|
| 1 | +--- |
| 2 | +title: Customizing your dependency review action configuration |
| 3 | +intro: 'Learn how to add a basic customization to your dependency review configuration.' |
| 4 | +product: '{% data reusables.gated-features.dependency-review-action %}' |
| 5 | +versions: |
| 6 | + fpt: '*' |
| 7 | + ghes: '*' |
| 8 | + ghec: '*' |
| 9 | +type: tutorial |
| 10 | +topics: |
| 11 | + - Dependency graph |
| 12 | + - Dependencies |
| 13 | + - Repositories |
| 14 | +shortTitle: Customize dependency review |
| 15 | +--- |
| 16 | + |
| 17 | +## Introduction |
| 18 | + |
| 19 | +The {% data variables.dependency-review.action_name %} scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. Once installed, if the workflow run is marked as required, pull requests introducing known vulnerable packages will be blocked from merging. |
| 20 | + |
| 21 | +This guide shows you how to add three very common customizations: failing builds based on vulnerability severity level, dependency license, and scope. |
| 22 | + |
| 23 | +### Prerequisites |
| 24 | + |
| 25 | +This guide assumes that: |
| 26 | + |
| 27 | +* Dependency graph is enabled for the repository.{% ifversion fpt or ghec %} Dependency graph is enabled by default for public repositories and you can choose to enable it for private repositories.{% endif %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository)". |
| 28 | +* {% data variables.product.prodname_actions %} is enabled for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)". |
| 29 | + |
| 30 | +## Step 1: Adding the dependency review action |
| 31 | + |
| 32 | +In this step, we'll add the dependency review workflow to your repository. |
| 33 | + |
| 34 | +{% data reusables.repositories.navigate-to-repo %} |
| 35 | +{% data reusables.repositories.actions-tab %} |
| 36 | +1. Under "Get started with {% data variables.product.prodname_actions %}", find the "Security" category, then click **View all**. |
| 37 | +1. Find "Dependency review", then click **Configure**. Alternatively, search for "Dependency review" using the search bar. |
| 38 | +1. This will open dependency review’s {% data variables.product.prodname_actions %} workflow file, `dependency-review.yml`. It should contain the following: |
| 39 | + |
| 40 | + ```yaml copy |
| 41 | + name: 'Dependency review' |
| 42 | + on: |
| 43 | + pull_request: |
| 44 | + branches: [ "main" ] |
| 45 | + |
| 46 | + permissions: |
| 47 | + contents: read |
| 48 | + |
| 49 | + jobs: |
| 50 | + dependency-review: |
| 51 | + runs-on: ubuntu-latest |
| 52 | + steps: |
| 53 | + - name: 'Checkout repository' |
| 54 | + uses: {% data reusables.actions.action-checkout %} |
| 55 | + - name: 'Dependency Review' |
| 56 | + uses: actions/dependency-review-action@v4 |
| 57 | + ``` |
| 58 | +
|
| 59 | +## Step 2: Changing the severity |
| 60 | +
|
| 61 | +You can block code containing vulnerable dependencies from ever being merged by setting the {% data variables.dependency-review.action_name %} to required. However, it's worth noting that blocking low-risk vulnerabilities may be too restrictive in some circumstances. In this step, we will change the severity of vulnerability that will cause a build to fail with the `fail-on-severity` option. |
| 62 | + |
| 63 | +1. Add the `fail-on-severity` option to the end of the `dependency-review.yml` file: |
| 64 | + |
| 65 | + ```yaml copy |
| 66 | + - name: 'Dependency Review' |
| 67 | + uses: actions/dependency-review-action@v4 |
| 68 | + with: |
| 69 | + fail-on-severity: moderate |
| 70 | + ``` |
| 71 | + |
| 72 | +## Step 3: Adding licenses to block |
| 73 | + |
| 74 | +Vulnerabilities aren’t the only reason you might want to block a dependency. If your organization has restrictions on what sorts of licenses you can use, you can use dependency review to enforce those policies with the `deny-licenses` option. In this step, we will add a customization that will break the build if the pull request introduces a dependency that contains the LGPL-2.0 or BSD-2-Clause license. |
| 75 | + |
| 76 | +1. Add the `deny-licenses` option to the end of the `dependency-review.yml` file: |
| 77 | + |
| 78 | + ```yaml copy |
| 79 | + - name: 'Dependency Review' |
| 80 | + uses: actions/dependency-review-action@v4 |
| 81 | + with: |
| 82 | + fail-on-severity: moderate |
| 83 | + deny-licenses: LGPL-2.0, BSD-2-Clause |
| 84 | + ``` |
| 85 | + |
| 86 | +## Step 4: Adding scopes |
| 87 | + |
| 88 | +Finally, we'll use the `fail-on-scopes` option to prevent merging vulnerable dependencies to specific deployment environments, in this case the development environment. |
| 89 | + |
| 90 | +1. Add the `fail-on-scopes` option to the end of the `dependency-review.yml` file: |
| 91 | + |
| 92 | + ```yaml copy |
| 93 | + - name: 'Dependency Review' |
| 94 | + uses: actions/dependency-review-action@v4 |
| 95 | + with: |
| 96 | + fail-on-severity: moderate |
| 97 | + deny-licenses: LGPL-2.0, BSD-2-Clause |
| 98 | + fail-on-scopes: development |
| 99 | + ``` |
| 100 | + |
| 101 | +## Step 5: Check the configuration |
| 102 | + |
| 103 | +The `dependency-review.yml` file should now look like this: |
| 104 | + |
| 105 | +```yaml copy |
| 106 | +
|
| 107 | +name: 'Dependency Review' |
| 108 | +on: [pull_request] |
| 109 | +
|
| 110 | +
|
| 111 | +
|
| 112 | +permissions: |
| 113 | + contents: read |
| 114 | +
|
| 115 | +
|
| 116 | +
|
| 117 | +jobs: |
| 118 | + dependency-review: |
| 119 | + runs-on: ubuntu-latest |
| 120 | + steps: |
| 121 | + - name: 'Checkout Repository' |
| 122 | + uses: {% data reusables.actions.action-checkout %} |
| 123 | + - name: Dependency Review |
| 124 | + uses: actions/dependency-review-action@v4 |
| 125 | + with: |
| 126 | + fail-on-severity: moderate |
| 127 | + deny-licenses: LGPL-2.0, BSD-2-Clause |
| 128 | + fail-on-scopes: development |
| 129 | +``` |
| 130 | + |
| 131 | +You can use this configuration as a template for your own custom configurations. |
| 132 | + |
| 133 | +For more information on all the possible customization options, see the [README](https://github.com/actions/dependency-review-action/blob/main/README.md#configuration) in the dependency review action documentation. |
| 134 | + |
| 135 | +## Best practices |
| 136 | + |
| 137 | +When customizing your dependency review configuration, there are some best practices you can follow: |
| 138 | + |
| 139 | +* Choose block lists over allow lists. It is more practical to compile a list of the "really bad" dependencies you want to block than to create an inclusive list of all the libraries you want to allow. |
| 140 | + |
| 141 | +* Choose to block licenses instead of specifying which licenses to allow. There are a wide variety of licenses out there, so it's usually more practical to exclude those you know are incompatible with current licenses than it is to compile a complete list of compatible licenses. |
| 142 | + |
| 143 | +* Choose `fail-on-severity`. Failing based on the severity of a vulnerability is a good way to balance the need for security with the need to create low-friction experiences for developers. |
| 144 | + |
| 145 | +## Further reading |
| 146 | + |
| 147 | +* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#about-configuring-the-dependency-review-action)"{% ifversion repo-rules %} |
| 148 | +* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization)"{% endif %} |
0 commit comments