
bulk of the work

This commit is contained in:
mchammer01
2022-06-09 14:34:10 +01:00
parent 2006a4d278
commit b1dd04b968
4 changed files with 17 additions and 12 deletions

View File

@@ -61,7 +61,7 @@ The {% data variables.product.prodname_dependency_review_action %} check will fa
The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)."
{% ifversion dependency-review-action-configuration %}
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses to scan. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
{% endif %}
{% endif %}
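Review bot: the wording added on the new line, "set an allow or deny list for licenses to scan", is ambiguous: the action does not scan licenses, it compares the licenses of the dependencies a pull request introduces against the list. Suggest "set an allow or deny list of licenses for the dependencies it checks", or keep the previous "set an allow or deny list for licenses".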

View File

@@ -55,20 +55,17 @@ Dependency review is available when dependency graph is enabled for {% data vari
## Configuring the {% data variables.product.prodname_dependency_review_action %}
{% data reusables.dependency-review.dependency-review-action-beta-note %}
{% data reusables.dependency-review.dependency-review-action-overview %}
The {% data variables.product.prodname_dependency_review_action %} scans your pull requests for dependency changes and raises an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
The following configuration options are available.
For more information about the action and the API endpoint, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-reinforcement)" and [Dependency review](/rest/dependency-graph/dependency-review) in the API documentation, respectively.
The available configuration options are described below.
| Property | Required / optional | Description |
| Option | Required | Usage |
|------------------|-------------------------------|--------|
| `fail_on_severity` | Optional | Specifies the level of severity (`low`, `moderate`, `high`, `critical`) that causes the action to fail. |
| `allow_licenses` | Optional | .|
| `deny_licenses` | Optional | .|
| `fail_on_severity` | Optional | Defines the threshold for level of severity (`low`, `moderate`, `high`, `critical`).</br>The action will fail on pull requests containing vulnerabilities of the specified severity level. |
| `allow_licenses` | Optional | Contains a list of allowed licenses. You can find the possible values for this parameter in the [Licenses](https://docs.github.com/en/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that do not match the list.|
| `deny_licenses` | Optional | Contains a list of prohibited licenses. You can find the possible values for this parameter in the [Licenses](https://docs.github.com/en/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that match the list.|
The {% data variables.product.prodname_dependency_review_action %} file below shows an example of use of these properties.
This {% data variables.product.prodname_dependency_review_action %} example file illustrates how you can use these configuration options.
```yaml{:copy}
name: 'Dependency Review'
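Review bot: the two new sentences ("The {% data variables.product.prodname_dependency_review_action %} scans your pull requests ..." and "For more information about the action and the API endpoint ...") duplicate the text of `reusables.dependency-review.dependency-review-action-overview`, which is already included on the line just above them; drop the inline copies so the text is maintained in one place. In the table, `</br>` is not a valid line-break tag; use `<br>` (or `<br/>`). The `fail_on_severity` row says both "Defines the threshold" and "vulnerabilities of the specified severity level", so state explicitly whether the action fails only at that severity or at that severity and above. The `allow_licenses` and `deny_licenses` rows link to https://docs.github.com/en/rest/licenses as an absolute URL while the rest of the file uses site-relative paths such as /rest/dependency-graph/dependency-review, and the rows do not say what happens when both lists are set.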

View File

@@ -35,9 +35,14 @@ shortTitle: Review dependency changes
Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
{% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %}
You can use the {% data variables.product.prodname_dependency_review_action %} to help enforce dependency reviews on pull requests in your repository. For more information, see "[Dependency review enforcement](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)."
You can use the {% data variables.product.prodname_dependency_review_action %} to help enforce dependency reviews on pull requests in your repository. {% data reusables.dependency-review.dependency-review-action-overview %}
{% ifversion dependency-review-action-configuration %}
You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs by specifying the type of dependency vulnerability you wish to catch. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)."
{% endif %}
{% endif %}
## Reviewing dependencies in a pull request
{% data reusables.repositories.sidebar-pr %}
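Review bot: the new sentence "by specifying the type of dependency vulnerability you wish to catch" does not match the options this commit documents, which are a severity threshold (`fail_on_severity`) and license allow and deny lists (`allow_licenses`, `deny_licenses`). Suggest "by specifying the severity level that causes the action to fail, or an allow or deny list of licenses".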

View File

@@ -0,0 +1,3 @@
The {% data variables.product.prodname_dependency_review_action %} scans your pull requests for dependency changes and raises an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
For more information about the action and the API endpoint, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-reinforcement)," and "[Dependency review](/rest/dependency-graph/dependency-review)" in the API documentation, respectively.
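Review bot: the link anchor `#dependency-review-reinforcement` in this new reusable does not match `#dependency-review-enforcement`, the anchor the reviewing-dependency-changes article used for the same section in the line this commit removes; check which heading exists in about-dependency-review and use that anchor consistently. The same file's first line also repeats verbatim in configuring-dependency-review, where the reusable is already included, so the inline copy there can go.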