GitHub announced the Dependency Review GitHub Action, which scans pull requests for dependency changes and raises an error if any newly added dependency has known vulnerabilities that could be exploited in a supply chain attack. Dependabot already alerts developers when vulnerabilities are found in their existing dependencies; the new action aims to catch the problem at the moment a new dependency is added.
The action is available for private repositories that have GitHub Advanced Security licensed and for all public repositories. It can be found on the GitHub Marketplace and in a repository's Actions tab under the Security heading.
GitHub states that the action is backed by an API endpoint that diffs the dependencies between any two revisions to determine which dependencies are new and what their security impact is.
To use it, add the Dependency Review GitHub Action to an existing workflow in one of your projects, either through your repository's Actions tab under Security or straight from the GitHub Marketplace.
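As an added example (not code from the article, and not GitHub's own documentation), here is a minimal workflow file, for instance `.github/workflows/dependency-review.yml`, that wires the action into a pull request check. The action reference `actions/dependency-review-action` is the published action; the version tags, the file path and the job name are assumptions:

```yaml
# Added example workflow (not from the article): runs the dependency
# review action on every pull request and fails the check when a newly
# added dependency carries a known advisory in the GitHub Advisory Database.
name: Dependency Review

# The action compares the pull request head against its base revision,
# so it only makes sense on pull_request events.
on: [pull_request]

# Least privilege: the action only needs to read repository contents.
permissions:
  contents: read

jobs:
  dependency-review:            # job name is an assumption
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v3                   # version pin is an assumption
      - name: Review newly added dependencies
        uses: actions/dependency-review-action@v2   # version pin is an assumption
```

The workflow surfaces as a required status check on the pull request: when a newly introduced dependency matches an advisory, the step fails and the check annotation names the package, so the reviewer sees the finding before the merge rather than after Dependabot picks it up later. The action relies on the repository's dependency graph, which must be enabled for the comparison to return results; restricting `permissions` to `contents: read` keeps the token the action receives from being able to modify the repository.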
“When you add the dependency review action to your repository, it will scan your pull requests for dependency changes. Then, it will check the GitHub Advisory Database to see if any of the new dependencies have existing vulnerabilities,” wrote Courtney Claessens, a Senior Product Manager at GitHub. “If they do, the action will raise an error so that you can see which dependency has a vulnerability and implement the fix with the contextual intelligence provided.”
More information on reviewing dependency changes in a pull request is available in a post published by GitHub.