Dependency Review
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:
- Which dependencies were added, removed, or updated, along with the release dates.
- How many projects use these components.
- Vulnerability data for these dependencies.
Exercise: Automate Enforcement of Dependency Review
Understand the Dependency Review Configurations
```yaml
fail-on-severity: moderate       # (1)
comment-summary-in-pr: always    # (2)
allow-licenses:                  # (3)
  - MIT
  - GPL-3.0
  - BSD-3-Clause
deny-licenses:                   # (4)
  - LGPL-2.0
  - BSD-2-Clause
allow-ghsas:                     # (5)
  - GHSA-abcd-1234-5679
  - GHSA-efgh-1234-5679
fail-on-scopes:                  # (6)
  - development
  - runtime
  - unknown
```
1. Possible values: "critical", "high", "moderate", "low"
2. Post the summary as a comment on the respective pull request
3. Only allow the listed licenses (optional). Possible values: any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
4. Block the pull request on these licenses (optional). Possible values: any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses. You can only include one of these two options: `allow-licenses` or `deny-licenses`.
5. Skip these GitHub Advisory Database IDs during detection (optional). Possible values: any valid GitHub Advisory Database ID from https://github.com/advisories
6. Block pull requests that introduce vulnerabilities in the scopes that match this list (optional). Possible values: "development", "runtime", "unknown"
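As an added example (not the workshop's own workflow file), here is a complete workflow job that wires the options explained above into a pull request check. It assumes the public `actions/dependency-review-action` and `actions/checkout` actions, a `pull_request` trigger, and uses only `allow-licenses` because the action rejects a configuration that sets both `allow-licenses` and `deny-licenses`.

```yaml
name: Continuous Integration

on:
  pull_request:
    branches: [main]

permissions:
  contents: read          # read the manifests in the pull request
  pull-requests: write    # required for comment-summary-in-pr: always

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check on advisories rated moderate or higher
          fail-on-severity: moderate
          # Always post the dependency diff as a PR comment
          comment-summary-in-pr: always
          # Inline inputs are comma-separated strings; set either
          # allow-licenses OR deny-licenses, never both
          allow-licenses: MIT, GPL-3.0, BSD-3-Clause
          # Only vulnerabilities in these scopes fail the check
          fail-on-scopes: runtime, development
```

The `fail-on-scopes` value here deliberately leaves out `unknown`, so dependencies whose scope cannot be determined are reported but do not block the merge; add it back if you want the stricter behaviour shown in the configuration above.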
Implement Dependency Review Check
Open the .github/workflows/continuous.integration.yml file in the editor and add the highlighted content as follows:
Commit and publish your changes
Pushing your changes will apply the check on the existing pull request.
You can link your changes to an issue
Recall the issue you created earlier and its issue number; you will use it to link your current changes to that issue.
When you navigate to the repository on GitHub and open the existing pull request, you can confirm that the check was executed. As there are no compliance violations currently in the PR, the check is successful.
Homework
Can you make the dependency review check fail?