The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.
The following configuration options are available:
fail-on-severity
: the action will fail on any pull request that introduces a dependency with a known vulnerability of the specified severity level or higher
allow-licenses
: the action will fail on pull requests that introduce dependencies whose licenses do not match the list
deny-licenses
: the action will fail on pull requests that introduce dependencies whose licenses match the list
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.