Skip to main content
Free, Pro, & Team
English
Sign up
 
Code security
Free, Pro, & Team
English
Sign up

 

Configuring dependency review

In this article

You can use dependency review to catch vulnerabilities before they are added to your project.

About dependency review

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

For more information, see "About dependency review" and "Reviewing dependency changes in a pull request."

About configuring dependency review

Dependency review is available in all public repositories in all products and cannot be disabled. Dependency review is available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see the GitHub Enterprise Cloud documentation.

Configuring the Dependency Review GitHub Action

Note: The Dependency Review GitHub Action is currently in public beta and subject to change.

The Dependency Review GitHub Action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. The action is supported by an API endpoint that compares the dependencies between two revisions and reports any differences.

For more information about the action and the API endpoint, see "About dependency review," and "Dependency review" in the API documentation, respectively.

The following configuration options are available.

OptionRequiredUsage
fail-on-severityOptionalDefines the threshold for level of severity (low, moderate, high, critical).
The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
allow-licensesOptionalContains a list of allowed licenses. You can find the possible values for this parameter in the Licenses page of the API documentation.
The action will fail on pull requests that introduce dependencies with licenses that do not match the list.
deny-licensesOptionalContains a list of prohibited licenses. You can find the possible values for this parameter in the Licenses page of the API documentation.
The action will fail on pull requests that introduce dependencies with licenses that match the list.

Tip: The allow-licenses and deny-licenses options are mutually exclusive.

This Dependency Review GitHub Action example file illustrates how you can use these configuration options.

YAML
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v2
        with:
          # Possible values: "critical", "high", "moderate", "low" 
          fail-on-severity: critical
          # You can only can only include one of these two options: `allow-licenses` and `deny-licences`
          # ([String]). Only allow these licenses (optional)
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses 
          # allow-licenses: GPL-3.0, BSD-3-Clause, MIT

          # ([String]). Block the pull request on these licenses (optional)
          # Possible values: Any  `spdx_id` value(s) from https://docs.github.com/en/rest/licenses 
          # deny-licenses: LGPL-2.0, BSD-2-Clause

For further details about the configuration options, see dependency-review-action.