MCPcopy Index your code
hub / github.com/actions/dependency-review-action

github.com/actions/dependency-review-action @v5.0.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v5.0.0 ↗ · + Follow
104 symbols 257 edges 33 files 2 documented · 2% updated 4d agov5.0.0 · 2026-05-08★ 87424 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

dependency-review-action

Overview

The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an API endpoint that diffs the dependencies between any two revisions on your default branch.

The action is available for:

Viewing the results

When the action runs, you can see the results on:

  • The job logs page.
  • Go to the Actions tab for the repository and select the relevant workflow run.
  • Then under "Jobs", click dependency review.

GitHub workflow run log showing Dependency Review job output

  • The job summary page.
  • Go to the Actions tab for the repository and select the relevant workflow run.
  • Click Summary, then scroll to "dependency-review summary".

    GitHub job summary showing Dependency Review output

Installation

Installation (standard)

You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.

Note: Dependency Review Action v5.0.0 updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

  1. Add a new YAML workflow to your .github/workflows folder:

```yaml name: 'Dependency Review' on: [pull_request]

permissions: contents: read

jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: 'Dependency Review' uses: actions/dependency-review-action@v5 ```

Installation (GitHub Enterprise Server)

You can install the action on repositories on GitHub Enterprise Server.

  1. Ensure GitHub Advanced Security and GitHub Connect are enabled for the enterprise.
  2. Ensure you have installed the dependency-review-action on the server.
  3. Add a new YAML workflow to your .github/workflows folder:

```yaml name: 'Dependency Review' on: [pull_request]

permissions: contents: read

jobs: dependency-review: runs-on: self-hosted steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: 'Dependency Review' uses: actions/dependency-review-action@v5 ```

  1. In the workflow file, replace the runs-on value with the label of any of your runners. (The default value is self-hosted.)

Configuration

Configuration options

There are various configuration options you can use to specify settings for the dependency review action.

All configuration options are optional.

Option Usage Possible values Default value
fail-on-severity Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. low, moderate, high, critical low
allow-licenses* Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. Any SPDX-compliant identifier(s) none
deny-licenses* ⚠️ This option is deprecated for possible removal in the next major release. See Deprecate the deny-licenses option #938 for more information.

Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any SPDX-compliant identifier(s) | none | | fail-on-scopes | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | runtime, development, unknown | runtime | | allow-ghsas | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the GitHub Advisory Database | none | | license-check | Enable or disable the license check performed by the action. | true, false | true | | vulnerability-check | Enable or disable the vulnerability check performed by the action. | true, false | true | | allow-dependencies-licenses* | Contains a list of packages that will be excluded from license checks. | Any package(s) in purl format | none | | base-ref/head-ref | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than pull_request and pull_request_target. | Any valid git ref(s) in your project | none | | comment-summary-in-pr | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the pull-requests: write permission. With each execution, a new comment will overwrite the existing one. | always, on-failure, never | never | | deny-packages | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in purl format | empty | | deny-groups | Any number of groups (namespaces) to block in a PR. | Namespace(s) in purl format (no package name, no version number) | empty | | retry-on-snapshot-warnings* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | true, false | false | | retry-on-snapshot-warnings-timeout* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 | | warn-only+ | When set to true, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a success status. This overrides the fail-on-severity option. | true, false | false | | show-openssf-scorecard | When set

Extension points exported contracts — how you extend this code

RepoWithPrivate (Interface)
(no doc)
src/main.ts

Core symbols most depended-on inside this repo

readConfig
called by 51
src/config.ts
parsePURL
called by 31
src/purl.ts
getInvalidLicenseChanges
called by 19
src/licenses.ts
getOptionalInput
called by 12
src/config.ts
purlsMatch
called by 12
src/purl.ts
getDeniedChanges
called by 9
src/deny.ts
getRefs
called by 7
src/git-refs.ts
parseList
called by 7
src/config.ts

Shape

Function 85
Method 11
Class 7
Interface 1

Languages

TypeScript91%
Ruby9%

Modules by API surface

src/summary.ts18 symbols
src/main.ts17 symbols
src/config.ts10 symbols
scripts/scan_pr_lib.rb9 symbols
src/licenses.ts6 symbols
src/utils.ts5 symbols
src/spdx.ts5 symbols
scripts/create_summary.ts4 symbols
src/scorecard.ts3 symbols
src/purl.ts3 symbols
src/filter.ts3 symbols
__tests__/licenses.test.ts3 symbols

For agents

$ claude mcp add dependency-review-action \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact