PythonScripts/.github/workflows/dependency-review-action.yml at main · AOSSIE-Org/PythonScripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Automatically scans every PR for newly added dependencies
# Blocks merges if a dependency license is NOT in the allow-list
# Flags CVEs with moderate+ severity
# Docs: https://github.com/actions/dependency-review-action


name: Dependency Review

on:
  pull_request:
    branches:
      - main
      - master
      - develop
    # Only re-run when dependency manifests actually change
    paths:
      # JavaScript / TypeScript / Node
      - "**/package.json"
      - "**/package-lock.json"
      - "**/yarn.lock"
      - "**/pnpm-lock.yaml"
      # Python
      - "**/requirements*.txt"
      - "**/Pipfile.lock"
      - "**/pyproject.toml"
      - "**/poetry.lock"
      # Rust
      - "**/Cargo.toml"
      - "**/Cargo.lock"
      # Go
      - "**/go.mod"
      - "**/go.sum"
      # Java / Kotlin / Android
      - "**/pom.xml"
      - "**/build.gradle"
      - "**/build.gradle.kts"
      - "**/*.gradle"
      # Ruby
      - "**/Gemfile.lock"
      # Docker / Infrastructure
      - "**/Dockerfile"
      - "**/docker-compose*.yml"
      - "**/docker-compose*.yaml"
      # GitHub Actions themselves
      - ".github/workflows/*.yml"
      - ".github/workflows/*.yaml"

permissions:
  contents: read          # Required to read the repo content
# pull-requests: write    # Required to post review comments on the PR

jobs:
  dependency-review:
    name: Dependency & License Review
    runs-on: ubuntu-latest

    steps:
      - name: Run Dependency Review
        uses: actions/dependency-review-action@v5
        with:
          # ── VULNERABILITY SETTINGS ──────────────────────────
          # Fail if any newly added dependency has a CVE at this
          # severity level or above. Options: low | moderate | high | critical
          fail-on-severity: moderate

          # Which dependency scopes to check for vulnerabilities
          # Options: runtime | development | unknown (comma-separated)
          fail-on-scopes: runtime

          # ── LICENSE ENFORCEMENT ─────────────────────────────
          # ALLOW: Only these licenses are permitted in new dependencies.
          # PRs introducing any other license will fail automatically.
          # Full SPDX list: https://spdx.org/licenses/
          allow-licenses: >-
            MIT,
            Apache-2.0,
            BSD-2-Clause,
            BSD-3-Clause,
            ISC,
            CC0-1.0,
            Unlicense,
            GPL-2.0-only,
            GPL-2.0-or-later,
            GPL-3.0-only,
            GPL-3.0-or-later,
            LGPL-2.0-only,
            LGPL-2.0-or-later,
            LGPL-2.1-only,
            LGPL-2.1-or-later,
            LGPL-3.0-only,
            LGPL-3.0-or-later,
            AGPL-3.0-only,
            AGPL-3.0-or-later,
            MPL-2.0,
            EUPL-1.2,
            Python-2.0,
            PSF-2.0

          # PER-PACKAGE EXCEPTIONS: Packages excluded from license checks entirely.
          # Use for packages with unrecognized/non-standard license declarations.
          # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
          # ── Edit this list when adding approved exceptions ──
          # allow-dependencies-licenses: >-
          #   pkg:npm/example-package,
          #   pkg:pypi/example-package

          # ── SCOPE FILTERING ─────────────────────────────────
          # Skip dev-only dependencies (test frameworks, linters, etc.)
          # They are not shipped to production so risk is lower.
          # Set to "all" to also scan devDependencies.
          # Options: runtime | development | all
          # Using "runtime" keeps noise low in template repos
          # where dev deps vary wildly by project type.
          # Uncomment the line below to enforce on devDeps too:
          # fail-on-scopes: runtime, development
          allow-ghsas: ""   # Leave empty to block all known GHSAs

          # ── OUTPUT & COMMENTS ────────────────────────────────
          # Post a detailed summary comment directly on the PR
          # comment-summary-in-pr: always

          # Fail (don't just warn) on license violations.
          # Change to "true" to only warn without failing.
          warn-only: false

          # ── VULNERABILITY DATABASE ───────────────────────────
          # Use the GitHub Advisory Database (GHSA) as the source.
          # This is the default; listed explicitly for clarity.
          # vulnerability-check: true   # default
          # Add explicitly so teams know it's active
          show-openssf-scorecard: true
          warn-on-openssf-scorecard-level: 3

  #  Post a status summary badge to PR
  # summarize:
  #   name: Post Review Summary
  #   runs-on: ubuntu-latest
  #   needs: dependency-review
  #   if: always()

  #   steps:
  #     - name: 📋 Summarize Result
  #       run: |
  #         if [ "${{ needs.dependency-review.result }}" == "success" ]; then
  #           echo "✅ Dependency review passed — no license violations or CVEs found."
  #         else
  #           echo "❌ Dependency review failed — check the PR comment for details."
  #           echo ""
  #           echo "Common fixes:"
  #           echo "  • Replace dependencies using licenses not in allow-licenses"
  #           echo "  • Upgrade vulnerable packages to patched versions"
  #           echo "  • Add an explicit exception to allow-dependencies-licenses if intentional"
  #         fi