actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

Allow this action to run on branch #754

Open writemevm opened 2 months ago

writemevm commented 2 months ago

Currently, this action only allows running on PRs. Is it possible to allow this action to run on a specified branch? How will it detect when there is no change in dependencies, yet the issue is introduced by the old version being used?

felickz commented 2 months ago

You can specify the base/head where the diff of those two will be used to create the list of dependencies to review.

https://github.com/actions/dependency-review-action/blob/0659a74c94536054bfa5aeb92241f70d680cc78e/action.yml#L25-L30

The base/head git ref to be used for this check. Has a default value when the workflow event is pull_request or pull_request_target. Must be provided otherwise.

Ex: https://github.com/ctcampbellcom/WebGoat/actions/runs/8667866545

      head-ref: ${{ github.ref }}
      base-ref: ${{ github.event.repository.default_branch }}

dependency-review Not in the context of a pull request. Skipping comment creation.

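A complete workflow built around the two inputs felickz points at, as an added example rather than anything from the action's own docs or this thread: it runs the action on pushes to a release branch (the `release/**` pattern, the `fail-on-severity` threshold and the job name are assumptions), diffing the pushed ref against the repository's default branch.

```yaml
name: Dependency review on branch push

on:
  push:
    branches:
      - 'release/**'   # assumed branch pattern; adjust to the branches you want covered
  workflow_dispatch:   # allows a manual run against whatever ref is selected

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Outside a pull_request event the refs have no default, so both must be set.
      # The action compares the dependency manifests between base-ref and head-ref
      # and reports new dependencies with known advisories or disallowed licenses.
      - uses: actions/dependency-review-action@v4
        with:
          base-ref: ${{ github.event.repository.default_branch }}
          head-ref: ${{ github.ref }}
          fail-on-severity: moderate   # assumed threshold; fails the job on moderate or higher
```

Because the run is not tied to a pull request, the action logs "Not in the context of a pull request. Skipping comment creation." and the results appear only in the job summary and log.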

juxtin commented 2 months ago

Thank you to @felickz for the very thorough answer on the topic of running on branches!

I'll take the other part of this issue:

How will it detect when there is no change in dependencies, yet the issue is introduced by the old version being used?

That's not really the use case that Dependency Review is intended to solve. It sounds like what you want is something like Dependabot alerts, but with support for multiple branches. Is that right?

writemevm commented 2 months ago


Thank you @felickz. I will give it a try based on your recommendation and let you know.

writemevm commented 2 months ago

@juxtin - I was looking for something similar to Veracode SCA (https://github.com/marketplace/actions/veracode-dependency-scanning) where I can run the dependency review on a branch or any commit.

This would be a great improvement if it can be supported. Let me know.