This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an API endpoint that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
- Add a new YAML workflow to your
.github/workflowsfolder:
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1If you have bug reports, questions or suggestions please create a new issue.
We are grateful for any contributions made to this project.
Please read CONTRIBUTING.MD to get started.
This project is released under the MIT License.