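---
# Reusable workflow (invoked by callers through `workflow_call`) that runs
# actions/dependency-review-action against the calling repository's pull
# request. Vulnerability severity threshold and allow-lists are caller
# inputs; the license deny-list is fixed (see the comment on deny-licenses).
name: 'Dependency Review'
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      fail-on-severity:
        type: string
        description: "Configure the severity level for vulnerability alerting. Possible values: critical, high, moderate, low."
        default: "high"
      allow-ghsas:
        type: string
        description: "A comma separated list of any GitHub Advisory IDs that can be skipped during detection. Example: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'"
      # Forwarded to the action's `allow-dependencies-licenses` input, so the
      # exemption applies to the license check only, not to vulnerability alerts.
      allow-deps:
        type: string
        description: "A comma separated list of packages to exclude from the license check, specified in purl format"
# Least privilege: the action only needs to read the repository contents.
permissions:
  contents: read
jobs:
  dependency-review:
    name: Scan dependencies for license compliance and vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        # Pinned to a full commit SHA (version noted in the trailing comment) so
        # a moved tag cannot swap in different action code.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # No later step performs git operations, so do not leave the job
          # token in .git/config for the rest of the job.
          persist-credentials: false
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
        with:
          fail-on-severity: ${{ inputs.fail-on-severity }}
          allow-ghsas: ${{ inputs.allow-ghsas }}
          allow-dependencies-licenses: ${{ inputs.allow-deps }}
          deny-licenses: GPL-3.0, AGPL-3.0, LGPL-3.0 # these are hardcoded to be compliant with sigstore/community/LICENSING.md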