Skip to main content

此版本的 GitHub Enterprise Server 已于以下日期停止服务 2024-07-09. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

配置依赖项审查

可以使用依赖项评审来捕获漏洞,以避免将其添加到项目中。

About dependency review

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

For more information, see "About dependency review" and "Reviewing dependency changes in a pull request."

About configuring dependency review

Dependency review is available when dependency graph is enabled for your GitHub Enterprise Server instance and Advanced Security is enabled for the organization or repository. For more information, see "Enabling GitHub Advanced Security for your enterprise."

Checking if the dependency graph is enabled

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Configure security and analysis features", check if the dependency graph is enabled.

  5. If dependency graph is enabled, click Enable next to "GitHub Advanced Security" to enable Advanced Security, including dependency review. The enable button is disabled if your enterprise has no available licenses for Advanced Security.

    Screenshot of "Code security and analysis features".

About configuring the dependency review action

The dependency review action scans your pull requests for dependency changes and raises an error if any new dependencies have known vulnerabilities. The action is supported by an API endpoint that compares the dependencies between two revisions and reports any differences.

For more information about the action and the API endpoint, see the dependency-review-action documentation, and "REST API endpoints for dependency review."

Here is a list of common configuration options. For more information, and a full list of options, see Dependency Review on the GitHub Marketplace.

OptionRequiredUsage
fail-on-severityDefines the threshold for level of severity (low, moderate, high, critical).
The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
fail-on-scopesContains a list of strings representing the build environments you want to support (development, runtime, unknown).
The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list.
comment-summary-in-prEnable or disable the reporting of the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission.
allow-ghsasContains a list of GitHub Advisory Database IDs that can be skipped during detection. You can find the possible values for this parameter in the GitHub Advisory Database.
config-fileSpecifies a path to a configuration file. The configuration file can be local to the repository or a file located in an external repository.
external-repo-tokenSpecifies a token for fetching the configuration file, if the file resides in a private external repository. The token must have read access to the repository.