关于 依赖项审查操作
“依赖项审查操作”指的是可以在 GitHub Actions 上下文中报告拉取请求差异,并在 GitHub Actions 工作流中添加执行机制的具体操作。
依赖项审查操作 扫描拉取请求,查看是否存在依赖项更改,如果有任何新的依赖项存在已知漏洞,则会引发错误。 API 终结点支持此操作,该终结点比较两个修订之间的依赖关系,并报告任何差异。
有关操作和 API 终结点的详细信息,请参阅 dependency-review-action
文档和“适用于依赖项评审的 REST API 终结点”。
组织所有者可以通过在组织中跨存储库强制使用 依赖项审查操作 来大规模推出依赖项审查。 这涉及使用将 依赖项审查操作 设置为所需工作流的存储库规则集,这意味着一旦工作流通过所有必需的检查,只能合并拉取请求。 有关详细信息,请参阅“在整个组织内强制实施依赖项审查”。
下面是常见的配置选项列表。 有关详细信息和选项的完整列表,请参阅 GitHub Marketplace 上的依赖项评审。
选项 | 必选 | 使用情况 |
---|---|---|
fail-on-severity | 定义严重性级别(low 、moderate 、high 、critical )的阈值。对于引入指定严重性级别或更高级别的漏洞的任何拉取请求,该操作都将失败。 | |
allow-licenses | 包含允许的许可证列表。 可以在 API 文档的许可证页中找到此参数可能的值。 如果拉取请求引入许可证与该列表不匹配的依赖项,此操作将会失败。 | |
deny-licenses | 包含禁止的许可证列表。 可以在 API 文档的许可证页中找到此参数可能的值。 如果拉取请求引入许可证与该列表匹配的依赖项,此操作将会失败。 | |
fail-on-scopes | 包含一个字符串列表,这些字符串表示要支持的生成环境(development 、runtime 、unknown )。 如果拉取请求引入与列表匹配的范围内的漏洞,此操作将会失败。 | |
comment-summary-in-pr | 作为拉取请求中的注释启用或禁用审阅摘要报告。 如果启用,则必须向工作流或作业授予 pull-requests: write 权限。 | |
allow-ghsas | 包含可在检测过程中跳过的 GitHub Advisory Database ID 列表。 可以在 GitHub Advisory Database 中找到此参数的可能值。 | |
config-file | 指定配置文件的路径。 配置文件可以在存储库本地,也可以位于外部存储库中。 | |
external-repo-token | 指定用于提取配置文件的令牌(如果该文件位于某个专用外部存储库中)。 该令牌必须具有该存储库的读取访问权限。 |
Tip
allow-licenses
和 deny-licenses
选项互斥。
配置 依赖项审查操作
可通过两种方法配置 依赖项审查操作:
- 在工作流文件中内联配置选项。
- 在工作流文件中引用配置文件。
请注意,所有示例使用操作 (v3
) 的短版本号,而不是 semver 版本号(例如,v3.0.8
)。 这可确保使用操作的最新次要版本。
使用内联配置来设置 依赖项审查操作
-
将新的 YAML 工作流添加到
.github/workflows
文件夹。YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4
name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4
-
指定您的设置。
此 依赖项审查操作 示例文件说明了如何使用可用的配置选项。
YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtime
name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtime
使用配置文件来设置 依赖项审查操作
-
将新的 YAML 工作流添加到
.github/workflows
文件夹,并使用config-file
指定正在使用配置文件。YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde'
name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde'
-
在指定路径中创建配置文件。
此 YAML 示例文件说明了如何使用可用的配置选项。
YAML # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime
# Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime
有关配置选项的更多详细信息,请参阅 dependency-review-action
。