-
Notifications
You must be signed in to change notification settings - Fork 0
55 lines (47 loc) · 1.87 KB
/
dependency-review.yml
File metadata and controls
55 lines (47 loc) · 1.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# =============================================================================
# NFTBan - Dependency Review
# =============================================================================
# SPDX-License-Identifier: MPL-2.0
# Purpose: Review dependencies for security vulnerabilities on pull requests
#
# Runs on:
# - Pull requests to main branch
#
# Outputs:
# - Blocks PRs that introduce high or critical severity vulnerabilities
# - Reports vulnerable dependencies in PR comments
# =============================================================================
name: Dependency Review
on:
pull_request:
branches: [main]
permissions:
contents: read
pull-requests: write
concurrency:
group: dependency-review-${{ github.ref }}
cancel-in-progress: true
jobs:
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Dependency Review
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
with:
fail-on-severity: high
comment-summary-in-pr: always
- name: Generate summary
if: always()
run: |
echo "## Dependency Review Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Dependency Review scans for security vulnerabilities in dependencies:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Blocking Criteria" >> $GITHUB_STEP_SUMMARY
echo "- **High severity** vulnerabilities: Blocked" >> $GITHUB_STEP_SUMMARY
echo "- **Critical severity** vulnerabilities: Blocked" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Review the PR comments for detailed vulnerability information." >> $GITHUB_STEP_SUMMARY