About the dependency review action
The "dependency review action" refers to the specific action that can report on differences in a pull request within the GitHub Actions context, and add enforcement mechanisms to the GitHub Actions workflow.
The dependency review action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. The action is supported by an API endpoint that compares the dependencies between two revisions and reports any differences.
For more information about the action and the API endpoint, see the dependency-review-action documentation, and "REST API endpoints for dependency review."
Organization owners can roll out dependency review at scale by enforcing the use of the dependency review action across repositories in the organization. This involves the use of repository rulesets for which you'll set the dependency review action as a required workflow, which means that pull requests can only be merged once the workflow passes all the required checks. For more information, see "Enforcing dependency review across an organization."
Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.
| Option | Required | Usage |
|---|---|---|
fail-on-severity | Defines the threshold for level of severity (low, moderate, high, critical).The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | |
fail-on-scopes | Contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | |
comment-summary-in-pr | Enable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission. | |
allow-ghsas | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database. | |
config-file | Specifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository. | |
external-repo-token | Specifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository. |