
Commit 525855c

Add dependency review workflow
1 parent 7f60acc commit 525855c

5 files changed

Lines changed: 33 additions & 0 deletions


Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
# Keep the initial policy focused on risky dependency changes first.
2+
# If you want stricter license enforcement later, add allow-licenses here.
3+
fail-on-severity: high
4+
fail-on-scopes:
5+
- runtime
6+
- unknown
7+
license-check: true
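Review bot: `license-check: true` has nothing to enforce in this file, since neither `allow-licenses` nor `deny-licenses` is set and the comment two lines above defers license enforcement to later; either drop the key until a license list exists or add the list now so the comment and the setting agree. It is also worth stating in the header comment that `fail-on-scopes` limited to `runtime` and `unknown` means advisories in development-scope dependencies (build and test tooling) are reported but never fail the check, and that `fail-on-severity: high` lets moderate and low advisories through; both are reasonable for a first policy, but they should be deliberate and written down where the next maintainer will see them.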
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
name: Dependency Review
2+
3+
on:
4+
pull_request:
5+
6+
permissions:
7+
contents: read
8+
pull-requests: write
9+
10+
jobs:
11+
dependency-review:
12+
name: Dependency Review
13+
runs-on: ubuntu-latest
14+
steps:
15+
- name: Checkout
16+
uses: actions/checkout@v4
17+
18+
- name: Review dependency changes
19+
uses: actions/dependency-review-action@v4
20+
with:
21+
config-file: ./.github/dependency-review-config.yml
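Review bot: `pull-requests: write` is broader than this job needs. The job only checks out the repository and runs the review; the action needs write access to pull requests only when its PR comment summary is enabled, and the config file it points at does not enable that. Suggest reducing to `pull-requests: read` (or dropping the key) until a comment summary is wanted, keeping `contents: read` as the only grant. Second, both steps reference a floating major tag (`uses: actions/checkout@v4`, `uses: actions/dependency-review-action@v4`); for a workflow whose purpose is supply-chain hygiene, pinning each to a full commit SHA with the tag in a trailing comment is the usual recommendation, so that a moved tag cannot silently change what runs on every pull request.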

CONTRIBUTING.md

Lines changed: 2 additions & 0 deletions
@@ -87,6 +87,8 @@ For a pre-commit style check on staged content, run:
8787
npm run check:secrets -- --staged
8888
```
8989

90+
Dependency review also runs automatically on pull requests to catch newly introduced vulnerable dependency changes.
91+
9092
## Changing the API Contract
9193

9294
If you modify request or response shapes:
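Review bot: the new sentence tells contributors that the check exists but not what trips it or where the policy lives, so a contributor whose pull request fails has nothing to act on. Suggest naming the config file and summarising the rule in one clause, for example: `Dependency review also runs automatically on pull requests and fails on high-severity advisories in runtime dependencies; the policy lives in .github/dependency-review-config.yml.`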

README.md

Lines changed: 2 additions & 0 deletions
@@ -120,6 +120,8 @@ The root check runs:
120120

121121
CodeQL code scanning also runs on GitHub for `javascript-typescript`, `python`, and workflow files.
122122

123+
Pull requests also run GitHub dependency review so new vulnerable dependency changes are easier to catch before merge.
124+
123125
## Releases
124126

125127
- Release Drafter keeps a draft release updated from merged pull requests on `main` and can auto-label incoming pull requests by path.
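Review bot: "easier to catch before merge" slightly misstates what this commit delivers: the workflow marks the check as failed for matching advisories, but a failed check only prevents merging if `Dependency Review` is listed as a required status check in branch protection for `main`, and nothing in this commit configures that. Either phrase the README so it matches the current behaviour (the check runs and reports) or add the branch-protection step to the rollout so the stronger claim holds.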

SECURITY.md

Lines changed: 1 addition & 0 deletions
@@ -31,6 +31,7 @@ The repository also uses automated scanning to help catch common security issues
3131

3232
- `gitleaks` in CI for tracked git content
3333
- CodeQL code scanning on GitHub for JavaScript/TypeScript, Python, and workflow files
34+
- GitHub dependency review on pull requests for newly introduced vulnerable dependency changes
3435

3536
Those checks do not replace private disclosure. If you believe a vulnerability is real or
3637
exploitable, please still report it through a private advisory.
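Review bot: "newly introduced vulnerable dependency changes" reads as if every advisory is caught, but the policy added in this commit fails only on high severity and above, and only for dependencies in the `runtime` or `unknown` scope. SECURITY.md is what a reporter reads to judge coverage, so state the threshold in the bullet so nobody assumes moderate or development-only findings are covered, e.g. `- GitHub dependency review on pull requests (fails on high-severity advisories in runtime dependencies)`.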
