"依存関係レビュー アクション" とは、GitHub Actions コンテキスト内の pull request の差異を報告できる特定のアクションです。 また、GitHub Actions ワークフローに強制メカニズムを追加することもできます。 詳しくは、「依存関係の確認について」をご覧ください。
一般的な構成オプションの一覧については、GitHub Marketplace に関する 依存関係の確認 を参照してください。
依存関係レビュー アクション の構成について
依存関係レビュー アクション を構成する方法は 2 つあります。
- ワークフロー ファイル内に構成オプションをインライン化する。
- ワークフロー ファイル内で構成オプションを参照する。
すべての例で、アクションに対して、semver リリース番号 (v3 など) ではなく、短いバージョン番号 (v3.0.8) が使われています。 これにより、アクションの最新のマイナー バージョンを使うことができます。
インライン構成を使って 依存関係レビュー アクション を設定する
-
`.github/workflows` フォルダーに新しい YAML ワークフローを追加します。YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4 -
必要に応じて設定を変更します。
この 依存関係レビュー アクション サンプル ファイルは、利用可能な構成オプションの使用方法を示しています。
YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtimename: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtime
構成ファイルを使って 依存関係レビュー アクション を設定する
-
`.github/workflows` フォルダーに新しい YAML ワークフローを追加し、`config-file` を使って構成ファイルを使用していることを指定します。YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde'name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v5 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde' -
指定したパスに構成ファイルを作成します。
この YAML ファイルの例は、利用可能な構成オプションの使用方法を示しています。
YAML # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime# Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime
構成オプションの詳細については、「dependency-review-action」を参照してください。
詳細については、次を参照してください。
-
[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/customizing-your-dependency-review-action-configuration)