diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md index 3a74065bb6..34bab83637 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md 
@@ -50,11 +50,19 @@ The dependency review feature becomes available when you enable the dependency g {% data reusables.dependency-review.dependency-review-action-beta-note %} -You can use the Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see [`dependency-review-action`](https://github.com/actions/dependency-review-action). +The action is available for all public repositories, as well as private repositories that have {% data variables.product.prodname_GH_advanced_security %} enabled. + +You can use the {% data variables.product.prodname_dependency_review_action %} in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see [`dependency-review-action`](https://github.com/actions/dependency-review-action). ![Dependency review action example](/assets/images/help/graphs/dependency-review-action.png) -The Dependency Review GitHub Action check will fail if it discovers any vulnerable package, but will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)." 
+The {% data variables.product.prodname_dependency_review_action %} check will fail if it discovers any vulnerable package, but will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)." The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)." + +{% ifversion dependency-review-action-configuration %} +You can configure the {% data variables.product.prodname_dependency_review_action %} to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses. For more information, see "[Configuring dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#configuring-the-dependency-review-github-action)." {% endif %} + +{% endif %} + diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review.md index bf8f34c92f..ba6b71ea98 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review.md 
@@ -50,3 +50,56 @@ Dependency review is available when dependency graph is enabled for {% data vari ![Screenshot of "Code security and analysis" features"](/assets/images/enterprise/3.2/repository/code-security-and-analysis-enable-ghas-3.2.png){% endif %}{% ifversion ghes > 3.2 %} ![Screenshot of "Code security and analysis" features"](/assets/images/enterprise/3.4/repository/code-security-and-analysis-enable-ghas-3.4.png){% endif %} {% endif %} + +{% ifversion dependency-review-action-configuration %} +## Configuring the {% data variables.product.prodname_dependency_review_action %} + +The {% data variables.product.prodname_dependency_review_action %} scans your pull requests for dependency changes and raises an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions. + +For more information about the action and the API endpoint, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-reinforcement)" and [Dependency review](/rest/dependency-graph/dependency-review) in the API documentation, respectively. + +The available configuration options are described below. + +| Property | Required / optional | Description | +|------------------|-------------------------------|--------| +| `fail_on_severity` | Optional | Specifies the level of severity (`low`, `moderate`, `high`, `critical`) that causes the action to fail. | +| `allow_licenses` | Optional | .| +| `deny_licenses` | Optional | .| + +The {% data variables.product.prodname_dependency_review_action %} file below shows an example of use of these properties. 
+ +```yaml{:copy} +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: Dependency Review + uses: actions/dependency-review-action@main + with: + # Possible values: "critical", "high", "moderate", "low" + fail_on_severity: critical + + # ([String]). Only allow these licenses (optional) + # Possible values: Any value(s) from https://docs.github.com/en/rest/licenses + allow_licenses: + - "GPL 3.0" + - "BSD 3 Clause" + - "MIT" + + # ([String]). Block the pull request on these licenses (optional) + # Possible values: Any value(s) from https://docs.github.com/en/rest/licenses + deny_licenses: + - "LGPL 2.0" + - "BSD 2 Clause" +``` + +For further details about the configuration options, see [`dependency-review-action`](https://github.com/actions/dependency-review-action#readme). +{% endif %} \ No newline at end of file diff --git a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md index baea88ca85..4c990a950e 100644 --- a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md +++ b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md 
@@ -35,7 +35,7 @@ shortTitle: Review dependency changes Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)." {% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %} -You can use the Dependency Review GitHub Action to help enforce dependency reviews on pull requests in your repository. For more information, see "[Dependency review enforcement](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)." +You can use the {% data variables.product.prodname_dependency_review_action %} to help enforce dependency reviews on pull requests in your repository. For more information, see "[Dependency review enforcement](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)." {% endif %} ## Reviewing dependencies in a pull request diff --git a/data/features/dependency-review-action-configuration.yml b/data/features/dependency-review-action-configuration.yml new file mode 100644 index 0000000000..557594cb3b --- /dev/null +++ b/data/features/dependency-review-action-configuration.yml @@ -0,0 +1,6 @@ +# Reference: Issue #7061 Configuring the dependency review action - [Public Beta] +versions: + fpt: '*' + ghec: '*' + ghes: '>3.5' + ghae: 'issue-7061' diff --git a/data/reusables/dependency-review/dependency-review-action-beta-note.md b/data/reusables/dependency-review/dependency-review-action-beta-note.md index c227b119b0..23aaae3ec2 100644 --- a/data/reusables/dependency-review/dependency-review-action-beta-note.md +++ b/data/reusables/dependency-review/dependency-review-action-beta-note.md 
@@ -1,5 +1,5 @@ {% note %} -**Note**: The Dependency Review GitHub Action is currently in public beta and subject to change. +**Note**: The {% data variables.product.prodname_dependency_review_action %} is currently in public beta and subject to change. {% endnote %} \ No newline at end of file diff --git a/data/variables/product.yml b/data/variables/product.yml index 5419530a1c..fbb7471c5a 100644 --- a/data/variables/product.yml +++ b/data/variables/product.yml @@ -181,6 +181,7 @@ prodname_code_scanning_capc: 'Code scanning' prodname_codeql_runner: 'CodeQL runner' prodname_advisory_database: 'GitHub Advisory Database' prodname_codeql_workflow: 'CodeQL analysis workflow' +prodname_dependency_review_action: 'Dependency Review GitHub Action' # Visual Studio prodname_vs: 'Visual Studio'
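Review bot: in the about-dependency-review.md hunk, the inserted sentence "The action is available for all public repositories, as well as private repositories that have {% data variables.product.prodname_GH_advanced_security %} enabled." now sits before the paragraph that first names the action, so "The action" has no antecedent at that point; move it after the "You can use the {% data variables.product.prodname_dependency_review_action %} in your repository..." paragraph, or name the action in the sentence itself. Also check the Liquid balance at the end of the hunk: the configuration paragraph opens `{% ifversion dependency-review-action-configuration %}` and closes it on the same line with `{% endif %}`, then a further `+{% endif %}` follows with no opening tag visible in the hunk; confirm it closes an `{% ifversion %}` that begins above the hunk, otherwise the page will fail to render on an unmatched `endif`.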
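Review bot: in the configuring-dependency-review.md hunk, the `allow_licenses` and `deny_licenses` table rows have an empty Description cell (`| Optional | .|`), so the options are listed without saying what they do; fill them in (which licenses the action permits, and which cause it to fail) or leave the rows out until the text is ready. Three further points on the same hunk: the link to "About dependency review" uses the anchor `#dependency-review-reinforcement`, while the reviewing-dependency-changes hunk links the same section as `#dependency-review-enforcement`, so one of the two is broken; the example workflow pins `actions/dependency-review-action@main`, which in a supply-chain-security document is exactly the mutable reference readers should avoid, so pin a released tag or a full commit SHA the way the checkout step already does with `actions/checkout@v3`; and the comments send readers to the REST licenses endpoint for valid values, so confirm that the space-separated forms `"GPL 3.0"` and `"BSD 3 Clause"` are identifiers that endpoint actually returns, otherwise the example teaches a format that silently matches nothing. The new file content also ends with `\ No newline at end of file`; add the trailing newline.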