
This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Configuring the dependency review action

You can use the dependency review action to catch vulnerabilities before they are added to your project.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

About the dependency review action

The "dependency review action" refers to the specific action that can report on differences in a pull request within the GitHub Actions context, and add enforcement mechanisms to the GitHub Actions workflow.

The dependency review action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. The action is supported by an API endpoint that compares the dependencies between two revisions and reports any differences.

For more information about the action and the API endpoint, see the dependency-review-action documentation, and REST API endpoints for dependency review.

Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.

| Option | Required | Usage |
| --- | --- | --- |
| fail-on-severity | | Defines the threshold for level of severity (low, moderate, high, critical). The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. |
| fail-on-scopes | | Contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. |
| comment-summary-in-pr | | Enable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission. |
| allow-ghsas | | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database. |
| config-file | | Specifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository. |
| external-repo-token | | Specifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository. |
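The options above are set as inputs on the action step in a workflow. The following workflow is an added example, not taken from the GitHub documentation or from the dependency-review-action project itself: it runs on every pull request, fails the check when a new dependency carries an advisory of high or critical severity in the development or runtime scope, posts the summary as a pull request comment, and skips one advisory that has already been assessed. The action version tag (`@v4`), the `ubuntu-latest` runner, the GHSA placeholder and the accepted form of the `comment-summary-in-pr` value are assumptions and should be checked against the version of the action available on your instance.

```yaml
# Added example workflow (not from the page): enforce dependency review on pull requests.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read
  # Required only because comment-summary-in-pr is enabled below; drop it otherwise
  # to keep the workflow token on least privilege.
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest          # assumed runner label
    steps:
      - name: Check out the pull request head
        uses: actions/checkout@v4   # assumed version tag

      - name: Dependency review
        uses: actions/dependency-review-action@v4   # assumed version tag
        with:
          # Fail the check on new dependencies with advisories rated high or critical;
          # low and moderate findings are still reported but do not block the merge.
          fail-on-severity: high

          # Enforce only for dependencies that ship in the build or at runtime.
          # Dependencies of unknown scope are reported without failing the check.
          fail-on-scopes: development, runtime

          # Post the review summary on the pull request (needs pull-requests: write above).
          # Accepted values depend on the action version; "always" is assumed here.
          comment-summary-in-pr: always

          # Advisories that have already been risk-accepted for this repository.
          # Placeholder ID: replace with the real GHSA identifiers from the Advisory Database.
          allow-ghsas: GHSA-xxxx-xxxx-xxxx

          # Alternative: keep the settings above in a shared configuration file instead.
          # The path below is a hypothetical example; a token is only needed when the
          # file lives in a private repository in a different organization or account.
          # config-file: my-org/security-config/dependency-review.yml@main
          # external-repo-token: ${{ secrets.DEPENDENCY_REVIEW_CONFIG_TOKEN }}
```

Keeping `pull-requests: write` scoped to this one job, rather than granted at the workflow level, limits what the token can do if any other step in the workflow is compromised; when `comment-summary-in-pr` is not used, `contents: read` alone is sufficient.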

Further reading