
🧪 Dependency Review

Add Security Checks

Dependency review helps you understand dependency changes and their security impact on every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

Review dependency


Exercise: Automate Enforcement of Dependency Review


Understand the Dependency Review Configurations

.github/dependency-review-config.yml

```yaml
fail-on-severity: moderate #(1)!

comment-summary-in-pr: always #(2)!

allow-licenses: #(3)!
  - MIT
  - GPL-3.0
  - BSD-3-Clause

deny-licenses: #(4)!
  - LGPL-2.0
  - BSD-2-Clause

allow-ghsas: #(5)!
  - GHSA-abcd-1234-5679
  - GHSA-efgh-1234-5679

fail-on-scopes: #(6)!
  - development
  - runtime
  - unknown
```
  1. Possible values: "critical", "high", "moderate", "low"
  2. Post summary as a comment to respective pull request
  3. Only allow the listed licenses (optional). Possible values: Any spdx_id value(s) from https://docs.github.com/en/rest/licenses
  4. Block the pull request on these licenses (optional). Possible values: Any spdx_id value(s) from https://docs.github.com/en/rest/licenses

    ⚠ You can only include one of these two options, allow-licenses or deny-licenses, in a single configuration; the action rejects a file that sets both.

  5. Skip these GitHub Advisory Database IDs during detection (optional). Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories

  6. Block pull requests that introduce vulnerabilities in the scopes that match this list (optional). Possible values: "development", "runtime", "unknown"
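To see how these options combine before pushing a config, the following Python script models the decision logic described in the six notes above and runs it over a constructed dependency diff. It is an added example, not the code of actions/dependency-review-action (which additionally resolves the real diff from the dependency graph); package names and the GHSA-0000-* advisory IDs are made up, and the treatment of an unresolved license as non-blocking is an assumption noted in the code.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Ordering used by fail-on-severity: a finding fails the check when its
# severity is at or above the configured threshold.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass
class Advisory:
    ghsa_id: str   # GitHub Advisory Database ID
    severity: str  # one of SEVERITY_RANK


@dataclass
class DependencyChange:
    name: str
    change_type: str          # "added" or "removed"
    license: Optional[str]    # SPDX identifier; None when it could not be resolved
    scope: str                # "development", "runtime" or "unknown"
    advisories: List[Advisory] = field(default_factory=list)


# Settings from .github/dependency-review-config.yml above (allow-licenses
# variant; deny-licenses is shown in the usage note because only one may be set).
CONFIG: Dict[str, Any] = {
    "fail-on-severity": "moderate",
    "allow-licenses": ["MIT", "GPL-3.0", "BSD-3-Clause"],
    "allow-ghsas": ["GHSA-abcd-1234-5679", "GHSA-efgh-1234-5679"],
    "fail-on-scopes": ["development", "runtime", "unknown"],
}


def evaluate(changes: List[DependencyChange], config: Dict[str, Any] = CONFIG) -> List[str]:
    """Return violation messages for a dependency diff; an empty list means the check passes."""
    allow_licenses = config.get("allow-licenses")
    deny_licenses = config.get("deny-licenses")
    if allow_licenses is not None and deny_licenses is not None:
        raise ValueError("allow-licenses and deny-licenses are mutually exclusive")

    threshold = SEVERITY_RANK[config["fail-on-severity"]]
    allowed_ghsas = set(config.get("allow-ghsas", []))
    # The action's default is to check runtime dependencies only.
    scopes = set(config.get("fail-on-scopes", ["runtime"]))

    violations: List[str] = []
    for dep in changes:
        # Only dependencies introduced by the PR are reviewed; removals never block.
        if dep.change_type != "added" or dep.scope not in scopes:
            continue

        for adv in dep.advisories:
            if adv.ghsa_id in allowed_ghsas:
                continue  # accepted via allow-ghsas (e.g. a triaged false positive)
            if SEVERITY_RANK[adv.severity] >= threshold:
                violations.append(f"{dep.name}: {adv.ghsa_id} ({adv.severity})")

        if dep.license is None:
            continue  # assumption: an unresolved license is reported, not blocking
        if allow_licenses is not None and dep.license not in allow_licenses:
            violations.append(f"{dep.name}: license {dep.license} not in allow list")
        elif deny_licenses is not None and dep.license in deny_licenses:
            violations.append(f"{dep.name}: license {dep.license} is denied")
    return violations


def sample_changes() -> List[DependencyChange]:
    """Constructed sample diff; package names and GHSA-0000-* IDs are made up."""
    return [
        DependencyChange("pkg-a", "added", "MIT", "runtime",
                         [Advisory("GHSA-0000-0000-0001", "low")]),        # below threshold
        DependencyChange("pkg-b", "added", "MIT", "development",
                         [Advisory("GHSA-abcd-1234-5679", "high"),          # in allow-ghsas
                          Advisory("GHSA-0000-0000-0002", "moderate")]),   # fails the check
        DependencyChange("pkg-c", "added", "LGPL-2.0", "runtime"),          # license not allowed
        DependencyChange("pkg-d", "removed", "GPL-2.0", "runtime",
                         [Advisory("GHSA-0000-0000-0003", "critical")]),    # removal, ignored
        DependencyChange("pkg-e", "added", None, "runtime"),                # unresolved license
    ]


if __name__ == "__main__":
    for line in evaluate(sample_changes()):
        print(line)
```

Running it reports two violations (the moderate advisory on pkg-b and the LGPL-2.0 license on pkg-c). Raising fail-on-severity to high, or narrowing fail-on-scopes to runtime, leaves only the license violation, which is the quickest way to confirm that a setting has the effect you intend before the PR check enforces it.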

Implement Dependency Review Check

Open the .github/workflows/continuous.integration.yml file in the editor and add the security-checks job shown at the end of the workflow below. The pull-requests: write permission already granted at the top of the workflow is what lets the action post the summary comment enabled by comment-summary-in-pr.

.github/workflows/continuous.integration.yml

```yaml
name: Run Checks on PR

on:
  pull_request:
    branches:
      - main

permissions:
  actions: write
  checks: write
  contents: read
  security-events: write
  pull-requests: write

env:
  CI: true
  SITE_DIR: site
  TETRIS_APP_HOST: "127.0.0.1"
  TETRIS_APP_PORT: "8080"
  TETRIS_APP_PATH: "github-devsecops-fundamentals"

jobs:
  quality-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        with:
          python-version: 3.12
      - uses: actions/setup-node@v3
        with:
          node-version: 20

      - name: Install Dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.ci.txt
          npm ci
          # Install browsers for running functional tests
          npx playwright install --with-deps chromium

      - name: Build
        run: |
          python -m mkdocs build --clean --strict --verbose --site-dir '${{ env.SITE_DIR }}'

      - name: Functional Test
        run: npx playwright test

      - name: Upload Functional Test Report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: playwright-report
          path: playwright-report/
          retention-days: 30

  security-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          config-file: ./.github/dependency-review-config.yml
```

Commit and publish your changes

Pushing your changes will apply the check on the existing pull request.

You can link your changes to an issue

Recall the issue you created earlier and its respective issue number, you will use it to link your current changes to the issue.

```bash
git add .
git commit -m "$(printf 'Create a tetris game to drive site engagement\n\n- Add dependency review as a security check\n\n- Resolves #<ISSUE-NUMBER>')"
git push origin feature/tetris-game
```

When you navigate to the repository on GitHub and open the existing pull request, you can confirm that the check was executed. As the PR currently introduces no vulnerable dependencies and no license violations, the check passes.

Show dependency review outcome

Homework

Can you make the dependency review check fail? Consider which of the six configuration options above a new dependency would have to violate.


📚 Resources