Skip to main content

Esta versión de GitHub Enterprise Server se discontinuó el 2024-09-25. No se realizarán lanzamientos de patch, ni siquiera para problemas de seguridad críticos. Para obtener rendimiento mejorado, seguridad mejorada y nuevas características, actualice a la versión más reciente de GitHub Enterprise Server. Para obtener ayuda con la actualización, póngase en contacto con el soporte técnico de GitHub Enterprise.

Configuración de la acción de revisión de dependencias

Puedes usar la Acción de revisión de dependencias para detectar las vulnerabilidades antes de que se agreguen a tu proyecto.

¿Quién puede utilizar esta característica?

Propietarios de repositorios, propietarios de organizaciones, administradores de seguridad y usuarios con el rol de administrador

About the dependency review action

The "dependency review action" refers to the specific action that can report on differences in a pull request within the GitHub Actions context, and add enforcement mechanisms to the GitHub Actions workflow.

The dependency review action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. The action is supported by an API endpoint that compares the dependencies between two revisions and reports any differences.

For more information about the action and the API endpoint, see the dependency-review-action documentation, and REST API endpoints for dependency review.

Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.

OptionRequiredUsage
fail-on-severityDefines the threshold for level of severity (low, moderate, high, critical).
The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
fail-on-scopesContains a list of strings representing the build environments you want to support (development, runtime, unknown).
The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list.
comment-summary-in-prEnable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission.
allow-ghsasContains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database.
config-fileSpecifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository.
external-repo-tokenSpecifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository.

Further reading