
Configuring the dependency review action

You can use the dependency review action to catch vulnerabilities before they are added to your project.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

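About the dependency review action

The "dependency review action" refers to the specific action that can report on differences in a pull request within the GitHub Actions context, and add enforcement mechanisms to the GitHub Actions workflow.

The dependency review action scans pull requests for dependency changes and raises an error if any new dependency has a known vulnerability. The action is backed by an API endpoint that compares the dependencies between two revisions and reports the differences.

For more information about the action and the API endpoint, see the dependency-review-action documentation and "REST API endpoints for dependency review."

Organization owners can roll out dependency review at scale by enforcing use of the dependency review action across the repositories in the organization. This involves repository rulesets that set the dependency review action as a required workflow, which means that a pull request can only be merged after the workflow passes all the required checks. For more information, see "Enforcing dependency review across an organization."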

Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.

| Option | Required | Usage |
|---|---|---|
| fail-on-severity | | Defines the threshold for level of severity (low, moderate, high, critical). The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. |
| allow-licenses | | Contains a list of allowed licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. |
| deny-licenses | | Contains a list of prohibited licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that match the list. |
| fail-on-scopes | | Contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. |
| comment-summary-in-pr | | Enable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission. |
| allow-ghsas | | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database. |
| config-file | | Specifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository. |
| external-repo-token | | Specifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository. |

Tip

The allow-licenses and deny-licenses options are mutually exclusive.

Configuring the dependency review action

There are two methods of configuring the dependency review action:

  • Inlining the configuration options in your workflow file.
  • Referencing a configuration file in your workflow file.

Notice that all of the examples use a short version number for the action (v3) instead of a semver release number (for example, v3.0.8). This ensures that you use the most recent minor version of the action.

Using inline configuration to set up the dependency review action

  1. Add a new YAML workflow to your .github/workflows folder.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
      contents: read
    
    jobs:
      dependency-review:
        runs-on: ubuntu-latest
        steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v4
        - name: Dependency Review
          uses: actions/dependency-review-action@v4
    
  2. Specify your settings.

    This dependency review action example file illustrates how you can use the available configuration options.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
      contents: read
    
    jobs:
      dependency-review:
        runs-on: ubuntu-latest
        steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v4
        - name: Dependency Review
          uses: actions/dependency-review-action@v4
          with:
            # Possible values: "critical", "high", "moderate", "low"
            fail-on-severity: critical
    
            
            # You can only include one of these two options: `allow-licenses` and `deny-licenses`
            # ([String]). Only allow these licenses (optional)
            # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
            allow-licenses: GPL-3.0, BSD-3-Clause, MIT
            # ([String]). Block the pull request on these licenses (optional)
            # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
            # Commented out because `allow-licenses` is set above; use this line instead of `allow-licenses`, not with it.
            # deny-licenses: LGPL-2.0, BSD-2-Clause
            
            # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
            # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
            allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679
            # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional)
            # Possible values: "development", "runtime", "unknown"
            fail-on-scopes: development, runtime
    

Using a configuration file to set up the dependency review action

  1. Add a new YAML workflow to your .github/workflows folder and use config-file to specify that you are using a configuration file.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
      contents: read
    
    jobs:
      dependency-review:
        runs-on: ubuntu-latest
        steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v4
        - name: Dependency Review
          uses: actions/dependency-review-action@v4
          with:
            # ([String]). Representing a path to a configuration file local to the repository or in an external repository.
            # Possible values: An absolute path to a local file or an external file.
            config-file: './.github/dependency-review-config.yml'
            # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred)
            # config-file: 'github/octorepo/dependency-review-config.yml@main'
    
            # ([Token]) Use if your configuration file resides in a private external repository.
            # Possible values: Any GitHub token with read access to the private external repository.
            # The value shown is a placeholder. Store a real token as an encrypted secret and
            # reference it here instead of committing it to the workflow file.
            external-repo-token: 'ghp_123456789abcde'
    
  2. Create the configuration file in the path you have specified.

    This YAML example file illustrates how you can use the available configuration options.

    YAML
    # Possible values: "critical", "high", "moderate", "low"
    fail-on-severity: critical
    
    # You can only include one of these two options: `allow-licenses` and `deny-licenses`
    # ([String]). Only allow these licenses (optional)
    # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
    allow-licenses:
      - GPL-3.0
      - BSD-3-Clause
      - MIT
    # ([String]). Block the pull request on these licenses (optional)
    # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
    # Commented out because `allow-licenses` is set above; use this list instead of `allow-licenses`, not with it.
    # deny-licenses:
    #   - LGPL-2.0
    #   - BSD-2-Clause
    
    # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
    # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
    allow-ghsas:
      - GHSA-abcd-1234-5679
      - GHSA-efgh-1234-5679
    # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional)
    # Possible values: "development", "runtime", "unknown"
    fail-on-scopes:
      - development
      - runtime
    

For further details about the configuration options, see dependency-review-action.
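
The sketch below is an added example, not code from the action or from GitHub: a simplified Python model of how fail-on-severity, fail-on-scopes, allow-ghsas and the license lists combine to decide whether a pull request fails, following the option descriptions on this page. The record fields, the defaults, the package names and the GHSA-zzzz-* IDs are assumptions made for illustration.

```python
SEVERITIES = ["low", "moderate", "high", "critical"]  # ascending order

def review(changes, config):
    """Return (package, reason) findings; an empty list means the check passes."""
    if "allow-licenses" in config and "deny-licenses" in config:
        raise ValueError("allow-licenses and deny-licenses are mutually exclusive")
    # Defaults below are this example's assumptions, not taken from the page.
    threshold = SEVERITIES.index(config.get("fail-on-severity", "low"))
    scopes = set(config.get("fail-on-scopes", ["runtime"]))
    skipped = set(config.get("allow-ghsas", []))
    findings = []
    for dep in changes:
        if dep["change_type"] != "added":  # only newly introduced dependencies
            continue
        if dep["scope"] in scopes:
            for vuln in dep["vulnerabilities"]:
                ghsa = vuln["advisory_ghsa_id"]
                at_or_above = SEVERITIES.index(vuln["severity"]) >= threshold
                if at_or_above and ghsa not in skipped:
                    findings.append((dep["name"], ghsa))
        # Assumption: license rules apply to every added dependency, any scope.
        lic = dep["license"]
        if "allow-licenses" in config and lic not in config["allow-licenses"]:
            findings.append((dep["name"], f"license {lic} not in allow-licenses"))
        if lic in config.get("deny-licenses", []):
            findings.append((dep["name"], f"license {lic} in deny-licenses"))
    return findings

def change(change_type, name, scope, lic, *vulns):
    """Build one constructed dependency-change record."""
    return {"change_type": change_type, "name": name, "scope": scope, "license": lic,
            "vulnerabilities": [{"advisory_ghsa_id": g, "severity": s} for g, s in vulns]}

# Constructed sample diff; package names and the GHSA-zzzz-* IDs are made up.
CHANGES = [
    change("added", "pkg-a", "runtime", "MIT", ("GHSA-abcd-1234-5679", "critical")),
    change("added", "pkg-b", "runtime", "MIT", ("GHSA-zzzz-0000-0001", "high")),
    change("added", "pkg-c", "development", "LGPL-2.0", ("GHSA-zzzz-0000-0002", "critical")),
    change("removed", "pkg-d", "runtime", "MIT", ("GHSA-zzzz-0000-0003", "critical")),
]
# Mirrors the example settings on this page (allow-licenses variant).
CONFIG = {
    "fail-on-severity": "critical",
    "fail-on-scopes": ["development", "runtime"],
    "allow-ghsas": ["GHSA-abcd-1234-5679", "GHSA-efgh-1234-5679"],
    "allow-licenses": ["GPL-3.0", "BSD-3-Clause", "MIT"],
}

if __name__ == "__main__":
    for name, reason in review(CHANGES, CONFIG):
        print(f"FAIL {name}: {reason}")
```

With these settings only pkg-c is reported: pkg-a's advisory is on the allow-ghsas list, pkg-b is below the critical threshold, and pkg-d was removed rather than added.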
