Configuring the dependency review action

About the 依赖项审查操作

The "依赖项审查操作" refers to the specific action that can report on differences in a pull request within the GitHub Actions context, and add enforcement mechanisms to the GitHub Actions workflow.

依赖项审查操作 扫描拉取请求，查看是否存在依赖项更改，如果有任何新的依赖项存在已知漏洞，则会引发错误。 API 终结点支持此操作，该终结点比较两个修订之间的依赖关系，并报告任何差异。

有关操作和 API 终结点的详细信息，请参阅 dependency-review-action 文档和“适用于依赖项评审的 REST API 终结点”。

组织所有者可以通过在组织中跨存储库强制使用 依赖项审查操作 来大规模推出依赖项审查。 这涉及使用将 依赖项审查操作 设置为所需工作流的存储库规则集，这意味着一旦工作流通过所有必需的检查，只能合并拉取请求。 有关详细信息，请参阅“在整个组织内强制实施依赖项审查”。

Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.

Option	Required	Usage
fail-on-severity		Defines the threshold for level of severity (low, moderate, high, critical). The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
allow-licenses		Contains a list of allowed licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that do not match the list.
deny-licenses		Contains a list of prohibited licenses. You can find the possible values for this parameter in the Licenses page of the API documentation. The action will fail on pull requests that introduce dependencies with licenses that match the list.
fail-on-scopes		Contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list.
comment-summary-in-pr		Enable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission.
allow-ghsas		Contains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database.
config-file		Specifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository.
external-repo-token		Specifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository.

Configuring the 依赖项审查操作

There are two methods of configuring the 依赖项审查操作:

• Inlining the configuration options in your workflow file.
• Referencing a configuration file in your workflow file.

Notice that all of the examples use a short version number for the action (v3) instead of a semver release number (for example, v3.0.8). This ensures that you use the most recent minor version of the action.

Using inline configuration to set up the 依赖项审查操作

1. Add a new YAML workflow to your .github/workflows folder.

   YAML

   name: 'Dependency Review'
   on: [pull_request]
   
   permissions:
     contents: read
   
   jobs:
     dependency-review:
       runs-on: ubuntu-latest
       steps:
        - name: 'Checkout Repository'
          uses: actions/checkout@v4
        - name: Dependency Review
          uses: actions/dependency-review-action@v4
   

2. Specify your settings.

   This 依赖项审查操作 example file illustrates how you can use the available configuration options.

   YAML

   name: 'Dependency Review'
   on: [pull_request]
   
   permissions:
     contents: read
   
   jobs:
     dependency-review:
       runs-on: ubuntu-latest
       steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
         with:
           # Possible values: "critical", "high", "moderate", "low"
           fail-on-severity: critical
   
           
           # You can only include one of these two options: `allow-licenses` and `deny-licenses`
           # ([String]). Only allow these licenses (optional)
           # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
           allow-licenses: GPL-3.0, BSD-3-Clause, MIT
           # ([String]). Block the pull request on these licenses (optional)
           # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
           deny-licenses: LGPL-2.0, BSD-2-Clause
           
           # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
           # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
           allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679
           # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional)
           # Possible values: "development", "runtime", "unknown"
           fail-on-scopes: development, runtime
   

Using a configuration file to set up 依赖项审查操作

1. Add a new YAML workflow to your .github/workflows folder and use config-file to specify that you are using a configuration file.

   YAML

   name: 'Dependency Review'
   on: [pull_request]
   
   permissions:
    contents: read
   
   jobs:
     dependency-review:
       runs-on: ubuntu-latest
       steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
         with:
          # ([String]). Representing a path to a configuration file local to the repository or in an external repository.
          # Possible values: An absolute path to a local file or an external file.
          config-file: './.github/dependency-review-config.yml'
          # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred)
          # config-file: 'github/octorepo/dependency-review-config.yml@main'
   
          # ([Token]) Use if your configuration file resides in a private external repository.
          # Possible values: Any GitHub token with read access to the private external repository.
          external-repo-token: 'ghp_123456789abcde'
   

2. Create the configuration file in the path you have specified.

   This YAML example file illustrates how you can use the available configuration options.

   YAML

     # Possible values: "critical", "high", "moderate", "low"
     fail-on-severity: critical
   
     # You can only include one of these two options: `allow-licenses` and `deny-licenses`
     # ([String]). Only allow these licenses (optional)
     # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
     allow-licenses:
       - GPL-3.0
       - BSD-3-Clause
       - MIT
      # ([String]). Block the pull request on these licenses (optional)
      # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/
     deny-licenses:
       - LGPL-2.0
       - BSD-2-Clause
   
      # ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
      # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
     allow-ghsas:
       - GHSA-abcd-1234-5679
       - GHSA-efgh-1234-5679
      # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional)
      # Possible values: "development", "runtime", "unknown"
     fail-on-scopes:
       - development
       - runtime
   

For further details about the configuration options, see dependency-review-action.

Further reading

• "自定义依赖项评审操作配置"