gradle / build-tool-roadmap

Gradle Build Tool roadmap
https://roadmap.gradle.org/

GitHub Dependabot alerts and dependency graph support #42

Closed bigdaz closed 6 months ago

bigdaz commented 1 year ago

The GitHub Dependency Graph is central to all aspects of GitHub supply chain security, including Dependency Review on PRs and Dependabot Security Alerts. The goal is to make it easy to enable the GitHub Dependency Graph for any project built with Gradle.

The Gradle dependency-graph support will consist of 2 parts:

  1. The gradle/actions/dependency-submission action:

    • Provides a convenient mechanism to generate and submit a dependency graph from a GitHub Actions workflow
    • Provides options to include/exclude particular projects and configurations from the dependency graph
    • Leverages the GitHub Dependency Graph Gradle Plugin
  2. The GitHub Dependency Graph Gradle Plugin:

    • Collects all resolved dependencies for a Gradle execution, and exports these in GitHub Dependency Graph format
    • Provides a custom task designed to resolve all possible dependencies for a build.
    • Could be used in other CI environments to generate a dependency-graph for submission to GitHub
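As an added illustration of part 1 above (this is an editor's example, not a workflow shipped by the gradle/actions project or posted by the commenter), the following GitHub Actions workflow generates a dependency graph on every push to the default branch and submits it to the GitHub Dependency Graph. The action reference `gradle/actions/dependency-submission@v3` and the input names `dependency-graph-exclude-projects` and `dependency-graph-exclude-configurations` are taken from the action's documentation as I recall it; the `buildSrc` project name and the test-classpath regex are assumptions chosen for illustration, so verify both against the action's current README before adopting them.

```yaml
# Added example workflow (not part of the original issue or of gradle/actions).
# Generates a Gradle dependency graph and submits it so that Dependabot alerts
# and Dependency Review can see the build's resolved dependencies.
name: Dependency Submission

on:
  push:
    branches: [ main ]   # assumption: the default branch is called "main"

permissions:
  # The Dependency Submission API requires write access to repository contents.
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17   # assumption: the build targets Java 17

      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v3
        with:
          # Assumed input names; both are documented as regex filters.
          # Exclude the build-logic project so its dependencies are not
          # reported as part of the product's supply chain (assumption: a
          # project named ":buildSrc" exists in this build).
          dependency-graph-exclude-projects: ':buildSrc'
          # Exclude test-only configurations so Dependabot alerts focus on
          # dependencies that ship with the artifact (assumed regex).
          dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath'
```

Two points worth checking when adopting a workflow like this: the `contents: write` permission is what lets the action call the Dependency Submission API, so a repository that pins a restrictive default `permissions:` block must grant it explicitly at the job or workflow level; and because the graph reflects whatever the configured Gradle invocation actually resolves, excluding too many configurations silently narrows what Dependabot can alert on, so review the exclusion filters as a security decision rather than a build-performance one.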
bigdaz commented 6 months ago

The dependency-submission action has been delivered and is now being used in over 2000 public repositories.

Further improvements to documentation are planned, but this feature is functionally complete.