Skip to content
Latchkey

Dependency Review and Vulnerability Scan workflow (Nya-Foundation/NyaProxy)

The Dependency Review and Vulnerability Scan workflow from Nya-Foundation/NyaProxy, explained and optimized by Latchkey.

A

CI health: A - excellent

Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: Nya-Foundation/NyaProxy.github/workflows/scan.ymlLicense MITView source

What it does

This is the Dependency Review and Vulnerability Scan workflow from the Nya-Foundation/NyaProxy repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# .github/workflows/dependency-review.yml
name: Dependency Review and Vulnerability Scan

on:
  push:
    branches-ignore:
      - 'main'
      - 'staging'
      - 'dev'
    paths:
      - 'pyproject.toml'
      - 'setup.py'
      - 'setup.cfg'
      - '**/*requirements*.txt'
      - 'Pipfile'
      - 'Pipfile.lock'
  pull_request:
    branches: ['staging', 'dev']
    paths:
      - 'pyproject.toml'
      - 'setup.py'
      - 'setup.cfg'
      - '**/*requirements*.txt'
      - 'Pipfile'
      - 'Pipfile.lock'
  workflow_dispatch:

# Updated permissions to allow for code scanning alerts
permissions:
  contents: read
  security-events: write

# Cancel outdated workflow runs on the same branch/PR
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    name: Scan Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Dependency Review
        # This action scans dependency manifest files for known vulnerabilities
        # using the GitHub Advisory Database and can check for license compliance.
        # See: https://github.com/actions/dependency-review-action
        uses: actions/dependency-review-action@v4
        with:
          # The base branch for the pull request or the main branch for pushes
          base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
          head-ref: ${{ github.sha }}

          # Scan for vulnerabilities reported in the GitHub Advisory Database
          vulnerability-check: true
          # Fail the workflow if any vulnerabilities with 'high' or 'critical' severity are found.
          # Allowed values: low, moderate, high, critical
          fail-on-severity: high

          # Uncomment based on your license policy
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, 0BSD, Python-2.0
          
  codeql-analysis:
    name: CodeQL SAST Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # Optional: specify queries for additional security checks
          # queries: security-extended,security-and-quality
          
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
        
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
          upload: true

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# .github/workflows/dependency-review.yml
name: Dependency Review and Vulnerability Scan
 
on:
  push:
    branches-ignore:
      - 'main'
      - 'staging'
      - 'dev'
    paths:
      - 'pyproject.toml'
      - 'setup.py'
      - 'setup.cfg'
      - '**/*requirements*.txt'
      - 'Pipfile'
      - 'Pipfile.lock'
  pull_request:
    branches: ['staging', 'dev']
    paths:
      - 'pyproject.toml'
      - 'setup.py'
      - 'setup.cfg'
      - '**/*requirements*.txt'
      - 'Pipfile'
      - 'Pipfile.lock'
  workflow_dispatch:
 
# Updated permissions to allow for code scanning alerts
permissions:
  contents: read
  security-events: write
 
# Cancel outdated workflow runs on the same branch/PR
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 
jobs:
  dependency-review:
    timeout-minutes: 30
    name: Scan Dependencies
    runs-on: latchkey-small
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
 
      - name: Dependency Review
        # This action scans dependency manifest files for known vulnerabilities
        # using the GitHub Advisory Database and can check for license compliance.
        # See: https://github.com/actions/dependency-review-action
        uses: actions/dependency-review-action@v4
        with:
          # The base branch for the pull request or the main branch for pushes
          base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
          head-ref: ${{ github.sha }}
 
          # Scan for vulnerabilities reported in the GitHub Advisory Database
          vulnerability-check: true
          # Fail the workflow if any vulnerabilities with 'high' or 'critical' severity are found.
          # Allowed values: low, moderate, high, critical
          fail-on-severity: high
 
          # Uncomment based on your license policy
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, 0BSD, Python-2.0
          
  codeql-analysis:
    timeout-minutes: 30
    name: CodeQL SAST Analysis
    runs-on: latchkey-small
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # Optional: specify queries for additional security checks
          # queries: security-extended,security-and-quality
          
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
        
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
          upload: true

What changed

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow