How to Block Risky Dependencies With dependency-review-action
dependency-review-action diffs the dependency changes in a PR and fails the check on vulnerable or disallowed packages.
Run actions/dependency-review-action on the pull_request event. It compares the base and head manifests, then blocks the PR if it introduces a dependency above your severity threshold or with a denied license.
Steps
- Add a workflow triggered on
pull_request. - Grant
contents: read(andpull-requests: writefor summary comments). - Set
fail-on-severityand optionaldeny-licenses.
Workflow
.github/workflows/pr.yml
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
deny-licenses: GPL-3.0, AGPL-3.0Gotchas
- The action needs the dependency graph enabled on the repository to diff manifests.
- It only reviews changes in the PR, so run scanning separately for the full existing tree.
Related guides
How to Run the OpenSSF Scorecard Action in CIScore your repository security posture in CI with the OpenSSF Scorecard action, which checks for pinned depen…
How to Protect Against Dependency Confusion in CIDefend CI builds against dependency confusion by scoping internal packages and pinning the registry, so a pub…