# pkgchk-action

A GitHub action ([tonycknight/pkgchk-action](https://github.com/tonycknight/pkgchk-action)) to run .NET package dependency checks (SCA) and display the results in a GitHub pull request.

![Vulnerabilities](./docs/Vulnerabilities1.png)

![Vulnerabilities](./docs/Vulnerabilities2.png)


## How to use

Simply include the action in your workflow like so:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

Note that `@v1` is a mutable tag. For a reproducible supply chain, pin `uses:` to the full commit SHA of a release you have reviewed, and do the same for `actions/checkout`.

Use the step in your PR checks, or in your regular build workflow checks:

![Checks](./docs/WorkflowChecks1.png)

Outstanding upgrades can be searched for, and builds stopped if any are found:

![Checks](./docs/upgrades1.png)

:warning: This action only works with .NET SDK 8 or later. Check your [`global.json`](https://learn.microsoft.com/en-us/dotnet/core/tools/global-json) and other settings to avoid incompatibilities.

## What the options mean

### Scanning for vulnerabilities

The main options you'll need to provide are below. Most options have defaults; with those defaults the action scans direct and transitive packages for vulnerabilities and fails the build on high and critical severities.

| The option  | What's it for?  | What's the default? |
| - | - | - |
| `project-path` | The relative path to the solution or project | The solution file in the working directory. |
| `scan-issues` | To scan for vulnerabilities, deprecations, etc. | `true` |
| `deprecated` | Include deprecated packages in the scan | `false` |
| `vulnerable` | Include vulnerable packages in the scan | `true` |
| `transitives` | Include transitive packages in the scan | `true` |
| `fail-on-critical` | Fail scans if critical severity vulnerabilities or deprecation reasons are found | `true` |
| `fail-on-high` | Fail scans if high severity vulnerabilities are found | `true` |
| `fail-on-moderate` | Fail scans if moderate severity vulnerabilities are found | `false` |
| `fail-on-legacy` | Fail scans if packages are found to be deprecated for legacy reasons | `false` |
| `github-title` | The title to give to the PR vulnerabilities report | `Package vulnerabilities` |

### Checking for upgrades

If you want to check for outstanding upgrades, these additional options are available:

| The option  | What's it for?  | What's the default? |
| - | - | - |
| `project-path` | The relative path to the solution or project | The solution file in the working directory. |
| `scan-upgrades` | To scan for upgrades | `false` |
| `fail-on-upgrades` | Set to `true` to stop builds with outstanding upgrades | `false` |
| `github-upgrade-title` | The title to give to the PR upgrades report | `Package upgrades` |

### Common options

Some options are available to control the action's credentials, tracing, etc. You shouldn't need to use these in most cases.

| The option  | What's it for?  | What's the default? |
| - | - | - |
| `pass-img` | URI of a report image for successful scans | |
| `fail-img` | URI of a report image for failed scans | |
| `restore-solution` | Restore the solution or project | `true` |
| `restore-tools` | Restore tools | `true` |
| `github-token` | A GitHub token to push reports to PRs | `github.token` |
| `repo` | The repository name in `owner/repo` form | `github.repository` |
| `prid` | The pull request ID | `github.event.number` |
| `commit-hash` | The GitHub commit hash | `github.sha` |
| `trace` | Output trace logging to the console | `false` |


## Some examples

### What's the minimum I need?

You'll first need to check out the repository. The default options fail the build on high and critical vulnerabilities.

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

### I want to scan a specific project...

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    project-path: src/testproj.csproj
```

### I want to scan for every possible problem and stop builds...

Easy: ensure `vulnerable`, `deprecated` & `transitives` are `true`, and all the `fail-on-` options are also `true`:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: true
    fail-on-high: true
    fail-on-moderate: true
    fail-on-legacy: true
    fail-on-upgrades: true
```

### I want to scan for every possible problem with only reports...

Easy: ensure `vulnerable`, `deprecated` & `transitives` are `true`, and all the `fail-on-` options are `false`:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: false
    fail-on-high: false
    fail-on-moderate: false
    fail-on-legacy: false
    fail-on-upgrades: false
```

### I want to put images on the report

Simple: just set URLs in the `pass-img` and `fail-img` parameters, like so:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    pass-img: https://media.tenor.com/4h0Z--sGHgsAAAAC/jason-momoa-folding-chair.gif
    fail-img: https://i.pinimg.com/474x/b4/74/fe/b474fe41f458a648fcfac0145a4dbd2e.jpg
```

### I have a private NuGet repository

[Set up .NET](https://github.com/actions/setup-dotnet?tab=readme-ov-file#setting-up-authentication-for-nuget-feeds) before scanning. The scan only restores packages, so a read-only feed credential is enough:

```yaml
- uses: actions/checkout@v6

- name: Add nuget source
  uses: actions/setup-dotnet@v4
  with:
    source-url: https://nuget.pkg.github.com/<owner>/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

## Licence

`pkgchk-action` is licenced under MIT.

For `pkgchk-cli` refer to [its own licencing](https://github.com/tonycknight/pkgchk-cli).
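The snippets above are individual steps. The following is a complete pull-request workflow assembled from them, added here as an example rather than taken from the pkgchk-action README. It pins the .NET SDK to satisfy the SDK 8+ requirement, scopes the workflow token to the least privilege needed, and tightens the failure policy beyond the defaults. Two things are assumptions, not stated on the page: that posting the report needs `pull-requests: write` on the token (check the action's `action.yml` for what it actually calls), and the placeholder project path `src/MyApp.sln`.

```yaml
# Added example workflow (not from the pkgchk-action project).
name: SCA

on:
  pull_request:
    branches: [main]

# Least privilege: everything not listed here becomes `none`.
permissions:
  contents: read          # actions/checkout
  pull-requests: write    # ASSUMED: needed to post the report to the PR; verify against action.yml

jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      # The action requires .NET SDK 8 or later. Install it explicitly rather than
      # relying on the runner image, and make sure global.json does not pin an older SDK.
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Run SCA
        uses: tonycknight/pkgchk-action@v1   # prefer pinning to a reviewed full commit SHA
        with:
          project-path: src/MyApp.sln        # placeholder; point at your solution or project
          scan-issues: true
          vulnerable: true
          deprecated: true                   # default is false; deprecations are reported too
          transitives: true
          fail-on-critical: true
          fail-on-high: true
          fail-on-moderate: true             # stricter than the default (false)
          fail-on-legacy: false              # legacy deprecations are reported but do not block
          fail-on-upgrades: false
```

One caveat on the `permissions` block: for `pull_request` events raised from a fork, GitHub issues a read-only `GITHUB_TOKEN` regardless of what the workflow requests, so the PR report cannot be posted in that case; the scan still runs and the job's pass/fail result still gates the check.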