Skip to main content
설명서에 자주 업데이트를 게시하며 이 페이지의 번역이 계속 진행 중일 수 있습니다. 최신 정보는 영어 설명서를 참조하세요.
GitHub AE는 현재 제한된 릴리스에 있습니다.

종속성 검토 구성

종속성 검토를 사용하여 프로젝트에 추가되기 전에 취약성을 포착할 수 있습니다.

About dependency review

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

For more information, see "About dependency review" and "Reviewing dependency changes in a pull request."

About configuring the dependency review action

The dependency review action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities.

For more information about the action, see the dependency-review-action documentation

The following configuration options are available.

OptionRequiredUsage
fail-on-severityDefines the threshold for level of severity (low, moderate, high, critical).
The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
allow-ghsasContains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database.
config-fileSpecifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository.
external-repo-tokenSpecifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository.

Configuring the dependency review action

There are two methods of configuring the dependency review action:

  • Inlining the configuration options in your workflow file.
  • Referencing a configuration file in your workflow file.

Notice that all of the examples use a short version number for the action (v3) instead of a semver release number (for example, v3.0.8). This ensures that you use the most recent minor version of the action.

Using inline configuration to set up the dependency review action

  1. Add a new YAML workflow to your .github/workflows folder.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
      contents: read
    
    jobs:
      dependency-review:
       runs-on: ubuntu-latest
         steps:
         - name: 'Checkout Repository'
           uses: actions/checkout@v3
         - name: Dependency Review
           uses: actions/dependency-review-action@v3
  2. Specify your settings.

    This dependency review action example file illustrates how you can use the available configuration options.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
      contents: read
    
    jobs:
      dependency-review:
      runs-on: ubuntu-latest
        steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v3
        - name: Dependency Review
          uses: actions/dependency-review-action@v3
          with:
          # Possible values: "critical", "high", "moderate", "low" 
          fail-on-severity: critical
    
    
            # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
            # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
            allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679
    

Using a configuration file to set up dependency review action

  1. Add a new YAML workflow to your .github/workflows folder and use config-file to specify that you are using a configuration file.

    YAML
    name: 'Dependency Review'
    on: [pull_request]
    
    permissions:
     contents: read
    
    jobs:
      dependency-review:
        runs-on: ubuntu-latest
        steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v3
        - name: Dependency Review
          uses: actions/dependency-review-action@v3
          with:
           # ([String]). Representing a path to a configuration file local to the repository or in an external repository.
           # Possible values: An absolute path to a local file or an external file.
           config-file: './.github/dependency-review-config.yml'   
           # Syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH
           config-file: 'github/octorepo/dependency-review-config.yml@main'
    
           # ([Token]) Use if your configuration file resides in a private external repository.
           # Possible values: Any GitHub token with read access to the private external repository.  
           external-repo-token: 'ghp_123456789abcde'
  2. Create the configuration file in the path you have specified.

    This YAML example file illustrates how you can use the available configuration options.

    YAML
      # Possible values: "critical", "high", "moderate", "low"
      fail-on-severity: critical
    
       # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
       # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
      allow-ghsas:
        - GHSA-abcd-1234-5679
        - GHSA-efgh-1234-5679
    

    For further details about the configuration options, see dependency-review-action.