Add dependency review workflow to scan for license violations and CVEs#105
Zahnentferner merged 10 commits into AOSSIE-Org:main from
Walkthrough: Adds a new GitHub Actions workflow.
Sequence Diagram(s)
sequenceDiagram
participant Contributor
participant GitHub as GitHub (PR)
participant Actions as GitHub Actions
participant DepReview as dependency-review-action@v4
participant GHSA as GHSA/API
Contributor->>GitHub: Open PR modifying dependency manifests
GitHub->>Actions: Trigger dependency-review workflow (path filters matched)
Actions->>DepReview: Execute configured dependency review
DepReview->>GHSA: Query vulnerability data (vulnerability-check)
GHSA-->>DepReview: Return GHSA findings
DepReview-->>Actions: Emit results (fail/warn per config)
Actions-->>GitHub: Update PR check status
GitHub-->>Contributor: Surface check results on PR
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-review-action.yml:
- Around line 116-118: The comment above the warn-only setting is incorrect:
when warn-only: false the action will fail on license issues rather than just
warn; update the comment that currently reads "Warn (don't fail) for packages
with no license info." to clearly state that setting warn-only: false will cause
the action to fail on packages with no license info (or flip the boolean to true
if you want warning-only behavior) so the comment and the YAML key warn-only:
false are consistent.
- Around line 67-69: Update the misleading comment above the fail-on-scopes
setting so it accurately describes that fail-on-scopes controls which dependency
scopes (runtime, development, unknown) will cause the workflow to fail when
vulnerabilities are detected, rather than controlling whether fixes are
available; specifically revise the comment near the fail-on-scopes: runtime
entry to remove the "no fix is yet available" wording and state that it selects
which scopes trigger failures on found CVEs.
- Around line 56-60: Replace the floating tags actions/checkout@v4 and
actions/dependency-review-action@v4 with their corresponding full commit SHAs to
prevent tag-hijacking; locate the two usages of "uses: actions/checkout@v4" and
"uses: actions/dependency-review-action@v4" in the workflow and update them to
the vetted commit SHAs (optionally add a trailing comment with the semver tag
for readability), and consider using Dependabot/Renovate to keep those SHAs up
to date.
- Around line 97-99: The allow-dependencies-licenses list contains placeholder
package entries pkg:npm/@aossie/core and pkg:npm/@myorg/mypackage; remove these
placeholder strings from the allow-dependencies-licenses value or replace them
with your actual allowed package coordinates, or explicitly mark them as
examples via comments and include a brief instruction on replacing them. Update
the allow-dependencies-licenses block so it only contains real allowed packages
(or documented example entries) and ensure any comment clearly references the
two placeholder tokens so future editors know to replace or remove them.
- Around line 75-91: The deny-licenses list uses deprecated SPDX IDs; update the
values under the deny-licenses key so each deprecated identifier (GPL-2.0,
GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, AGPL-1.0, AGPL-3.0) is replaced with the
modern SPDX forms (e.g., GPL-2.0-only, GPL-3.0-only, LGPL-2.0-only,
LGPL-2.1-only, LGPL-3.0-only, AGPL-1.0-only, AGPL-3.0-only); if you need to deny
both fixed and later-published variants, include the corresponding -or-later
entries as well (e.g., GPL-2.0-or-later) alongside or instead of the -only form.
📒 Files selected for processing (1)
.github/workflows/dependency-review-action.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-review-action.yml:
- Around line 2-3: The workflow comments contradict the actual license rules:
update the header/comment "Blocks merges on license violations
(GPL/LGPL/restrictive)" and any inline comments near the license list so they
reflect the configured policy (either block copyleft licenses or allow them) —
specifically reconcile the top comment and the comment around the
allowed-licenses list that currently permits "GPL/LGPL/AGPL" so the text and the
configured allow/deny entries match; ensure comments mention the authoritative
behavior (deny or allow) and that the license names in comments match the
entries in the allowed/denied lists.
- Around line 100-107: Remove the duplicated comment block that starts with
"ALLOW EXCEPTIONS: Packages that are explicitly approved" (the repeated guidance
and format lines) so only a single guidance block remains; edit the section in
the github workflow by deleting the second occurrence of the identical ALLOW
EXCEPTIONS comment lines and keep one correctly formatted block with the same
explanatory text and example format.
- Around line 56-60: The workflow includes an unnecessary "Checkout Repository"
step using actions/checkout@v4 before the Run Dependency Review step; remove the
step named "Checkout Repository" (the actions/checkout@v4 invocation) so the job
runs only the actions/dependency-review-action@v4 step, ensuring the
dependency-review action can operate without checking out the repo and reducing
runtime and surface area.
- Around line 18-44: The workflow's path filters miss .yaml variants; update the
paths list in the dependency-review-action workflow to add the alternate
extensions by including "docker-compose*.yaml" alongside "docker-compose*.yml"
and ".github/workflows/*.yaml" alongside ".github/workflows/*.yml" so YAML files
with the .yaml extension are caught; leave existing root-level entries like
"package.json" and "Dockerfile" unchanged since they already match nested files.
| # ── Edit this list when adding approved exceptions ── | ||
| # ALLOW EXCEPTIONS: Packages that are explicitly approved | ||
| # even if they match a denied license pattern. | ||
| # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version" |
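Review bot: the comment on these lines undersells what the exception does. A package listed under allow-dependencies-licenses is excluded from license checking altogether, not approved for one particular denied license, so "approved even if they match a denied license pattern" should say that any license reported for that package will pass the check; that is the behaviour a future editor needs to know before adding an entry in the purl format shown on the Format line.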
…e exception handling instructions
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-review-action.yml:
- Around line 131-149: The commented "Post Review Summary" step's remediation
guidance incorrectly tells readers to "Replace GPL-licensed packages" which
conflicts with the workflow's allowed-licenses policy (GPL/LGPL/AGPL allowed in
the earlier policy block). Update the summary text in the "Summarize Result"
step (name: "📋 Summarize Result") to remove the suggestion to replace GPL
packages and instead advise actions consistent with the license policy—e.g.,
verify the package is on the allowed-licenses list or add an explicit
exception—so the guidance no longer conflicts with the allowed GPL/LGPL/AGPL
entries.
- Around line 16-43: The path filters in the workflow use root-only patterns
(e.g., "package.json", "requirements*.txt", "go.mod", "pom.xml", "Dockerfile")
which miss nested manifests in monorepos; update the list in
.github/workflows/dependency-review-action.yml to use recursive globs by
prefixing each entry with "**/" (for example "**/package.json",
"**/requirements*.txt", "**/go.mod", "**/pom.xml", "**/Dockerfile", etc.) so
files at any depth are matched by the workflow.
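As an added example, not the PR's workflow file, here is a dependency-review workflow that applies the findings from the three reviews above: SHA pinning, no checkout step, comments that match what warn-only and fail-on-scopes actually do, current SPDX identifiers, a clearly marked example exception entry, and recursive, .yaml-aware path filters. The commit SHA, the moderate severity threshold and the @example package name are placeholders or assumptions, not values from the PR.

```yaml
name: Dependency Review

on:
  pull_request:
    branches: [main, master, develop]      # filters on the PR's base branch
    paths:                                 # "**/" also matches root-level files
      - "**/package.json"
      - "**/package-lock.json"
      - "**/requirements*.txt"
      - "**/go.mod"
      - "**/pom.xml"
      - "**/Dockerfile"
      - "**/docker-compose*.yml"
      - "**/docker-compose*.yaml"
      - ".github/workflows/*.yml"
      - ".github/workflows/*.yaml"

permissions:
  contents: read        # read the dependency-graph diff
  pull-requests: write  # only needed for comment-summary-in-pr

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # No actions/checkout step: the action reads the dependency graph through
      # the GitHub API and does not need the repository contents.
      - name: Run Dependency Review
        # Pin to a full commit SHA, not a floating tag; the SHA below is a
        # PLACEHOLDER, replace it with the vetted SHA for the v4 tag.
        uses: actions/dependency-review-action@0000000000000000000000000000000000000000 # v4
        with:
          # Advisories at or above this severity fail the check (assumed threshold).
          fail-on-severity: moderate
          # Which dependency scopes make a found vulnerability fail the check.
          fail-on-scopes: runtime
          # Current SPDX identifiers; bare GPL-2.0 / LGPL-3.0 style IDs are
          # deprecated. The action accepts deny-licenses OR allow-licenses, not both.
          deny-licenses: >-
            GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later,
            LGPL-2.0-only, LGPL-2.1-only, LGPL-3.0-only,
            AGPL-1.0-only, AGPL-3.0-only
          # Packages excluded from license checking altogether, as purls.
          # Example entry only (assumed name); replace or remove before merge.
          allow-dependencies-licenses: "pkg:npm/@example/approved-package"
          # false: findings fail the check rather than only warning.
          warn-only: false
          comment-summary-in-pr: on-failure
```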
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-review-action.yml:
- Around line 9-16: The workflow currently only triggers on pull_request changes
(the on: pull_request block with branches and paths), so newly disclosed CVEs
for unchanged manifests are missed; add a periodic trigger (schedule with cron)
and/or a manual trigger (workflow_dispatch) to the on: section so the job runs
regularly and can be manually invoked to rescan dependencies and surface new
advisories.
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - master | ||
| - develop | ||
| # Only re-run when dependency manifests actually change | ||
| paths: |
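Review bot: the paths: filter on this pull_request trigger works against the merge-blocking goal stated in the workflow header. When none of the listed paths change, the workflow does not run at all, so if this check is configured as a required status check those PRs show it as expected and cannot be merged; either keep it out of the required checks or drop paths: and let the action finish quickly on PRs with no dependency diff. Note also that branches: here filters on the PR's base branch, so PRs targeting any other branch are never reviewed.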
🧹 Nitpick | 🔵 Trivial
Consider a scheduled/manual run to catch newly disclosed CVEs.
This workflow triggers on PR manifest changes, so advisories published later for unchanged dependencies won’t be surfaced here. A periodic run (or workflow_dispatch) can close that gap.
📌 Optional workflow trigger extension
on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 3 * * 1" # weekly, Monday 03:00 UTC
pull_request:
branches:
- main
- master
- develop
🤖 Prompt for AI Agents
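Review bot: the schedule: trigger added in this diff will not rescan unchanged dependencies as the comment intends. dependency-review-action compares the dependency graph of a base ref against a head ref, so outside a pull_request event it needs explicit base-ref and head-ref inputs, and a cron run that compares main with itself has nothing to report. Advisories disclosed after merge are what Dependabot alerts on the default branch cover; workflow_dispatch is still useful for an on-demand review if the two refs are passed as inputs.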
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/dependency-review-action.yml around lines 9 - 16, The
workflow currently only triggers on pull_request changes (the on: pull_request
block with branches and paths), so newly disclosed CVEs for unchanged manifests
are missed; add a periodic trigger (schedule with cron) and/or a manual trigger
(workflow_dispatch) to the on: section so the job runs regularly and can be
manually invoked to rescan dependencies and surface new advisories.