https://github.com/tonycknight/pkgchk-action
A Github action to run .net package dependency checks, and display results in a Github pull request.
ci dotnet nuget sca
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/tonycknight/pkgchk-action
- Owner: tonycknight
- License: mit
- Created: 2024-01-28T13:47:54.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-09-20T09:45:06.000Z (9 months ago)
- Last Synced: 2025-09-20T11:34:26.611Z (9 months ago)
- Topics: ci, dotnet, nuget, sca
- Homepage:
- Size: 179 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
# pkgchk-action
A GitHub action that runs .NET package dependency checks (vulnerabilities, deprecations, outstanding upgrades) and reports the results on pull requests.


## How to use
Simply include the action in your workflow like so:
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```
Use the step in your PR checks, or in your regular build workflow checks. Outstanding upgrades can also be searched for, and builds stopped if any are found.

:warning: This action only works with .NET SDK 8 or later. Check your [`global.json`](https://learn.microsoft.com/en-us/dotnet/core/tools/global-json) and other settings to avoid incompatibilities.
## What the options mean
### Scanning for vulnerabilities
The main options you'll need to provide are below. Most options have defaults; with them, a scan fails on high and critical vulnerabilities.
| The option | What's it for? | What's the default? |
| - | - | - |
| `project-path` | The relative path to the solution or project | The solution file in the working directory. |
| `scan-issues` | To scan vulnerabilities, deprecations, etc. | `true` |
| `deprecated` | Include deprecated packages in the scan | `false` |
| `vulnerable` | Include vulnerable packages in the scan | `true` |
| `transitives` | Include transitive packages in the scan | `true` |
| `fail-on-critical` | Fail scans if critical severity vulnerabilities or deprecation reasons are found | `true` |
| `fail-on-high` | Fail scans if high severity vulnerabilities are found | `true` |
| `fail-on-moderate` | Fail scans if moderate severity vulnerabilities are found | `false` |
| `fail-on-legacy` | Fail scans if packages are found to be deprecated for legacy reasons | `false` |
| `github-title` | The title to give to the PR Vulnerabilities report | `Package vulnerabilities` |
### Checking for upgrades
If you want to check for outstanding upgrades, these additional options are available:
| The option | What's it for? | What's the default? |
| - | - | - |
| `project-path` | The relative path to the solution or project | The solution file in the working directory. |
| `scan-upgrades` | To scan for upgrades | `false` |
| `fail-on-upgrades` | Set to `true` to stop builds with outstanding upgrades. | `false` |
| `github-upgrade-title` | The title to give to the PR upgrades report | `Package upgrades` |
### Common options
Some options control the action's credentials, restore behaviour, tracing, etc. You shouldn't need to set these in most cases.
| The option | What's it for? | What's the default? |
| - | - | - |
| `pass-img` | URI of a report image for successful scans | |
| `fail-img` | URI of a report image for failed scans | |
| `restore-solution` | Restore the solution or project | `true` |
| `restore-tools` | Restore tools | `true` |
| `github-token` | A github token to push reports to PRs | `github.token` |
| `repo` | The repository name in `owner/repo` form | `github.repository` |
| `prid` | The pull request ID | `github.event.number` |
| `commit-hash` | The Github commit hash | `github.sha` |
| `trace` | Output trace logging to the console | `false` |
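Putting the options above together into a complete workflow file, as an added example that is not part of the project's own README. The file name, job name, solution path and the `permissions` block are assumptions; in particular, the README only says the default `github.token` is used to push reports to PRs, so the `pull-requests: write` grant here is inferred from how PR comments work with the default `GITHUB_TOKEN`, not stated by the action. The `actions/setup-dotnet` step is included only for runner images that don't already provide .NET SDK 8+, which the action requires.

```yaml
# .github/workflows/sca.yml  (added example; file and job names are assumptions)
name: SCA

on:
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: read the checkout, write the
# report to the PR. The `pull-requests: write` grant is an assumption based on
# how PR comments work; the action's README only says it pushes reports to PRs.
permissions:
  contents: read
  pull-requests: write

jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      # Assumption: the runner image does not already ship .NET SDK 8 or later.
      # Keep this in line with your global.json to avoid SDK mismatches.
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x

      # Gate the PR on vulnerabilities: high and critical fail the build (the
      # defaults), moderate ones are reported but don't fail. Deprecated and
      # transitive packages are included so they appear in the report.
      - name: Run SCA
        uses: tonycknight/pkgchk-action@v1
        with:
          project-path: src/MyApp.sln   # assumption: point at your own solution
          scan-issues: true
          vulnerable: true
          deprecated: true
          transitives: true
          fail-on-critical: true
          fail-on-high: true
          fail-on-moderate: false
          fail-on-legacy: false
          github-title: Package vulnerabilities
```

If the report step fails with a permissions error on the PR, check the repository's default workflow token permissions (read-only by default on newer repositories) before reaching for a personal access token in `github-token`.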
## Some examples
### What's the minimum I need?
You'll need to first `checkout` the repository. The default options will scan for High and Critical vulnerabilities.
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```
### I want to scan a specific project...
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    project-path: src/testproj.csproj
```
### I want to scan for every possible problem and stop builds...
Easy: ensure `vulnerable`, `deprecated` & `transitives` are `true`, and all the `fail-on-` options are also `true`:
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: true
    fail-on-high: true
    fail-on-moderate: true
    fail-on-legacy: true
    fail-on-upgrades: true
```
### I want to scan for every possible problem with only reports...
Easy: ensure `vulnerable`, `deprecated` & `transitives` are `true`, and all the `fail-on-` options are `false`, so everything is reported but nothing stops the build:
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: false
    fail-on-high: false
    fail-on-moderate: false
    fail-on-legacy: false
    fail-on-upgrades: false
```
### I want to put images on the report
Simple: just set the `pass-img` and `fail-img` parameters to image URLs, like so:
```yaml
- uses: actions/checkout@v6
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    pass-img: https://media.tenor.com/4h0Z--sGHgsAAAAC/jason-momoa-folding-chair.gif
    fail-img: https://i.pinimg.com/474x/b4/74/fe/b474fe41f458a648fcfac0145a4dbd2e.jpg
```
### I have a private nuget repository
[Set up .NET with feed authentication](https://github.com/actions/setup-dotnet?tab=readme-ov-file#setting-up-authentication-for-nuget-feeds) before scanning, so the restore step can reach the private feed:
```yaml
- uses: actions/checkout@v6
- name: Add nuget source
  uses: actions/setup-dotnet@v4
  with:
    source-url: https://nuget.pkg.github.com//index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```
## Licence
`pkgchk-action` is licenced under MIT.
For `pkgchk-cli` refer to [its own licencing](https://github.com/tonycknight/pkgchk-cli).