About dependency review
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:
- Which dependencies were added, removed, or updated, along with the release dates.
- How many projects use these components.
- Vulnerability data for these dependencies.
For more information, see "About dependency review" and "Reviewing dependency changes in a pull request."
About configuring dependency review
Dependency review is included in GitHub Enterprise Cloud for public repositories. To use dependency review in private repositories owned by organizations, you must have a license for GitHub Advanced Security and have the dependency graph enabled.
Repository administrators can enable or disable the dependency graph for private repositories.
You can also enable or disable the dependency graph for all repositories owned by your user account or organization. For more information, see "Configuring the dependency graph."
-
On GitHub.com, navigate to the main page of the repository.
-
Under your repository name, click Settings.
-
In the "Security" section of the sidebar, click Code security and analysis.
-
Read the message about granting GitHub Enterprise Cloud read-only access to the repository data to enable the dependency graph, then next to "Dependency Graph", click Enable.
You can disable the dependency graph at any time by clicking Disable next to "Dependency Graph" on the settings page for "Code security and analysis." -
If "GitHub Advanced Security" is not enabled, click Enable next to the feature.
Configuring the dependency review action
Note: The dependency review action is currently in public beta and subject to change.
For more information about the action and the API endpoint, see "About dependency review," and "Dependency review" in the API documentation, respectively.
The following configuration options are available.
| Option | Required | Usage |
|---|---|---|
fail-on-severity | Optional | Defines the threshold for level of severity (low, moderate, high, critical).The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. |
allow-licenses | Optional | Contains a list of allowed licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. |
deny-licenses | Optional | Contains a list of prohibited licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that match the list. |
Tip: The allow-licenses and deny-licenses options are mutually exclusive.
This dependency review action example file illustrates how you can use these configuration options.
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
fail-on-severity: critical
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
# ([String]). Only allow these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
# ([String]). Block the pull request on these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
For further details about the configuration options, see dependency-review-action.