Security Lab: [\"Preventing pwn requests\"][gh_pwn]\n\u003e * GitGuardian: [\"GitHub Actions Security Best Practices\"][gha_security]\n\u003e\n\u003e Minimal suggestions include:\n\u003e\n\u003e * Use a separate workflow for the Phylum Analyze PR action\n\u003e * Do not provide access to any secrets beyond the Phylum API key\n\u003e * Limit the steps in the job to two: checking out the PR's code and using the Phylum action\n\n[gh_pwn]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/\n[gha_security]: https://blog.gitguardian.com/github-actions-security-cheat-sheet/\n\n### Permissions\n\nWhen using the default `GITHUB_TOKEN` provided automatically at the start of each workflow run, it is good practice to\nensure the actions used in the workflow are given the least privileges needed to perform their intended function.\nThe Phylum Analyze PR action needs at least write access for the `pull-requests` scope.\nThe `actions/checkout` action needs at least read access for the `contents` scope.\nSee the [GitHub documentation][scopes] for more info.\n\n```yaml\n    permissions:                # Ensure least privilege of actions\n      contents: read            # For actions/checkout\n      pull-requests: write      # For phylum-dev/phylum-analyze-pr-action\n```\n\nWhen using a personal access token (PAT) instead, the token should be created with the `repo` scope or\nminimally with the `public_repo` scope if private repositories will not be used with the PAT.\nSee the [GitHub documentation][PAT] for more info.\nNote that the classic `repo` scope grants full control of every repository the token's account can access, far more\nthan `pull-requests: write`, so pair such a PAT with a dedicated bot account that has the minimum repository access.\n\n```yaml\n    permissions:                # Ensure least privilege of actions\n      contents: read            # For actions/checkout\n      # The phylum-dev/phylum-analyze-pr-action does not\n      # need the `pull-requests` scope here if using a 
PAT\n```\n\n### Specifying a Runner\n\nThe Phylum Analyze PR action is a [Docker container action][container].\nThis requires that [GitHub-hosted runners][runners] use an Ubuntu runner.\nSelf-hosted runners must use a Linux operating system and have Docker installed.\n\n[runners]: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners\n\n```yaml\n    runs-on: ubuntu-latest\n```\n\n### Checking out the Repository\n\n`git` is used within the `phylum-ci` package to do things like determine if there was a dependency file change and,\nwhen specified, report on new dependencies only. Therefore, a clone of the repository is required to ensure that\nthe local working copy is always pristine and history is available to pull the requested information.\n\n```yaml\n    steps:\n      - name: Checkout the repo\n        uses: actions/checkout@v4\n        with:\n          # Specifying a depth of 0 ensures all history for all branches.\n          # This input may not be required when `--all-deps` option is used.\n          fetch-depth: 0\n```\n\nAllowing pull requests from forked repositories [requires using the `pull_request_target` event](#workflow-trigger)\nand checking out the head of the forked repository:\n\n```yaml\n    steps:\n      - name: Checkout the repo\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n          # Specifying the head of the forked repository's PR branch\n          # is required to get any proposed dependency file changes.\n          ref: ${{ github.event.pull_request.head.sha }}\n```\n\n\u003e ⚠️ **WARNING** ⚠️\n\u003e\n\u003e Using the `pull_request_target` event for forked repositories and checking out the pull request's code has security\n\u003e implications if done improperly. Attackers may be able to obtain repository write permissions or steal repository\n\u003e secrets. 
Please take the time to understand and mitigate the risks:\n\u003e\n\u003e * GitHub Security Lab: [\"Preventing pwn requests\"][gh_pwn]\n\u003e * GitGuardian: [\"GitHub Actions Security Best Practices\"][gha_security]\n\u003e\n\u003e Minimal suggestions include:\n\u003e\n\u003e * Use a separate workflow for the Phylum Analyze PR action\n\u003e * Do not provide access to any secrets beyond the Phylum API key\n\u003e * Limit the steps in the job to two: checking out the PR's code and using the Phylum action\n\n### Action Inputs\n\nThe action inputs are used to ensure the `phylum-ci` tool is able to perform its job.\n\nA [Phylum token][phylum_tokens] with API access is required to perform analysis on project dependencies.\n[Contact Phylum][phylum_contact] or [register][app_register] to gain access.\nSee also [`phylum auth register`][phylum_register] command documentation and consider\nusing a bot or group account for this token.\n\nA [GitHub token][gh_token] with API access is required to use the API (e.g., to post comments).\nIt is not required when comment generation has been skipped (e.g., when in audit mode).\nThis can be the default `GITHUB_TOKEN` provided automatically at the start of each workflow run but it will need at\nleast write access for the `pull-requests` scope (see [documentation][scopes]).\nAlternatively, it can be a [personal access token (PAT)][PAT] with the `repo` scope or minimally the `public_repo`\nscope, if private repositories are not used.\n\nThe values for the `phylum_token` and `github_token` action inputs can come from repository, environment, or\norganizational [encrypted secrets][encrypted_secrets].\nSince they are sensitive, **care should be taken to protect them appropriately**.\n\nThe `cmd` arguments to the Docker image are the way to exert control over the execution of the Phylum analysis. The\n`phylum-ci` script entry point is expected to be called. It has a number of arguments that are all optional and\ndefaulted to secure values. 
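
The trigger, permissions, checkout and token guidance above, together with the two warnings about `pull_request_target`, amount to a checklist that can be applied to a workflow file before it is merged. The script below is an added example written for this page; it is not code from the phylum-analyze-pr-action project or from `phylum-ci`. It assumes the secret is named `PHYLUM_TOKEN` as in the examples above, scans the workflow text with line-oriented regular expressions instead of a YAML parser (adequate for the flat workflows shown here, not for arbitrary YAML), and embeds two constructed sample workflows: the recommended fork-friendly shape, and the same shape with the mistakes the warnings describe.

```python
# Added example, not part of phylum-dev/phylum-analyze-pr-action or phylum-ci:
# a line-oriented lint for the workflow shape this README recommends.  It uses
# regexes on the workflow text rather than a YAML parser so it needs only the
# standard library; that is adequate for the flat workflows shown on this page.
import re

# Secret names the page's examples legitimately reference (PHYLUM_TOKEN is the
# secret name used in the examples above; GITHUB_TOKEN is runner-provided).
ALLOWED_SECRETS = {'GITHUB_TOKEN', 'PHYLUM_TOKEN'}
ALLOWED_WRITE_SCOPES = {'pull-requests'}   # the only write scope the action needs
MAX_STEPS = 2                              # checkout + Phylum action

_COMMENT = re.compile(r'(^|\s)#.*$', re.M)
_HEAD_REF = re.compile(r'github\.event\.pull_request\.head\.(sha|ref)')
_SECRET = re.compile(r'secrets\.([A-Za-z0-9_]+)')
_STEP = re.compile(r'^\s*-\s+(name|uses|run):', re.M)
_PERMISSION = re.compile(r'^\s*([a-z-]+):\s*(read|write|none)\s*$', re.M)
_PHYLUM_TOKEN_INPUT = re.compile(r'^\s*phylum_token:\s*\$\{\{\s*secrets\.', re.M)


def strip_comments(text):
    # Drop '# ...' comments so prose in a comment cannot trigger a finding.
    return _COMMENT.sub(r'\1', text)


def baseline_findings(body):
    # Checks that apply to every Phylum workflow on this page.
    findings = []
    if not re.search(r'\bpull_request(_target)?\b', body):
        findings.append('not triggered by pull_request or pull_request_target')
    if not re.search(r'^\s*fetch-depth:\s*0\s*$', body, re.M):
        findings.append('checkout lacks fetch-depth: 0, so phylum-ci cannot diff history')
    if not _PHYLUM_TOKEN_INPUT.search(body):
        findings.append('phylum_token is not supplied from an encrypted secret')
    return findings


def fork_findings(body):
    # Mitigation checks that matter only when untrusted PR code is checked out
    # under pull_request_target (the pwn-request pattern the warnings describe).
    if not re.search(r'\bpull_request_target\b', body) or not _HEAD_REF.search(body):
        return []  # only base-branch code runs, so the mitigations do not apply
    findings = []
    extra_secrets = sorted(set(_SECRET.findall(body)) - ALLOWED_SECRETS)
    if extra_secrets:
        findings.append('secrets beyond the Phylum API key: ' + ', '.join(extra_secrets))
    writes = {scope for scope, level in _PERMISSION.findall(body) if level == 'write'}
    extra_writes = sorted(writes - ALLOWED_WRITE_SCOPES)
    if extra_writes:
        findings.append('write permission beyond pull-requests: ' + ', '.join(extra_writes))
    steps = len(_STEP.findall(body))
    if steps > MAX_STEPS:
        findings.append(f'{steps} steps run on the untrusted checkout; keep to checkout + Phylum action')
    return findings


def audit_workflow(text):
    # Empty list means the workflow matches the README guidance as far as
    # these text checks can tell.
    body = strip_comments(text)
    return baseline_findings(body) + fork_findings(body)


# Constructed sample: the README's fork-friendly workflow, done as recommended.
SAFE_FORK_WORKFLOW = '''
name: Phylum_analyze
on:
  pull_request_target:
jobs:
  analyze_deps:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Analyze dependencies
        uses: phylum-dev/phylum-analyze-pr-action@v2
        with:
          phylum_token: ${{ secrets.PHYLUM_TOKEN }}
'''

# Constructed sample: same trigger and checkout, but with the mistakes the
# warnings describe (an extra secret, contents: write, and a third step that
# runs the untrusted tree's package scripts).
UNSAFE_FORK_WORKFLOW = SAFE_FORK_WORKFLOW.replace(
    'contents: read', 'contents: write'
) + '''      - name: Install
        run: npm ci
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
'''

if __name__ == '__main__':
    for name, workflow in (('safe', SAFE_FORK_WORKFLOW), ('unsafe', UNSAFE_FORK_WORKFLOW)):
        print(name, audit_workflow(workflow) or ['ok'])
```

Run it as a script to print the findings for both samples, or call `audit_workflow()` on the text of your own `.github/workflows/*.yml` from a pre-commit hook. One design choice is worth noting: a `pull_request_target` workflow that never checks out the PR head is not flagged by `fork_findings`, because the job then runs only base-branch code; injection through PR metadata such as titles or branch names is a separate concern this lint does not cover.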
To view the arguments, their description, and default values, run the script with `--help`\noutput as specified in the [Usage section of the `phylum-dev/phylum-ci` repository's README][usage] or more simply\nview the [script options output][script_options] for the latest release.\n\n[encrypted_secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets\n[usage]: https://github.com/phylum-dev/phylum-ci#usage\n[script_options]: https://github.com/phylum-dev/phylum-ci/blob/main/docs/script_options.md\n\n```yaml\n    steps:\n      - name: Analyze dependencies\n        uses: phylum-dev/phylum-analyze-pr-action@v2\n        with:\n          # Contact Phylum (phylum.io/contact-us) or register (app.phylum.io/register)\n          # to gain access. Consider using a bot or group account for this token. See:\n          # https://docs.phylum.io/knowledge_base/api-keys\n          phylum_token: ${{ secrets.PHYLUM_TOKEN }}\n\n          # NOTE: These are examples. Specify at most one `github_token` entry line.\n          #\n          # Use the default `GITHUB_TOKEN` provided automatically at the start\n          # of each workflow run. This entry is optional since it is the default.\n          github_token: ${{ secrets.GITHUB_TOKEN }}\n          # Use a personal access token (PAT)\n          github_token: ${{ secrets.GITHUB_PAT }}\n\n          # NOTE: These are examples. Only one `cmd` entry line is expected.\n          #\n          # Use the defaults for all the arguments and provide debug level output.\n          # The default behavior is to only analyze newly added dependencies\n          # against the active policy set at the Phylum project level.\n          # This entry does not have to be specified since it is the default.\n          cmd: phylum-ci -vv\n          # Same as the previous entry, but without debug level output.\n          cmd: phylum-ci\n          # Consider all dependencies in analysis results instead of just the\n          # newly added ones. 
The default is to only analyze newly added\n          # dependencies, which can be useful for existing code bases that may\n          # not meet established policy rules yet, but don't want to make things\n          # worse. Specifying `--all-deps` can be useful for casting the widest\n          # net for strict adherence to Quality Assurance (QA) standards.\n          cmd: phylum-ci --all-deps\n          # Force analysis for all dependencies in a manifest file.\n          # This is especially useful for *workspace* manifest files where\n          # there is no companion lockfile (e.g., libraries).\n          cmd: phylum-ci --force-analysis --all-deps --depfile Cargo.toml\n          # Some lockfile types (e.g., Python/pip `requirements.txt`) are ambiguous\n          # in that they can be named differently and may or may not contain strict\n          # dependencies. In these cases it is best to specify an explicit path,\n          # either with the `--depfile` option or in a `.phylum_project` file:\n          # https://docs.phylum.io/knowledge_base/phylum_project_files\n          # The easiest way to do that is with the Phylum CLI, using the\n          # `phylum init` (https://docs.phylum.io/cli/commands/phylum_init) command\n          # and committing the generated `.phylum_project` file.\n          cmd: phylum-ci --depfile requirements-prod.txt\n          # Specify multiple explicit dependency file paths.\n          cmd: phylum-ci --depfile requirements-prod.txt path/to/dependency.file\n          # Exclude dependency files by gitignore-style pattern.\n          cmd: phylum-ci --exclude \"requirements-*.txt\"\n          # Specify multiple exclusion patterns.\n          cmd: phylum-ci --exclude \"build.gradle\" \"tests/fixtures/\"\n          cmd: |\n            phylum-ci \\\n              --exclude \"/requirements-*.txt\" \\\n              --exclude \"build.gradle\" \"fixtures/\"\n          # Perform analysis as part of an organization and/or group-owned project.\n  
        # When an org is specified, a group name must also be specified.\n          cmd: phylum-ci --org my_org --group my_group\n          cmd: phylum-ci --group my_group\n          # Analyze all dependencies in audit mode,\n          # to gain insight without failing builds.\n          cmd: phylum-ci --all-deps --audit\n          # Install a specific version of the Phylum CLI.\n          cmd: phylum-ci --phylum-release 6.5.0 --force-install\n          # Mix and match for your specific use case.\n          cmd: |\n            phylum-ci \\\n              -vv \\\n              --org my_org \\\n              --group my_group \\\n              --depfile requirements-dev.txt \\\n              --depfile requirements-prod.txt path/to/dependency.file \\\n              --depfile Cargo.toml \\\n              --force-analysis \\\n              --all-deps\n```\n\n### Exit Codes\n\nThe Phylum Analyze PR action will return a zero (0) exit code when it completes successfully and a non-zero code\notherwise. 
The full and current list of exit codes is [documented here][exit_codes] and \"Output Modification\"\n[options exist][script_options] to be strict or loose with setting them.\n\n[exit_codes]: https://github.com/phylum-dev/phylum-ci#exit-codes\n\n## Example Comments\n\n\u003e **NOTE:** Comments will not be shown when in audit mode or when comments are explicitly skipped.\n\u003e Analysis output will still be available in the logs.\n\n---\n\nPhylum OSS Supply Chain Risk Analysis - FAILED\n\n![image](https://user-images.githubusercontent.com/18729796/232164049-0e394d1f-f709-403f-a12c-2fe26adfbb37.png)\n\n---\n\nPhylum OSS Supply Chain Risk Analysis - INCOMPLETE WITH FAILURE\n\n![image](https://user-images.githubusercontent.com/18729796/232165295-61a4800b-0f3b-46b8-9c4b-1215b1aab83a.png)\n\n---\n\nPhylum OSS Supply Chain Risk Analysis - INCOMPLETE\n\n![image](https://user-images.githubusercontent.com/18729796/232165075-25116fb4-7706-4ebf-948c-9b593c7cd28b.png)\n\n---\n\n## Alternatives\n\nThe default `phylum-ci` Docker image contains `git` and the installed `phylum` Python package. It also contains an\ninstalled version of the Phylum CLI and all required tools needed for [lockfile generation][lockfile_generation].\nAn advantage of using the default Docker image is that the complete environment is packaged and made available with\ncomponents that are known to work together.\n\nOne disadvantage to the default image is its size. It can take a while to download and may provide more tools than\nrequired for your specific use case. Special `slim` tags of the `phylum-ci` image are provided as an alternative.\nThese tags differ from the default image in that they do not contain the required tools needed for\n[lockfile generation][lockfile_generation] (with the exception of the `pip` tool). The `slim` tags are significantly\nsmaller and allow for faster action run times. 
They are useful for those instances where **no** manifest files are\npresent and/or **only** lockfiles are used.\n\nUsing the slim image tags is possible by altering your workflow to use the image directly instead of this GitHub\nAction. That is possible with either [container jobs](#container-jobs) or [container steps](#container-steps).\n\n### Container Jobs\n\nGitHub Actions allows for workflows to run a job within a container, using the `container:` statement in the workflow\nfile. These are known as container jobs. More information can be found in GitHub documentation:\n[\"Running jobs in a container\"][container_job]. To use a `slim` tag in a container job, use this minimal configuration:\n\n```yaml\nname: Phylum_analyze\non: pull_request\njobs:\n  analyze_deps:\n    name: Analyze dependencies with Phylum\n    permissions:\n      contents: read\n      pull-requests: write\n    runs-on: ubuntu-latest\n    container:\n      image: docker://ghcr.io/phylum-dev/phylum-ci:slim\n      env:\n        GITHUB_TOKEN: ${{ github.token }}\n        PHYLUM_API_KEY: ${{ secrets.PHYLUM_TOKEN }}\n    steps:\n      - name: Checkout the repo\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Analyze dependencies\n        run: phylum-ci -vv\n```\n\nThe `image:` value is set to the latest slim image, but other tags are available to ensure a specific release of the\n`phylum-ci` project and a specific version of the Phylum CLI. The full list of available `phylum-ci` image tags can be\nviewed on [GitHub Container Registry][ghcr_tags] (preferred) or [Docker Hub][docker_hub_tags].\n\nThe `GITHUB_TOKEN` and `PHYLUM_API_KEY` environment variables are required to have those exact names. 
The rest of the\noptions are the same as [already documented](#getting-started).\n\n[container_job]: https://docs.github.com/actions/using-jobs/running-jobs-in-a-container\n[ghcr_tags]: https://github.com/phylum-dev/phylum-ci/pkgs/container/phylum-ci\n[docker_hub_tags]: https://hub.docker.com/r/phylumio/phylum-ci/tags\n\n### Container Steps\n\nGitHub Actions allows for workflows to run a step within a container, by specifying that container image in the `uses:`\nstatement of the workflow step. These are known as container steps. More information can be found in\n[GitHub workflow syntax documentation][container_step]. To use a `slim` tag in a container step, use this minimal\nconfiguration:\n\n```yaml\nname: Phylum_analyze\non: pull_request\njobs:\n  analyze_deps:\n    name: Analyze dependencies with Phylum\n    permissions:\n      contents: read\n      pull-requests: write\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout the repo\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Analyze dependencies\n        uses: docker://ghcr.io/phylum-dev/phylum-ci:slim\n        env:\n          GITHUB_TOKEN: ${{ github.token }}\n          PHYLUM_API_KEY: ${{ secrets.PHYLUM_TOKEN }}\n        with:\n          args: phylum-ci -vv\n```\n\nThe `uses:` value is set to the latest slim image, but other tags are available to ensure a specific release of the\n`phylum-ci` project and a specific version of the Phylum CLI. The full list of available `phylum-ci` image tags can be\nviewed on [GitHub Container Registry][ghcr_tags] (preferred) or [Docker Hub][docker_hub_tags].\n\nThe `GITHUB_TOKEN` and `PHYLUM_API_KEY` environment variables are required to have those exact names. 
The rest of the\noptions are the same as [already documented](#getting-started).\n\n[container_step]: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses\n\n## FAQs\n\n\u003e 💡 **INFO** 💡\n\u003e\n\u003e There are more FAQs in the [Phylum Knowledge Base][phylum_kb].\n\n[phylum_kb]: https://docs.phylum.io/knowledge_base/faq\n\n### Why does Phylum report a failing status check if it shows successful analysis?\n\nIt is possible to get a successful Phylum analysis on the PR **and also** have the Phylum action report a failing\nstatus check. This happens when one or more dependency files fail the filtering process while at least one\ndependency file passes the filtering process **and** the Phylum analysis.\n\nThe failing status check is meant to serve as an indication to the repository owner that an issue exists with at least\none of the dependency files submitted, whether they intended it or not. The reasoning is that it is better to be\nexplicit about possible failures, allowing for review of the logs and correction, than to silently ignore the failure\nand possibly allow untrusted code into the repository. An [option is provided][script_options] to explicitly ignore\nnon-analysis warnings and errors that would otherwise affect the exit code.\n\nThere are several reasons a dependency file may fail the filtering process and each failure will be included in the logs\nas a warning. The file may not exist or it may exist, but only as an empty file. The file may fail to be parsed by\nPhylum. The dependency files can be manifests or lockfiles and they can either be provided explicitly or automatically\ndetected when not provided. Sometimes the automatic detection will misattribute a file as a manifest or assign the wrong\nlockfile type. 
As detailed in the [\"Supported Dependency Files\"](#supported-dependency-files) section, the\nrecommendation for this situation is to specify the path and lockfile type explicitly in a [`.phylum_project` file] at\nthe root of the project repository.\n\n### Why does analysis fail for PRs from forked repositories?\n\nAnother reason why Phylum reports\n[failing status checks](#why-does-phylum-report-a-failing-status-check-if-it-shows-successful-analysis) is for\n`pull_request_target` events where manifests are provided. Using `pull_request_target` events for forked repositories\nhas security implications if done improperly. Attackers may be able to obtain repository write permissions or steal\nrepository secrets. A more comprehensive enumeration of the risks can be found here:\n\n* GitHub Security Lab: [\"Preventing pwn requests\"][gh_pwn]\n* GitGuardian: [\"GitHub Actions Security Best Practices\"][gha_security]\n\nThis GitHub action disables lockfile generation to prevent arbitrary code execution in an untrusted context, like PRs\nfrom forks. This means that provided manifests are unable to be parsed by Phylum since parsing first requires generating\na lockfile from the manifest. A unique error code and warning message is provided so as to better signal the\nimplication: the resolved dependencies from the manifest have NOT been analyzed by Phylum. Care should be taken to\ninspect changes manually before allowing a manifest to be used in a trusted context.\n\n## License\n\nCopyright (C) 2022  Phylum, Inc.\n\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public\nLicense as published by the Free Software Foundation, either version 3 of the License or any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied\nwarranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program.\nIf not, see \u003chttps://www.gnu.org/licenses/gpl.html\u003e or write to `support@veracode.com`.\n\n## Contributing\n\nSuggestions and help are welcome. Feel free to open an issue or otherwise contribute.\nMore information is available on the [contributing documentation][contributing] page.\n\n[contributing]: https://github.com/phylum-dev/phylum-analyze-pr-action/blob/main/CONTRIBUTING.md\n\n## Code of Conduct\n\nEveryone participating in the `phylum-analyze-pr-action` project, and in particular in the issue tracker and pull\nrequests, is expected to treat other people with respect and more generally to follow the guidelines articulated in the\n[Code of Conduct][CoC].\n\n## Security Disclosures\n\nFound a security issue in this repository? See the [security policy][security]\nfor details on coordinated disclosure.\n\n[security]: https://github.com/phylum-dev/phylum-analyze-pr-action/blob/main/SECURITY.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fphylum-analyze-pr-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphylum-dev%2Fphylum-analyze-pr-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fphylum-analyze-pr-action/lists"}