{"id":20189380,"url":"https://github.com/redhat-actions/crda","last_synced_at":"2025-06-26T22:33:26.312Z","repository":{"id":38455516,"uuid":"390247570","full_name":"redhat-actions/crda","owner":"redhat-actions","description":"Scan your project's dependencies with Code Ready Dependency Analytics","archived":false,"fork":false,"pushed_at":"2022-12-29T14:27:57.000Z","size":1040,"stargazers_count":15,"open_issues_count":2,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-04T20:57:46.076Z","etag":null,"topics":["crda","github-actions","sarif-report","security","security-analysis","security-automation"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/codeready-dependency-analytics","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-28T06:58:13.000Z","updated_at":"2025-02-22T23:52:42.000Z","dependencies_parsed_at":"2023-01-11T17:21:32.450Z","dependency_job_id":null,"html_url":"https://github.com/redhat-actions/crda","commit_stats":{"total_commits":106,"total_committers":2,"mean_commits":53.0,"dds":"0.23584905660377353","last_synced_commit":"6310ee94a6ac8f76b4152b7267c6cd7f1277052c"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/redhat-actions/crda","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fcrda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fcrda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/redhat-actions%2Fcrda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fcrda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-actions","download_url":"https://codeload.github.com/redhat-actions/crda/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-actions%2Fcrda/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260768873,"owners_count":23059957,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crda","github-actions","sarif-report","security","security-analysis","security-automation"],"created_at":"2024-11-14T03:36:33.423Z","updated_at":"2025-06-26T22:33:26.237Z","avatar_url":"https://github.com/redhat-actions.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CodeReady Dependency Analytics (crda)\n\n[![CI Checks](https://github.com/redhat-actions/crda/actions/workflows/ci.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/ci.yml)\n[![Link checker](https://github.com/redhat-actions/crda/actions/workflows/link_checker.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/link_checker.yml)\n\u003cbr\u003e\n\u003cbr\u003e\n[![Scan Golang project](https://github.com/redhat-actions/crda/actions/workflows/scan_go.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/scan_go.yml)\n[![Scan Java 
project](https://github.com/redhat-actions/crda/actions/workflows/scan_java.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/scan_java.yml)\n[![Scan Node projects](https://github.com/redhat-actions/crda/actions/workflows/scan_node.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/scan_node.yml)\n[![Scan Python project](https://github.com/redhat-actions/crda/actions/workflows/scan_python.yml/badge.svg)](https://github.com/redhat-actions/crda/actions/workflows/scan_python.yml)\n\u003cbr\u003e\n\u003cbr\u003e\n[![tag badge](https://img.shields.io/github/v/tag/redhat-actions/crda)](https://github.com/redhat-actions/crda/tags)\n[![license badge](https://img.shields.io/github/license/redhat-actions/crda)](./LICENSE)\n[![size badge](https://img.shields.io/github/size/redhat-actions/crda/dist/index.js)](./dist)\n\n**crda** is a GitHub Action which uses [**CodeReady Dependency Analytics**](https://github.com/fabric8-analytics/cli-tools/blob/main/docs/cli_README.md) to analyze vulnerabilities in a project's dependencies.\n\nThe scan's result is uploaded to the GitHub repository as a [SARIF](https://sarifweb.azurewebsites.net/) file, and vulnerabilities found are reported to repository maintainers in the **Security** tab.\n\nCRDA supports Go, Java, Node.js, and Python projects.\n\nCRDA is [integrated with Snyk](https://snyk.io/blog/snyk-integration-with-red-hat-codeready-dependency-analytics/) to provide excellent analysis by referencing a database of known vulnerabilities.\n\nRead more about CRDA in [this blog post](https://developers.redhat.com/blog/2020/08/28/vulnerability-analysis-with-red-hat-codeready-dependency-analytics-and-snyk).\n\n\u003ca id=\"prerequisites\"\u003e\u003c/a\u003e\n\n## Configuration\n\nYou can refer to [the examples in this repository](./.github/workflows) for a simple example of scanning each supported language. Or, skip to the [example below](#example).\n\n### 1. 
Set up the tool stack\nUnless already done, you must set up the tool stack for your project.\n\nRefer to the setup actions for:\n  - [Go](https://github.com/actions/setup-go)\n  - [Java](https://github.com/actions/setup-java)\n  - [Node.js](https://github.com/actions/setup-node)\n  - [Python](https://github.com/actions/setup-python)\n\n### 2. Install the CRDA command line interface\nUse the [**OpenShift Tools Installer**](https://github.com/redhat-actions/openshift-tools-installer) to install the CRDA CLI from GitHub.\n\n```yaml\n- name: Install CRDA\n  uses: redhat-actions/openshift-tools-installer@v1\n  with:\n    source: github\n    crda: latest\n```\n\n\u003ca id=\"installing-dependencies\"\u003e\u003c/a\u003e\n### 3. Installing Dependencies\nThe project must have a dependencies manifest file which CRDA can read to install and analyze dependencies.\n\nBy default, CRDA will install dependencies using a standard command for the project type as described in the table below. This can be overridden with the `deps_install_cmd` input.\n\nUse the `manifest_directory` input if your project is not in the working directory. The install command will execute in this directory.\n\nUse the `manifest_file` input if your manifest file is named differently than the table below. The file must exist in the `manifest_directory`. 
If this input is omitted, the `manifest_directory` will be searched for the files in the table below.\n\nRefer to the [Action Inputs](#action-inputs) section for more information.\n\n| Project Type   | Default `manifest_file` | Default Install Command |\n| -------------- | --------------------- | ---------------------------- |\n| Go             | `go.mod`            | `go mod tidy`              |\n| Java           | `pom.xml`           | `mvn -ntp -B package`     |\n| Node.js (npm)  | `package.json`, `package-lock.json` | `npm ci` |\n| Node.js (yarn) | `package.json`, `yarn.lock` | `yarn install --frozen-lockfile` |\n| Python         | `requirements.txt` | `pip install -r requirements.txt` |\n\n\u003ca id=\"authentication\"\u003e\u003c/a\u003e\n### 4. Set Up Authentication\n\nFor authentication, you must provide either a CRDA Key or a Snyk Token.\n\n\u003c!-- markdown-link-check-disable-line --\u003e The token must be stored in a [repository secret](https://docs.github.com/en/actions/reference/encrypted-secrets).\n\n#### Snyk Token\n1. [Sign up for Snyk](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020\u0026utm_source=code_ready\u0026code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9).\n2. Click through the wizard. You do not need to provide it any permissions if you don't want to.\n3. Go to `Account settings` to find your Snyk Token (aka \"key\").\n4. Provide the token in the `snyk_token` input.\n\n#### CRDA Key (Optional)\n1. First, obtain a Snyk token.\n2. [Install the CRDA CLI locally](https://github.com/fabric8-analytics/cli-tools/blob/main/docs/cli_README.md).\n3. Run `crda auth`. Provide the Snyk token so the CRDA Key can also access the Snyk database.\n4. Extract the CRDA Key from the output or `$HOME/.crda/config.yaml`.\n5. Provide the CRDA Key in the `crda_key` input.\n\nYou only need to provide one of the two authentication tokens.\n\n\u003ca id=\"example\"\u003e\u003c/a\u003e\n## Example\n\nThe example workflow job below shows how the **crda** action can be used to scan for vulnerabilities in a Node.js project and upload the result to GitHub.\n\n```yaml\nsteps:\n- name: Checkout\n  uses: actions/checkout@v2\n  with:\n    repository: nodejs/examples\n\n- name: Set up Node.js\n  uses: actions/setup-node@v2\n  with:\n    node-version: '14'\n\n- name: Install CRDA\n  uses: redhat-actions/openshift-tools-installer@v1\n  with:\n    source: github\n    crda: latest\n\n- name: CRDA Scan\n  id: crda_scan\n  uses: redhat-actions/crda@v1\n  with:\n    crda_key: ${{ secrets.CRDA_KEY }}\n\n- name: Print Report Link\n  run: echo ${{ steps.crda_scan.outputs.report_link }}\n```\nThe following snapshot is an example of a CRDA run on a Node.js project.\n\n![Workflow run](./images/workflow_run.png)\n\n\u003ca id=\"action-inputs\"\u003e\u003c/a\u003e\n## Action Inputs\n\n| Input | Description | Default |\n| ----- | ----------- | --------- |\n| crda_key | Existing CRDA key to identify the existing user. | **Required** unless `snyk_token` is set |\n| snyk_token | Snyk token to be used to authenticate to CRDA. | **Required** unless `crda_key` is set |\n| analysis_report_name | Name of the analysis report files. A `.json` and a `.sarif` file will be created. | `crda_analysis_report` |\n| consent_telemetry | CRDA collects anonymous usage data. Enable this to help make CRDA better for our users. Refer to the [privacy statement](https://developers.redhat.com/article/tool-data-collection) for more details. | `false` |\n| deps_install_cmd | Command to use for the dependencies installation instead of using the default. | [View defaults](#installing-dependencies) |\n| fail_on | Configure if the workflow should fail if a vulnerability of this level or higher is found in the project. This can be `error` to fail only on errors, `warning` to fail on warnings or errors, or `never` to always pass the step. | `error` |\n| github_token | GitHub token used to upload the SARIF report to GitHub. The token must have `security_events` write permission. | [`${{ github.token }}`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#about-the-github_token-secret) \u003c!-- markdown-link-check-disable-line --\u003e |\n| manifest_directory | Path to the directory where the project's manifest is. | Working directory |\n| manifest_file | File name (basename) of the manifest file to use for analysis. This file must exist in the `manifest_directory`. If not specified, the action will scan the `manifest_directory` for any of the expected manifest files. | [View defaults](#installing-dependencies) |\n| upload_sarif | Whether or not to upload the generated SARIF file. If this is disabled, vulnerabilities will not be reported in the Security tab. | `true` |\n| upload_artifact | Upload the generated SARIF and JSON file as an artifact. | `true` |\n| artifact_name | File name of the artifact to upload. | `crda_report` |\n\n## Action Outputs\n\n- **crda_report_json**: Path to the generated CRDA analysis report in JSON format.\n- **crda_report_sarif**: Path to the generated CRDA analysis report in SARIF format.\n- **report_link**: CRDA analysis report link.\n- **artifact_name**: Name of the uploaded artifact.\n\n\u003ca id=\"pr-support\"\u003e\u003c/a\u003e\n\n## Scanning Pull Requests\n\nThis action can run CRDA scans on pull requests. Because the action must check out the pull request's code in order to scan it, the [`pull_request_target` trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target) must be used. \u003c!-- markdown-link-check-disable-line --\u003e\n\nSince the pull request's code will be checked out in order to install dependencies, repository maintainers must **manually verify** that the pull request does not include any malicious code before the scan can run. Maintainers can approve the CRDA scan by adding the `CRDA Scan Approved` label.\n\nEach time a new commit is pushed to the pull request, the `CRDA Scan Approved` label will be removed. A maintainer must review the code again and re-add the label, to prevent malicious code from executing due to the prior approval.\n\nAfter the CRDA scan is approved and the workflow runs, a label indicating the scan result will be added to the pull request.\n\nThe following snapshot shows vulnerability details in the GitHub UI for a pull request.\n\n![PR vulnerability details](./images/vul_details.png)\n\n\u003e **Note**: Pull requests authored by users with write access to the repository will automatically receive the `CRDA Scan Approved` label.\n\nUse the following snippet to enable pull request scans in your repository:\n```yaml\non:\n  pull_request_target:\n    # These types are all required for CRDA to scan pull requests correctly and securely.\n    types: [ opened, synchronize, reopened, labeled, edited ]\n```\n\nRead more about this action in this [Red Hat Developer blog post](https://developers.redhat.com/articles/2021/11/30/automate-dependency-analytics-github-actions).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-actions%2Fcrda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-actions%2Fcrda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-actions%2Fcrda/lists"}