Repository: RHEcosystemAppEng/rhda-github-action (https://github.com/RHEcosystemAppEng/rhda-github-action)
Description: This action reflects the Red Hat Dependency Analytics VSCode extension for Github Actions.
License: Apache-2.0. Default branch: main. Last push: 2024-05-22.

# Red Hat Dependency Analytics

[![CI Checks](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/ci.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/ci.yaml)
<br>
<br>
[![Scan Maven project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_maven.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_maven.yaml)
[![Scan Gradle project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_gradle.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_gradle.yaml)
[![Scan Npm project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_npm.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_npm.yaml)
[![Scan Golang project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_go.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_go.yaml)
[![Scan Python project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_python.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_python.yaml)
[![Scan Docker project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_docker.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_docker.yaml)
[![Scan Podman project](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_podman.yaml/badge.svg)](https://github.com/RHEcosystemAppEng/rhda-github-action/actions/workflows/scan_podman.yaml)
<br>
<br>
[![tag badge](https://img.shields.io/github/v/tag/RHEcosystemAppEng/rhda-github-action)](https://github.com/RHEcosystemAppEng/rhda-github-action/tags)
[![license badge](https://img.shields.io/github/license/RHEcosystemAppEng/rhda-github-action)](./LICENSE)
[![size badge](https://img.shields.io/github/size/RHEcosystemAppEng/rhda-github-action/dist/index.js)](./dist)

The Red Hat Dependency Analytics (RHDA) GitHub Action makes you aware of security concerns in your dependencies when you commit code to your GitHub repository.
The RHDA platform uses vulnerability data sources to report the most up-to-date vulnerability information available.

Dependency Analytics uploads the report to the GitHub repository as a workflow artifact and as a [SARIF](https://sarifweb.azurewebsites.net/) file.
Repository maintainers can find the discovered vulnerabilities on the **Security** tab, under code scanning alerts.

## Supported ecosystems

| Ecosystem | Required Binaries and Prerequisites | Supported Manifests / Files |
| --------- | ----------------------------------- | --------------------------- |
| <a href="https://www.java.com/">Java</a> - <a href="https://maven.apache.org/">Maven</a> | `mvn` | `pom.xml` |
| <a href="https://gradle.org/">Gradle</a> - <a href="https://gradle.org/install/">Gradle Installation</a> | `gradle` | `build.gradle` |
| <a href="https://www.javascript.com/">JavaScript</a> - <a href="https://www.npmjs.com/">Npm</a> | `npm` | `package.json` |
| <a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a> | `go` | `go.mod` |
| <a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> | `pip` | `requirements.txt` |
| [docker](https://docs.docker.com/get-docker/) | [`syft`](https://github.com/anchore/syft?tab=readme-ov-file#installation), [`skopeo`](https://github.com/containers/skopeo/blob/main/install.md), Java version 20 or later | Dockerfile |
| [Podman](https://podman.io/docs/installation) | [`syft`](https://github.com/anchore/syft?tab=readme-ov-file#installation), [`skopeo`](https://github.com/containers/skopeo/blob/main/install.md), Java version 20 or later | Containerfile |

In future releases, Red Hat plans to support other programming languages.

## Configuring RHDA GitHub Action

You can configure GitHub Actions to use RHDA for your coding environment.
You can see [examples of scanning](./.github/workflows) for each supported language, or you can use the example below.

* GitHub Actions for your environment:
  - [Go](https://github.com/actions/setup-go)
  - [Java](https://github.com/actions/setup-java)
  - [Node.js](https://github.com/actions/setup-node)
  - [Python](https://github.com/actions/setup-python)
  - For `syft` you can use the following script. It fetches the latest syft release from the `main` branch of the installer; for reproducible runs, pin a specific release as described in the linked syft installation docs:
    ```yaml
    - name: Setup syft
      run: |
        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    ```
  - For `skopeo` you can use the following script:
    ```yaml
    - name: Setup skopeo
      run: |
        sudo apt-get -y update
        sudo apt-get -y install skopeo
    ```

**Procedure**

1. Add the RHDA scanner to your project's GitHub Actions configuration:
   ```yaml
   - name: RHDA Scan
     id: rhda_scan
     uses: RHEcosystemAppEng/rhda-github-action@main
   ```

**Example**

This Node.js example shows how to use the RHDA scanner and upload the results to GitHub.

```yaml
steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: 20

    - name: RHDA Scan
      id: rhda_scan
      uses: RHEcosystemAppEng/rhda-github-action@main
```

An example screenshot of a Node.js RHDA scan:
![Workflow run](./images/workflow_run.png)

## Action Inputs

| Input | Description | Default |
| ----- | ----------- | ------- |
| `manifest_directory` | Path to the directory containing the `manifest_file`. | |
| `manifest_file` | Name (`basename`) of the manifest file to analyze. This file must exist in the `manifest_directory`. | |
| `rhda_report_name` | The saved file name of the Red Hat Dependency Analytics report. | `redhat-dependency-analytics-report` |
| `github_token` | GitHub token used to upload the SARIF file to GitHub. | [`${{ github.token }}`](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#about-the-github_token-secret) |
| `upload_sarif` | Upload the generated SARIF file. If you do not want to upload a SARIF file, set this input to `false`. | `true` |
| `upload_artifact` | Upload the generated RHDA report JSON file and SARIF file as an artifact. | `true` |
| `artifact_filename` | File name of the artifact to upload. | `redhat-dependency-analytics-report` |
| `fail_on` | Fail the workflow when a vulnerability of at least this severity is found. `error` fails the workflow only on `error`-level findings; `warning` fails it on either `error` or `warning` findings; `never` never fails the workflow. | `error` |
| `use_python_virtual_environment` | Automates the installation of missing packages in a Python virtual environment when set to `true`. | `false` |
| `use_go_mvs` | Use the Minimal Version Selection (MVS) algorithm to select the set of module versions to use when building Go packages. | `false` |
| `enable_python_best_efforts_installation` | Installs Python packages tailored to the Python version in use, disregarding the declared versions. This requires `match_manifest_version` set to `false` and `use_python_virtual_environment` set to `true`. | `false` |
| `use_pip_dep_tree` | Use the lightweight `pipdeptree` command line tool as the data source for building the Python dependency tree. This can significantly speed up the analysis. | `false` |
| `match_manifest_version` | Restricts RHDA from analyzing dependency versions that do not match the versions requested in the manifest files. | `false` |
| `mvn_executable_path` | Specifies the absolute path of the `mvn` binary. | `mvn` |
| `gradle_executable_path` | Specifies the absolute path of the `gradle` binary. | `gradle` |
| `npm_executable_path` | Specifies the absolute path of the `npm` binary. | `npm` |
| `go_executable_path` | Specifies the absolute path of the `go` binary. | `go` |
| `python3_executable_path` | Specifies the absolute path of the `python3` binary; `python3` takes precedence over `python`. | `python3` |
| `pip3_executable_path` | Specifies the absolute path of the `pip3` binary; `pip3` takes precedence over `pip`. | `pip3` |
| `python_executable_path` | Specifies the absolute path of the `python` binary; `python3` takes precedence over `python`. | `python` |
| `pip_executable_path` | Specifies the absolute path of the `pip` binary; `pip3` takes precedence over `pip`. | `pip` |
| `syft_executable_path` | Specifies the absolute path of the `syft` binary. | `syft` |
| `syft_config_path` | Specifies the absolute path to the Syft configuration file. | |
| `skopeo_executable_path` | Specifies the absolute path of the `skopeo` binary. | `skopeo` |
| `skopeo_config_path` | Specifies the absolute path to the authentication file used by `skopeo inspect`. | |
| `docker_executable_path` | Specifies the absolute path of the `docker` binary. | `docker` |
| `podman_executable_path` | Specifies the absolute path of the `podman` binary. | `podman` |
| `image_platform` | Specifies the platform to use for multi-arch images. | |

## Action Outputs

- **rhda_report_json**: Path to the generated Red Hat Dependency Analytics report in JSON format.
- **rhda_report_sarif**: Path to the generated Red Hat Dependency Analytics report in SARIF format.
- **artifact_id**: The identifier of the uploaded artifact.

## Scanning Pull Requests

This action can also run RHDA scans on pull requests.
Because the action must check out the pull request's code to scan it, you must use a [`pull_request_target` trigger](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target).

After the workflow runs, it labels the pull request with the scanning results.

Note that `pull_request_target` runs the workflow in the context of the base repository, with a `GITHUB_TOKEN` that can have write access, while the scan resolves dependencies from manifests supplied by the pull request. Keep the workflow's `permissions` to the minimum the scan needs, and review a pull request before allowing it to be scanned.

The following screenshot shows vulnerability details in the GitHub UI for a pull request.
![PR vulnerability details](./images/vul_details.png)

Use the following snippet to enable pull request scans in your repository:

``` yaml
on:
  pull_request_target:
    # These types are all required for RHDA to scan pull requests correctly and securely.
    types: [ opened, synchronize, reopened, labeled, edited ]
```
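The Configuring, Action Inputs and Action Outputs sections above describe the pieces separately. The following complete push workflow for a Maven project puts them together, as an added example that is not one of the project's own workflows: it restricts the job's token to what checkout and SARIF upload need, sets `fail_on: warning`, and then reads the `rhda_report_sarif` output back to summarize the findings with `jq` (preinstalled on `ubuntu-latest`). The `permissions` block, the `manifest_directory` of `.` (a `pom.xml` at the repository root), the Temurin 21 runtime and the artifact name are assumptions for this example; the `jq` query relies only on the standard SARIF layout (`runs[].results[]` with `level` and `ruleId`), not on anything RHDA-specific.

```yaml
name: RHDA scan (Maven)

on:
  push:
    branches: [ main ]

# Least privilege for this job: checkout needs contents:read and uploading
# the SARIF file to code scanning needs security-events:write. Nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  rhda:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumption: any JDK the project builds with works
          java-version: '21'

      - name: RHDA Scan
        id: rhda_scan
        # The README uses @main. For a reviewable supply chain pin a release tag
        # or a full commit SHA instead, so the action code cannot change underneath you.
        uses: RHEcosystemAppEng/rhda-github-action@main
        with:
          manifest_directory: .        # assumption: pom.xml lives at the repository root
          manifest_file: pom.xml
          fail_on: warning             # fail on error- or warning-level findings
          upload_sarif: true           # results appear under Security > Code scanning
          upload_artifact: true
          artifact_filename: rhda-maven-report   # assumption: any name is fine

      # Runs even when the scan step failed the job on findings, so the
      # per-rule summary is always present in the job log.
      - name: Summarize SARIF findings
        if: always() && steps.rhda_scan.outputs.rhda_report_sarif != ''
        env:
          SARIF: ${{ steps.rhda_scan.outputs.rhda_report_sarif }}
        run: |
          # One line per (level, ruleId) pair with its count, most frequent first.
          jq -r '.runs[].results[] | "\(.level // "warning")\t\(.ruleId)"' "$SARIF" \
            | sort | uniq -c | sort -rn
```

The `if: always()` guard matters because `fail_on` stops the job at the scan step; without it the summary step is skipped exactly when there is something to summarize.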
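The Scanning Pull Requests section above gives only the trigger. The following workflow is an added example of the hardening a practitioner would put around it; it is not the project's own workflow. `pull_request_target` runs in the base repository with a token that can write, and the scan resolves the dependency tree with `npm` from a `package.json` that the pull request author controls, so the job grants only the permissions the scan needs (reading the repository, labeling the pull request, uploading SARIF) and is gated on a maintainer-applied label. The label name `rhda-scan-approved` and the label gate itself are assumptions of this example; the `labeled` event type in the trigger is what makes applying the label start the scan. No `actions/checkout` step is shown because the README states that the action checks out the pull request's code itself.

```yaml
name: RHDA scan (pull requests)

on:
  pull_request_target:
    # These types are all required for RHDA to scan pull requests correctly and securely.
    types: [ opened, synchronize, reopened, labeled, edited ]

# pull_request_target runs in the base repository with a token that can write.
# Grant only what the scan needs: reading the repository, labeling the PR with
# the results, and uploading the SARIF file to code scanning.
permissions:
  contents: read
  pull-requests: write
  security-events: write

# Only the newest commit of a given PR is worth scanning; cancel superseded runs.
concurrency:
  group: rhda-pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  rhda:
    runs-on: ubuntu-latest
    # Assumption: maintainers apply this label after reading the PR diff.
    # Without a gate, anyone who opens a PR gets their manifest resolved by
    # npm while this job's token is in scope.
    if: contains(github.event.pull_request.labels.*.name, 'rhda-scan-approved')
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: RHDA Scan
        id: rhda_scan
        # Pin a release tag or a full commit SHA in production instead of @main.
        uses: RHEcosystemAppEng/rhda-github-action@main
        with:
          manifest_file: package.json
          fail_on: error
          upload_sarif: true
          upload_artifact: true
```

If a contributor pushes more commits after the label was applied, the `synchronize` event re-runs the scan while the label is still present; remove the label on such pushes (or re-review before leaving it in place) if you want every scanned revision to have been looked at first.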