Federico Builes

Results 53 comments of Federico Builes

Thanks for bringing up a good point! I will remove the example with an allow list since the action doesn't support both allow/deny: https://github.com/actions/dependency-review-action/#licenses. Using an example from an actual...

@ericcornelissen thanks for the callout, I'll update the README to include these details. In the meantime: The action uses the same set of files that Dependabot and Dependency Graph uses...

@ericcornelissen thanks for the link, it definitely isn't super clear that `.github/workflows/deps-analysis.yml` was scanned in the message from that run (it's worse in this case due to the licensing issue...

@ericcornelissen There should be a new release of the action by next week containing a couple of new features, one of them being a summary of everything that was scanned....

@AtzeDeVries this sounds like something we could do in the future. What format do you envision to specify the dependencies?

We'll likely move our config options (licenses and allow/denylist) to an external config file in the upcoming months to make this Action easier to install in big organizations. Will take...

@LiuVII what do you think about adding a new config option (a list called `ignore`?) that is checked against the `advisory_ghsa_id` field of the [API response](https://github.com/actions/dependency-review-action/blob/main/src/schemas.ts#L18)? We don't receive CVEs...
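A sketch of what the proposed `ignore` option could look like, as an added example and not code from actions/dependency-review-action. It assumes a trimmed-down shape for the Dependency Review API response (an array of changes, each carrying a `vulnerabilities` array whose entries have an `advisory_ghsa_id`), validates the configured ids, and reports ignore-list entries that matched nothing so stale ids do not linger silently. The sample changes and GHSA-style ids are constructed for the example.

```typescript
// Added example (not code from actions/dependency-review-action).
// The Change/Vulnerability shape below is an assumption that mirrors the
// fields the Dependency Review API documents; only the ones used here are kept.

interface Vulnerability {
  severity: string;
  advisory_ghsa_id: string;
  advisory_summary: string;
  advisory_url: string;
}

interface Change {
  change_type: "added" | "removed";
  name: string;
  version: string;
  vulnerabilities: Vulnerability[];
}

interface FilterResult {
  // Added packages that still carry at least one non-ignored vulnerability.
  failing: Change[];
  // Ignore-list entries that matched an advisory in this diff.
  used: string[];
  // Ignore-list entries that matched nothing (stale or mistyped ids).
  unused: string[];
}

// GHSA ids look like GHSA-xxxx-xxxx-xxxx; the exact alphabet is not enforced here.
const GHSA_PATTERN = /^GHSA(-[a-z0-9]{4}){3}$/i;

// Validate and normalise the configured ignore list. A malformed entry is a
// configuration error and should fail loudly rather than be skipped.
export function parseIgnoreList(raw: string[]): Set<string> {
  const ids = new Set<string>();
  for (const entry of raw) {
    const id = entry.trim();
    if (!GHSA_PATTERN.test(id)) {
      throw new Error(`ignore: "${entry}" is not a GHSA id (expected GHSA-xxxx-xxxx-xxxx)`);
    }
    ids.add(id.toLowerCase());
  }
  return ids;
}

// Drop ignored advisories from each added package and keep only the packages
// that still have something to report. Removed packages are skipped because
// they cannot introduce a vulnerability into the pull request.
export function applyIgnoreList(changes: Change[], ignore: Set<string>): FilterResult {
  const used = new Set<string>();
  const failing: Change[] = [];
  for (const change of changes) {
    if (change.change_type !== "added") continue;
    const remaining = change.vulnerabilities.filter((v) => {
      const id = v.advisory_ghsa_id.toLowerCase();
      if (ignore.has(id)) {
        used.add(id);
        return false;
      }
      return true;
    });
    if (remaining.length > 0) {
      failing.push({ ...change, vulnerabilities: remaining });
    }
  }
  const unused = [...ignore].filter((id) => !used.has(id));
  return { failing, used: [...used], unused };
}

// Constructed sample diff (not real API output or real advisories).
export const SAMPLE_CHANGES: Change[] = [
  {
    change_type: "added", name: "left-pad", version: "0.0.1",
    vulnerabilities: [
      { severity: "high", advisory_ghsa_id: "GHSA-aaaa-bbbb-cccc", advisory_summary: "constructed", advisory_url: "https://example.invalid/a" },
    ],
  },
  {
    change_type: "added", name: "other-pkg", version: "1.2.3",
    vulnerabilities: [
      { severity: "moderate", advisory_ghsa_id: "GHSA-aaaa-bbbb-cccc", advisory_summary: "constructed", advisory_url: "https://example.invalid/a" },
      { severity: "critical", advisory_ghsa_id: "GHSA-dddd-eeee-ffff", advisory_summary: "constructed", advisory_url: "https://example.invalid/b" },
    ],
  },
  {
    change_type: "removed", name: "old-pkg", version: "9.9.9",
    vulnerabilities: [
      { severity: "high", advisory_ghsa_id: "GHSA-dddd-eeee-ffff", advisory_summary: "constructed", advisory_url: "https://example.invalid/b" },
    ],
  },
];

export function runSample(): FilterResult {
  return applyIgnoreList(SAMPLE_CHANGES, parseIgnoreList(["GHSA-aaaa-bbbb-cccc", " ghsa-zzzz-zzzz-zzzz "]));
}
```

Matching is case-insensitive because ids copied from advisory pages and from the API can differ in case; the `unused` list is what a maintainer would surface in the run summary so that an ignore entry for an advisory that no longer appears in the diff gets cleaned up.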

@tspascoal ~Thanks! Do you mind adding a screenshot of what this would look like, or linking to an Action run we can use to see the behavior before merging?~ Please...

@Yash-Singh1 thanks for your suggestion (and apologies for the delay replying). At the moment our API does not support differentiation between the dependency types, but I'll keep this issue open...

Hi @joshjohanning -- Thanks for the heads up! I don't think the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) supports this yet; once it does I'll provide a new update!