-
Notifications
You must be signed in to change notification settings - Fork 2
70 lines (67 loc) · 3.33 KB
/
dependency-review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on:
pull_request:
paths:
- 'package.json'
- '**/package.json'
- 'Gemfile.lock'
- '**/Gemfile.lock'
- 'Gemfile'
- '**/Gemfile'
- 'Gemfile_next.lock'
- '**/Gemfile_next.lock'
- 'requirements.txt'
- '**/requirements.txt'
- 'build.gradle'
- '**/build.gradle'
- 'Package.resolved'
- '**/Package.resolved'
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
# Possible values: "critical", "high", "moderate", "low"
fail-on-severity: high
deny-licenses: >
LGPL-2.0, AAL, Adobe-2006, Afmparse, Artistic-1.0,
Artistic-1.0-cl8, Artistic-1.0-Perl, Beerware, blessing, Borceux,
CECILL-B, ClArtistic, Condor-1.1, Crossword, CrystalStacker,
diffmark, DOC, EFL-1.0, EFL-2.0, Fair, FSFUL, FSFULLR, Giftware,
HPND, IJG, Leptonica, LPL-1.0, LPL-1.02, MirOS, mpich2, NASA-1.3,
NBPL-1.0, Newsletr, NLPL, NRL, OGTSL, OLDAP-1.1, OLDAP-1.2,
OLDAP-1.3, OLDAP-1.4, psutils, Qhull, Rdisc, RSA-MD, Spencer-86,
Spencer-94, TU-Berlin-1.0, TU-Berlin-2.0, Vim, W3C-19980720,
W3C-20150513, Wsuipa, WTFPL, xinetd, Zed, Zend-2.0, ZPL-1.1,
AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later,
APSL-1.0, APSL-1.1, APSL-1.2, APSL-2.0, CPAL-1.0, EUPL-1.0,
EUPL-1.1, EUPL-1.2, NPOSL-3.0, OSL-1.0, OSL-1.1, OSL-2.0, OSL-2.1,
OSL-3.0, RPSL-1.0, SSPL-1.0, CAL-1.0,
CAL-1.0-Combined-Work-Exception, Parity-6.0.0, Parity-7.0.0,
RPL-1.1, RPL-1.5, EPL-1.0, EPL-2.0, ErlPL-1.1, IPL-1.0,
LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later,
LGPL-2.1, LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0, MPL-1.0,
MPL-1.1, MPL-2.0, MPL-2.0-no-copyleft-exception, MS-RL, SPL-1.0,
BSD-Protection, copyleft-next-0.3.0, copyleft-next-0.3.1,
GPL-1.0-only, GPL-1.0-or-later, GPL-1.0, GPL-2.0-only,
GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0,
QPL-1.0, Sleepycat
comment-summary-in-pr: true
# ([String]). Block the pull request on these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# ([String]). Skip these GitHub Advisory Database IDs during detection (optional)
# Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories
#allow-ghsas: