byu-oit / hw-fargate-api

Template for creating a product specific repo with terraform files for deployment
Apache License 2.0

Introduce `actions/dependency-review-action` #845

Open GaryGSC opened 1 year ago

GaryGSC commented 1 year ago

Dependency Review is recommended by the GitHub Advanced Security folks.

To use it, we would add actions/dependency-review-action to one of our CI workflows.

But... I'm not seeing a great way to introduce it to this repo without breaking things for users without GHAS licenses.


In order to use features that require a GHAS license, I see there's now a way to see if GHAS is enabled on a repo, where part of the response looks like:

```json
"security_and_analysis": {
  "advanced_security": {
    "status": "enabled"
  }
}
```

However, it might be tricky to call that API as part of a workflow because:

> In order to see the `security_and_analysis` block for a repository you must have admin permissions for the repository or be an owner or security manager for the organization that owns the repository.

GaryGSC commented 1 year ago

This might be sufficient:

```yaml
if: github.repository_owner == 'byu-oit' # Intent is to check if GHAS is enabled
```
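As an added example (not code from this issue or from the hw-fargate-api repo), here is a complete workflow that wires the `if:` gate above to `actions/dependency-review-action`. The `ghas-status` job, which queries the repos API for the `security_and_analysis` block and only logs what it sees, the `fail-on-severity: high` threshold, and the `@v4` action tags are assumptions of this example; the gate itself is the `repository_owner` check proposed in the comment.

```yaml
# Added example: run dependency review only for repos owned by byu-oit,
# so forks and copies of the template elsewhere skip the job instead of
# failing on a missing GHAS license.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read          # dependency-review-action reads the PR diff
  pull-requests: write    # lets the action post its summary on the PR

jobs:
  ghas-status:
    # Diagnostic only (assumption of this example): ask the repos API for
    # security_and_analysis. The default GITHUB_TOKEN usually lacks the admin
    # permission the docs quote requires, so the value is often empty; that
    # is why it is logged here and NOT used as the gate below.
    runs-on: ubuntu-latest
    outputs:
      advanced_security: ${{ steps.query.outputs.status }}
    steps:
      - id: query
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          status=$(gh api "repos/${GITHUB_REPOSITORY}" \
            --jq '.security_and_analysis.advanced_security.status // empty' 2>/dev/null || true)
          echo "status=${status}" >> "$GITHUB_OUTPUT"
          echo "advanced_security.status: '${status:-not visible to this token}'"

  dependency-review:
    needs: ghas-status
    # Proxy for "GHAS is enabled", as proposed in the issue.
    if: github.repository_owner == 'byu-oit'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high        # threshold chosen for this example
          comment-summary-in-pr: always
```

Because the gate is a job-level `if:`, a repo outside the `byu-oit` organization shows the job as skipped rather than failed, which is the behaviour the issue is after; the `ghas-status` output can be swapped in as the condition later if the workflow is ever given a token that can see the `security_and_analysis` block.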