GitHub Dependabot alerts and dependency graph support

Open bigdaz opened this issue 2 years ago • 0 comments

The GitHub Dependency Graph is central to all aspects of GitHub supply chain security, including Dependency Review on PRs and Dependabot Security Alerts. The goal is to make it easy to enable the GitHub Dependency Graph for any project built with Gradle.

The Gradle dependency-graph support will consist of 2 parts:

  1. The gradle/actions/dependency-submission action:
    • Provides a convenient mechanism to generate and submit a dependency graph from a GitHub Actions workflow
    • Provides options to include/exclude particular projects and configurations from the dependency graph
    • Leverages the GitHub Dependency Graph Gradle Plugin
  2. The GitHub Dependency Graph Gradle Plugin:
    • Collects all resolved dependencies for a Gradle execution, and exports these in GitHub Dependency Graph format
    • Provides a custom task designed to resolve all possible dependencies for a build
    • Could be used in other CI environments to generate a dependency graph for submission to GitHub
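As an added illustration (not part of the issue text above), here is a minimal workflow that wires the first part of the roadmap into a repository: it runs the dependency-submission action on pushes to the default branch so Dependabot alerts are computed against the resolved graph. The action version, the `dependency-graph-exclude-configurations` input and its regex value are assumptions based on the action's published inputs rather than anything stated in this issue.

```yaml
# .github/workflows/dependency-submission.yml (example, not from the issue)
name: Dependency Submission

on:
  push:
    branches: [ main ]   # submit the graph for the default branch, which is what Dependabot alerts use

permissions:
  contents: write        # the Dependency Submission API needs write access to record the snapshot

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v4   # version assumed
        with:
          # Assumed input name: drop test-only configurations from the submitted graph.
          # Caveat: anything excluded here will not produce Dependabot alerts, so only
          # exclude configurations whose dependencies never reach a shipped artifact.
          dependency-graph-exclude-configurations: '.*[Tt]est.*'
```

The submitted snapshot is what Dependency Review on pull requests and Dependabot Security Alerts reason about, so keep the exclusions narrow and review them whenever build configurations change.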

bigdaz, Feb 22 '23 01:02