Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tonycknight/pkgchk-action
A Github action to run .net package dependency checks, and display results in a Github pull request.
https://github.com/tonycknight/pkgchk-action
ci dotnet nuget sca
Last synced: 4 months ago
JSON representation
A Github action to run .net package dependency checks, and display results in a Github pull request.
- Host: GitHub
- URL: https://github.com/tonycknight/pkgchk-action
- Owner: tonycknight
- License: mit
- Created: 2024-01-28T13:47:54.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-13T18:41:47.000Z (8 months ago)
- Last Synced: 2024-10-01T04:01:12.481Z (4 months ago)
- Topics: ci, dotnet, nuget, sca
- Language: PowerShell
- Homepage:
- Size: 169 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# pkgchk-action
A Github action to perform .Net package dependency checks & PRs.
## How to use
Your repository `Workflow permissions` settings should give `Read and write permissions` to the `GITHUB_TOKEN`.
Once done, simply include the action in your workflow like so:
```yaml
- uses: actions/checkout@v4
- name: Run SCA
uses: tonycknight/[email protected]
```
Use the step in your PR checks, or in your regular build workflow checks:
:warning: This action only works with .Net SDK 7.0.200 or higher. Check your `global.json` and other settings to avoid incompatibilities.
## What the options mean
The main options you'll need to provide are below. Most options have defaults applied, giving scans for high to critical vulnerabilities.
| The option | What's it for? | What's the default? |
| - | - | - |
| `project-path` | The relative path to the solution or project | The solution file in the working directory. |
| `deprecated` | Include deprecated packages in the scan | `false` |
| `vulnerable` | Include vulnerable packages in the scan | `true` |
| `transitives` | Include transitive packages in the scan | `true` |
| `fail-on-critical` | Fail scans if critical severity vulnerabilities or deprecation reasons are found | `true` |
| `fail-on-high` | Fail scans if high severity vulnerabilities are found | `true` |
| `fail-on-moderate` | Fail scans if moderate severity vulnerabilities are found | `false` |
| `fail-on-legacy` | Fail scans if packages are found to be deprecated for legacy reasons | `false` |
| `pass-img` | URI of a report image for successful scans | |
| `fail-img` | URI of a report image for failed scans | |
Some options are available to control the action's credentials, tracing, etc. You shouldn't need to use this in most cases.
| The option | What's it for? | What's the default? |
| - | - | - |
| `github-token` | A github token to push reports to PRs | `github.token` |
| `repo` | The repository name in `owner/repo` form | `github.repository` |
| `github-title` | The title to give to the PR report | `Package vulnerabilities` |
| `prid` | The pull request ID | `github.event.number` |
| `commit-hash` | The Github commit hash | `github.sha` |
| `trace` | Output trace logging to the console | `false` |
## Some examples
### What's the minimum I need?
You'll need to first `checkout` the repository. The default options will scan for High and Critical vulnerabilities.
```yaml
- uses: actions/checkout@v4
- name: Run SCA
uses: tonycknight/[email protected]
```
### I want to scan a specific project
```yaml
- uses: actions/checkout@v4
- name: Run SCA
uses: tonycknight/[email protected]
with:
project-path: src/testproj.csproj
```
### I want to scan for every possible problem
Easy: ensure `vulnerable`, `deprecated` & `transitives` are `true`, and all the `fail-on-` options are also `true`:
```yaml
- uses: actions/checkout@v4
- name: Run SCA
uses: tonycknight/[email protected]
with:
vulnerable: true
deprecated: true
transitives: true
fail-on-critical: true
fail-on-high: true
fail-on-moderate: true
fail-on-legacy: true
```
### I want to put images on the report
Simple: just set URLs to the `pass-img` and `fail-img` parameters, like so:
```yaml
- uses: actions/checkout@v4
- name: Run SCA
uses: tonycknight/[email protected]
with:
pass-img: https://media.tenor.com/4h0Z--sGHgsAAAAC/jason-momoa-folding-chair.gif
fail-img: https://i.pinimg.com/474x/b4/74/fe/b474fe41f458a648fcfac0145a4dbd2e.jpg
```
## Licence
`pkgchk-action` is licenced under MIT.
This action uses a Docker image from [pkgchk-cli](https://github.com/tonycknight/pkgchk-cli).
For `pkgchk-cli` refer to [its own licencing](https://github.com/tonycknight/pkgchk-cli).