Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/zkoppert/dependency-review-action
- Host: GitHub
- URL: https://github.com/zkoppert/dependency-review-action
- Owner: zkoppert
- License: mit
- Created: 2022-03-16T16:02:52.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-03-16T18:48:37.000Z (almost 3 years ago)
- Last Synced: 2024-11-17T06:04:54.882Z (about 1 month ago)
- Size: 1.19 MB
- Stars: 1
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Dependency Review Action
This Action scans for vulnerable versions of dependencies introduced
by package version changes in Pull Requests, and warns you about the
associated security vulnerabilities.

The Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
to find out the set of added and removed vulnerabilities for each dependency.

## Usage
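What the Action does with that response, shown as an added example (illustrative code, not the Action's own source): it splits the diff into vulnerable dependencies the PR adds and vulnerable ones it removes, reports the additions, and fails the build when any added advisory reaches a chosen severity. The entry fields (`change_type`, `manifest`, `name`, `version`, `vulnerabilities[]`) follow the documented compare endpoint; the sample diff, its package names and its `GHSA-xxxx-...` ids are constructed placeholders, and `fetchDependencyDiff` is an assumed wrapper around the endpoint that is defined but not called so the file runs offline.

```javascript
// Added example (not code from the action or from GitHub): the decision a
// dependency-review gate makes over a Dependency Graph Diff API response.
// The entry shape (change_type, manifest, name, version, vulnerabilities[])
// follows the documented compare endpoint; SAMPLE_DIFF is constructed.

const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample response: one clean addition, one vulnerable addition,
// and one vulnerable removal (the PR bumps example-parser 0.8.0 -> 0.9.1,
// which drops one advisory but still carries another).
const SAMPLE_DIFF = [
  { change_type: "added", manifest: "package.json", ecosystem: "npm",
    name: "example-padder", version: "1.2.0", vulnerabilities: [] },
  { change_type: "added", manifest: "package.json", ecosystem: "npm",
    name: "example-parser", version: "0.9.1",
    vulnerabilities: [
      { severity: "high", advisory_ghsa_id: "GHSA-xxxx-xxxx-xxx1",
        advisory_summary: "Placeholder: prototype pollution" },
    ] },
  { change_type: "removed", manifest: "package.json", ecosystem: "npm",
    name: "example-parser", version: "0.8.0",
    vulnerabilities: [
      { severity: "critical", advisory_ghsa_id: "GHSA-xxxx-xxxx-xxx2",
        advisory_summary: "Placeholder: remote code execution" },
      { severity: "high", advisory_ghsa_id: "GHSA-xxxx-xxxx-xxx1",
        advisory_summary: "Placeholder: prototype pollution" },
    ] },
];

// Split the diff into vulnerable dependencies the PR introduces ("added")
// and vulnerable ones it drops ("removed"). Entries without advisories are
// ignored; they are not a security signal either way.
function summarizeDiff(diff) {
  const added = [];
  const removed = [];
  for (const entry of diff) {
    const vulns = entry.vulnerabilities || [];
    if (vulns.length === 0) continue;
    const record = {
      name: entry.name,
      version: entry.version,
      manifest: entry.manifest,
      advisories: vulns.map((v) => ({
        ghsa: v.advisory_ghsa_id,
        severity: v.severity,
        summary: v.advisory_summary,
      })),
    };
    if (entry.change_type === "added") added.push(record);
    else if (entry.change_type === "removed") removed.push(record);
  }
  return { added, removed };
}

// Highest severity among advisories on added dependencies, or null if none.
function highestAddedSeverity(summary) {
  let worst = null;
  for (const dep of summary.added) {
    for (const adv of dep.advisories) {
      if (worst === null || SEVERITY_RANK[adv.severity] > SEVERITY_RANK[worst]) {
        worst = adv.severity;
      }
    }
  }
  return worst;
}

// CI should fail when any added advisory is at or above the threshold.
// Removed vulnerabilities never fail the build: they are what the PR fixed.
function shouldFail(summary, failOn = "low") {
  const worst = highestAddedSeverity(summary);
  return worst !== null && SEVERITY_RANK[worst] >= SEVERITY_RANK[failOn];
}

// One line per vulnerable addition, suitable for the job log.
function formatReport(summary) {
  return summary.added.map((dep) =>
    `${dep.manifest}: ${dep.name}@${dep.version} -> ` +
    dep.advisories.map((a) => `${a.ghsa} (${a.severity})`).join(", "));
}

// Assumed helper: live call to the endpoint the README names. `basehead` is
// "base...head" (three dots), e.g. "main...feature"; `token` must be able to
// read the repository. Defined but not invoked so this file runs offline.
async function fetchDependencyDiff(owner, repo, basehead, token) {
  const url = `https://api.github.com/repos/${owner}/${repo}` +
    `/dependency-graph/compare/${basehead}`;
  const res = await fetch(url, {
    headers: {
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${token}`,
    },
  });
  if (!res.ok) throw new Error(`compare API returned HTTP ${res.status}`);
  return res.json();
}

const sampleSummary = summarizeDiff(SAMPLE_DIFF);
for (const line of formatReport(sampleSummary)) console.log(line);
console.log(shouldFail(sampleSummary, "moderate") ? "FAIL" : "PASS");
```

Run it with `node` to see the report and verdict for the sample. The steps that follow wire the real Action, which does the equivalent work against the live API, into a workflow.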
1. Create a new [Personal Access Token
   (PAT)](https://github.com/settings/tokens) with the `repo` scope. Copy it for use in step 2. Note that the `repo` scope of a classic PAT grants read and write access to every repository the token owner can reach, so keep the token only in the Actions secret and nowhere else.
2. Create a new Actions Secret on your repo at `https://github.com/{owner}/{repo}/settings/secrets/actions`
3. Name it `REPO_TOKEN` and set its value to the PAT generated in step 1
4. Add a new YAML workflow to your `.github/workflows` folder:

```yaml
name: 'Dependency Review'
on: [pull_request]

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: dsp-testing/dependency-review-action@main
        with:
          repo-token: ${{ secrets.REPO_TOKEN }}
```

## Rough Edges
The DR workflow will execute whenever a Pull Request on the target
repo receives a push. Upon install, the Action will not execute
automatically on existing in-flight PRs until they receive a push.
GitHub also does not expose repository secrets to `pull_request` runs
triggered from forks, so `REPO_TOKEN` will be empty in those runs and
the authenticated API query cannot succeed there.

Once installed, any changes to DR-eligible manifest files in a PR that
_do not address existing vulnerable dependencies declared there_ will
cause this Action to fail CI. This is slated to be addressed during
the staff ship, and should not affect your ability to merge such PRs.

If you encounter undue friction and need assistance, contact the DR
maintainers using the methods outlined in the staff ship announcement,
or in Slack at `#dependency-graph`.

_Note_: We are using the `@main` release since this is still under
active development. Once we're ready to ship to production we'll
change this to a proper version number. Until then, `@main` is a
mutable reference: every run picks up whatever the branch currently
contains, so a consumer who needs a reproducible build should pin the
`uses:` line to a specific commit SHA instead.

## Bugs and Suggestions
Please file a new issue if you encounter a bug, or if this is behaving
in an unexpected way. You can also find us in Slack in the
#dependency-graph channel.

## Local Development
This will get you running the Action locally for stubbed development:
```sh
$ GITHUB_TOKEN= ./scripts/dev /
```

## Releases
Don't forget to package your code when doing a new release!
```sh
$ npm run build && npm run package
```