{"id":13692162,"url":"https://github.com/rob-derosa/package-policy","last_synced_at":"2026-04-25T21:32:09.818Z","repository":{"id":36969423,"uuid":"288048057","full_name":"rob-derosa/package-policy","owner":"rob-derosa","description":"A GitHub action to enforce that only approved packages are used within a project by providing an allow or prohibit list of packages.","archived":false,"fork":false,"pushed_at":"2023-01-25T06:13:59.000Z","size":2514,"stargazers_count":1,"open_issues_count":21,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-11T18:36:56.292Z","etag":null,"topics":["github-actions","package-control","package-management","package-policy","whitelist"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rob-derosa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-08-17T00:27:09.000Z","updated_at":"2022-08-22T18:31:05.000Z","dependencies_parsed_at":"2023-02-14T05:16:43.054Z","dependency_job_id":null,"html_url":"https://github.com/rob-derosa/package-policy","commit_stats":{"total_commits":47,"total_committers":3,"mean_commits":"15.666666666666666","dds":"0.12765957446808507","last_synced_commit":"7171ac2eb77276c9a921f295f753e68673d37d56"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rob-derosa/package-policy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rob-derosa%2Fpackage-policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rob-derosa%2Fpackage-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/rob-derosa%2Fpackage-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rob-derosa%2Fpackage-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rob-derosa","download_url":"https://codeload.github.com/rob-derosa/package-policy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rob-derosa%2Fpackage-policy/sbom","scorecard":{"id":779670,"data":{"date":"2025-08-11","repo":{"name":"github.com/rob-derosa/package-policy","commit":"7171ac2eb77276c9a921f295f753e68673d37d56"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.8,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/14 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/enforce-package-policy.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/rob-derosa/package-policy/enforce-package-policy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/enforce-package-policy.yml:22: update your workflow using 
https://app.stepsecurity.io/secureworkflow/rob-derosa/package-policy/enforce-package-policy.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue_notifier.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/rob-derosa/package-policy/issue_notifier.yml/main?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/enforce-package-policy.yml:1","Warn: no topLevel permission defined: .github/workflows/issue_notifier.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases 
found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during GetBranch(v1): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 19 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"48 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-mfwh-5m23-j46w","Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable 
to: GHSA-8r6j-v8pm-fqw3","Warn: Project is vulnerable to: MAL-2023-462","Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-w7rc-rwvf-8q5r","Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g","Warn: Project is vulnerable to: GHSA-5fw9-fq32-wv5p","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9","Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw","Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc","Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh","Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q","Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh","Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T04:36:52.097Z","repository_id":36969423,"created_at":"2025-08-23T04:36:52.097Z","updated_at":"2025-08-23T04:36:52.097Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32278249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T18:29:39.964Z","status":"ssl_error","status_checked_at":"2026-04-25T18:29:32.149Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","package-control","package-management","package-policy","whitelist"],"created_at":"2024-08-02T17:00:54.289Z","updated_at":"2026-04-25T21:32:09.802Z","avatar_url":"https://github.com/rob-derosa.png","language":"TypeScript","funding_links":[],"categories":["Actions"],"sub_categories":[],"readme":"# :package: Package Policy \n\nThis GitHub action allows you to provide a list of packages allowed or prohibited along with versions to be enforced within this repository. 
If a code push or pull request contains changes to a `package.json` manifest file containing a reference to a package that violates the package policy, a `violations` output value is set containing an array of the offending packages in JSON format.\n\n**Why enforce dependencies?**\n* internal security analysis by SecOps\n* licensing restrictions\n* centralization around standard libraries\n\n\n**Versions can be specified as:**\n* literal - `1.2.5`\n* any version - `*`\n* specific to major and/or minor - `1.2.*`\n\n:shower: Versions are sanitized of any non-numeric characters (`^`, `~`, `v`) before comparison\n\n## :dart: Usage\n\nCreate a `.github/workflows/enforce-package-policy.yml` file:\n\n```yaml\nname: \"Enforce Package Policy\"\non:\n  push:\n  pull_request:\n    types:\n      - opened\n      - edited\njobs:\n  enforce-package-policy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - uses: rob-derosa/package-policy@v1\n        name: \"Check for package violations\"\n        id: package-policy\n        with:\n          policy: allow\n          policy-url: \"https://mycompanywebsite.com/security/allow_policy.json\"\n          fail-if-violations: false\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n      - uses: actions/github-script@v2\n        name: \"Respond to package violations\"\n        with:\n          github-token: ${{secrets.GITHUB_TOKEN}}\n          violations: ${{steps.package-policy.outputs.violations}}\n          script: |\n            const script = require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/package_violation.js`)\n            await script({github, context, core})\n```\n\n#### Sample content of `allow_policy.json`\n```json\n{\n    \"applicationinsights\": \"1.0.8\",\n    \"chokidar\": \"*\",\n    \"graceful-fs\": \"*\",\n    \"http-proxy-agent\": \"^2.1.*\",\n    \"https-proxy-agent\": \"^2.*\",\n    \"iconv-lite-umd\": \"~0.6.8\",\n    \"jschardet\": \"*\",\n    \"keytar\": \"*\",\n    
\"minimist\": \"^1.2.5\",\n    \"native-is-elevated\": \"0.4.x\",\n    \"native-keymap\": \"2.1.2\",\n    \"native-watchdog\": \"1.3.*\"\n}\n```\n\n## :pencil: Configuration\n\nThe following inputs are accepted:\n\n- `policy`: Provide either `allow` to treat the policy as an allow list or `prohibit` to treat it as a prohibit list\n- `policy-url`: The remote URL of the policy.json file containing a list of packages and versions allowed or prohibited ([see sample payload](#sample-content-of-allow_policyjson))\n- `fail-if-violations`: set to false if you want this action to refrain from setting the status of this action to **fail** - this allows downstream actions to run\n- `include-dev-dependencies`: set to true if you want to enforce policy against packages under the `devDependencies` node in the `package.json` manifest\n- `github-token`: leave this be :metal: - needed to access the added or modified files\n\n\n## :warning: Responding to Violations\n\nNote that this action only checks to see if package violations are detected and writes that data to the `violations` output. In this sample,\nwe use a downstream action to respond to any violations that occur. By using the `actions/github-script@v2` action, we can execute\nJavaScript directly in the yaml workflow. 
Even cleaner, we can consolidate that logic in its own file and call it from the yaml workflow.\n\n```yaml\nsteps:\n  ...\n  - uses: actions/github-script@v2\n    name: \"Respond to package violations\"\n    with:\n      github-token: ${{secrets.GITHUB_TOKEN}}\n      violations: ${{steps.package-policy.outputs.violations}}\n      script: |\n        const script = require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/package_violation.js`)\n        await script({github, context, core})\n```\n\nHere we are executing logic contained in the [.github/workflows/package_violation.js](.github/workflows/package_violation.js) file.\nIf a violation occurs:\n* triggered by code push\n  * an issue will be created, labeled with `Package Violation`, containing a link to the commit, and assigned to the user pushing the code\n* triggered by pull request being opened or updated\n  * the pull request will be labeled with `Package Violation` and a comment is added with violation details\n\nKeeping the response to the violations in a separate step and that logic in its own JavaScript file allows for maximum flexibility on how\nyou choose to respond while still providing access to context, core, octokit, io and keeping your yaml nice and tidy.\n\n\n## :boom: In Action\n\n**A commit was made that included an update to the package.json manifest file.**\n![Action Console Log](assets/action_log.png?raw=true)\n\n**Because a violation was detected, a comment is added to the pull request and labeled. If triggered by a code push, a new issue is created and assigned to the user who pushed the code.**\n![Pull request commented on due to violation](assets/pull_request.png?raw=true)\n\n\n### Limitations\n\n* supports JavaScript and TypeScript projects currently\n\n### Improvements\n\n* provide support for other frameworks (.NET, Ruby, Java, Go)\n* provide support for ignore path filters to allow ignoring specific package manifest files (e.g. 
backups)\n\n### License\n\nMIT","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frob-derosa%2Fpackage-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frob-derosa%2Fpackage-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frob-derosa%2Fpackage-policy/lists"}
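The README above describes an allow/prohibit policy evaluated against `package.json` with three version pattern forms (literal, `*`, `1.2.*`) and a sanitisation step that strips `^`, `~` and `v` before comparison. The following is an added example written for this page, not the rob-derosa/package-policy action's own code: a minimal TypeScript re-implementation of that check, so the interaction between the pattern forms, `include-dev-dependencies` and the sanitisation rule can be seen on a concrete manifest. The exact matching semantics (which characters are stripped, how `1.2.*` is compared segment by segment), the `Violation` field names and the sample policy/manifest are assumptions constructed for the example; the real action's output format may differ.

```typescript
// Added example, not the project's code. Re-implements the policy check the
// README describes; field names and matching rules are assumptions.

type Policy = Record<string, string>;   // package name -> version pattern
type PolicyMode = "allow" | "prohibit";

interface Manifest {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

interface Violation {
  package: string;
  version: string;        // specifier exactly as declared in package.json
  policyVersion?: string; // the policy entry it was compared against, if any
  reason: string;
}

// README: versions are "sanitized of any non-numeric characters (^, ~, v)"
// before comparison. Assumed here to mean: keep only digits, dots and the
// documented wildcard '*'.
function sanitize(version: string): string {
  return version.replace(/[^0-9.*]/g, "");
}

// Compare a sanitised version against a sanitised pattern, segment by segment.
// "*" matches anything; "1.2.*" matches any version whose first two segments
// are 1 and 2; a literal such as "1.2.5" must match every segment exactly.
function versionMatches(version: string, pattern: string): boolean {
  const v = sanitize(version).split(".");
  const p = sanitize(pattern).split(".");
  for (let i = 0; i < p.length; i++) {
    if (p[i] === "*") return true;   // wildcard covers this and all later segments
    if (v[i] !== p[i]) return false;
  }
  return v.length === p.length;      // literal pattern: no extra segments allowed
}

function checkPolicy(
  manifest: Manifest,
  policy: Policy,
  mode: PolicyMode,
  includeDevDependencies: boolean = false,
): Violation[] {
  // Mirror the include-dev-dependencies input: devDependencies are only in scope when asked for.
  const declared: Record<string, string> = Object.assign(
    {},
    manifest.dependencies || {},
    includeDevDependencies ? manifest.devDependencies || {} : {},
  );
  const violations: Violation[] = [];
  for (const name of Object.keys(declared)) {
    const version = declared[name];
    const pattern = policy[name];
    if (mode === "allow") {
      // Allow list: the package must be listed AND its version must match the entry.
      if (pattern === undefined) {
        violations.push({ package: name, version, reason: "package not in allow list" });
      } else if (!versionMatches(version, pattern)) {
        violations.push({ package: name, version, policyVersion: pattern, reason: "version not allowed" });
      }
    } else if (pattern !== undefined && versionMatches(version, pattern)) {
      // Prohibit list: a package violates only if it is listed AND the version matches.
      violations.push({ package: name, version, policyVersion: pattern, reason: "package prohibited" });
    }
  }
  return violations;
}

// Constructed sample inputs (assumptions, not taken from the project).
const samplePolicy: Policy = {
  "minimist": "^1.2.5",
  "graceful-fs": "*",
  "http-proxy-agent": "^2.1.*",
};

const sampleManifest: Manifest = {
  dependencies: {
    "minimist": "^1.2.5",          // allowed: both sides sanitise to 1.2.5
    "graceful-fs": "4.2.10",       // allowed: wildcard entry
    "http-proxy-agent": "~2.0.0",  // violation: 2.0.0 does not match 2.1.*
    "left-pad": "1.3.0",           // violation: not in the allow list
  },
  devDependencies: {
    "typescript": "4.9.4",         // only examined when includeDevDependencies is true
  },
};

// Runs the allow-list check over the sample manifest, dev dependencies included.
function demo(): Violation[] {
  return checkPolicy(sampleManifest, samplePolicy, "allow", true);
}
```

Two points the example makes visible. First, because `^` and `~` are removed before comparison, `^1.2.5` in `package.json` satisfies an allow entry of `1.2.5` even though npm will resolve that range to any `1.x.y` at or above `1.2.5`; the check is over the specifier declared in the manifest, not the version actually installed from the lockfile. If the policy is meant to be authoritative about what runs in CI, pin exact versions in `package.json` or review the lockfile alongside this check. Second, with `include-dev-dependencies` left at its default, anything under `devDependencies` (build tooling, test runners) is never examined, which is exactly where a supply-chain compromise is often first introduced.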