bulk of the work
@@ -61,7 +61,7 @@ The {% data variables.product.prodname_dependency_review_action %} check will fa
|
|||||||
The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)."
|
The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)."
|
||||||
|
|
||||||
{% ifversion dependency-review-action-configuration %}
|
{% ifversion dependency-review-action-configuration %}
|
||||||
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
|
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses to scan. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|||||||
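Review bot: the new wording "set an allow or deny list for licenses to scan" in the right-hand line of this hunk is misleading. The lists do not select which licenses get scanned; they decide which dependency licenses are permitted or prohibited, and the action fails the pull request when a newly introduced dependency's license does not match. Suggest "set an allow or deny list for dependency licenses", which also matches how `allow_licenses` and `deny_licenses` are described in the configuring-dependency-review table in this same commit.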
@@ -55,20 +55,17 @@ Dependency review is available when dependency graph is enabled for {% data vari
|
|||||||
## Configuring the {% data variables.product.prodname_dependency_review_action %}
|
## Configuring the {% data variables.product.prodname_dependency_review_action %}
|
||||||
|
|
||||||
{% data reusables.dependency-review.dependency-review-action-beta-note %}
|
{% data reusables.dependency-review.dependency-review-action-beta-note %}
|
||||||
|
{% data reusables.dependency-review.dependency-review-action-overview %}
|
||||||
|
|
||||||
The {% data variables.product.prodname_dependency_review_action %} scans your pull requests for dependency changes and raises an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
|
The following configuration options are available.
|
||||||
|
|
||||||
For more information about the action and the API endpoint, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-reinforcement)" and [Dependency review](/rest/dependency-graph/dependency-review) in the API documentation, respectively.
|
| Option | Required | Usage |
|
||||||
|
|
||||||
The available configuration options are described below.
|
|
||||||
|
|
||||||
| Property | Required / optional | Description |
|
|
||||||
|------------------|-------------------------------|--------|
|
|------------------|-------------------------------|--------|
|
||||||
| `fail_on_severity` | Optional | Specifies the level of severity (`low`, `moderate`, `high`, `critical`) that causes the action to fail. |
|
| `fail_on_severity` | Optional | Defines the threshold for level of severity (`low`, `moderate`, `high`, `critical`).</br>The action will fail on pull requests containing vulnerabilities of the specified severity level. |
|
||||||
| `allow_licenses` | Optional | .|
|
| `allow_licenses` | Optional | Contains a list of allowed licenses. You can find the possible values for this parameter in the [Licenses](https://docs.github.com/en/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that do not match the list.|
|
||||||
| `deny_licenses` | Optional | .|
|
| `deny_licenses` | Optional | Contains a list of prohibited licenses. You can find the possible values for this parameter in the [Licenses](https://docs.github.com/en/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that match the list.|
|
||||||
|
|
||||||
The {% data variables.product.prodname_dependency_review_action %} file below shows an example of use of these properties.
|
This {% data variables.product.prodname_dependency_review_action %} example file illustrates how you can use these configuration options.
|
||||||
|
|
||||||
```yaml{:copy}
|
```yaml{:copy}
|
||||||
name: 'Dependency Review'
|
name: 'Dependency Review'
|
||||||
|
|||||||
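Review bot: two wording points in the new table rows. The `fail_on_severity` row calls the value a "threshold" but then says the action fails on pull requests "containing vulnerabilities of the specified severity level", which reads as an exact match; say "of the specified severity level or higher" so the threshold semantics are explicit. The `allow_licenses` and `deny_licenses` rows link to `https://docs.github.com/en/rest/licenses` as an absolute URL, while every other API link in this file is site-relative (for example `/rest/dependency-graph/dependency-review`); use `/rest/licenses` for consistency with the rest of the page.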
@@ -35,9 +35,14 @@ shortTitle: Review dependency changes
|
|||||||
Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
|
Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
|
||||||
|
|
||||||
{% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %}
|
{% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %}
|
||||||
You can use the {% data variables.product.prodname_dependency_review_action %} to help enforce dependency reviews on pull requests in your repository. For more information, see "[Dependency review enforcement](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)."
|
|
||||||
|
You can use the {% data variables.product.prodname_dependency_review_action %} to help enforce dependency reviews on pull requests in your repository. {% data reusables.dependency-review.dependency-review-action-overview %}
|
||||||
|
|
||||||
|
{% ifversion dependency-review-action-configuration %}
|
||||||
|
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs by specifying the type of dependency vulnerability you wish to catch. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
## Reviewing dependencies in a pull request
|
## Reviewing dependencies in a pull request
|
||||||
|
|
||||||
{% data reusables.repositories.sidebar-pr %}
|
{% data reusables.repositories.sidebar-pr %}
|
||||||
|
|||||||
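Review bot: the added sentence inside `{% ifversion dependency-review-action-configuration %}` says you tailor the action "by specifying the type of dependency vulnerability you wish to catch", which does not describe what the options do. The configuring page changed in this same commit documents a severity threshold (`fail_on_severity`) and license allow/deny lists; none of those selects a vulnerability type. Reuse the wording from about-dependency-review.md ("specify the severity level that will make the action fail, or set an allow or deny list for licenses") so the two pages agree. Note also that the removed line carried an explicit link to the "Dependency review enforcement" section; after this change readers of this page reach that section only via the reusable, so make sure the reusable's link is correct.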
@@ -0,0 +1,3 @@
|
|||||||
|
The {% data variables.product.prodname_dependency_review_action %} scans your pull requests for dependency changes and raises an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
|
||||||
|
|
||||||
|
For more information about the action and the API endpoint, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-reinforcement)," and "[Dependency review](/rest/dependency-graph/dependency-review)" in the API documentation, respectively.
|
||||||
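Review bot: the link in this new reusable uses the anchor `about-dependency-review#dependency-review-reinforcement`, but the line removed from reviewing-dependency-changes-in-a-pull-request.md in the `@@ -35,9 +35,14 @@` hunk links to the same section as "[Dependency review enforcement](...#dependency-review-enforcement)". The two anchors cannot both be right; given the visible section title is "Dependency review enforcement", the reusable most likely needs `#dependency-review-enforcement`. Since this reusable is now the only path to that section from the reviewing page, please verify the anchor against the heading in about-dependency-review.md before merging.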