Stage 5 · Platform
Supply-Chain Security
Dependency Review
Gating pull requests with dependency-review-action, OSV data, license policies, and severity thresholds.
Dependency Review Concept
Dependency review checks new dependencies introduced in a pull request. It identifies vulnerabilities, license issues, and known risks before they merge into the main branch. This is more targeted than full dependency scanning — it focuses on what changed.
The key advantage is prevention. Instead of discovering a vulnerable dependency weeks after it was added, dependency review catches it at the PR stage. This is cheaper and safer than remediation after the fact.
GitHub Dependency Review
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
deny-licenses: GPL-3.0, AGPL-3.0, SSPL-1.0
comment-summary-in-pr: always
retry-comment-on-failure: true
fail-on-insights: true
# Custom severity thresholds
- name: Check for critical vulnerabilities
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: GPL-3.0
base-ref: main
head-ref: HEAD
comment-summary-in-pr: alwaysThe dependency-review-action compares the dependency tree between the base and head branches. It fails the check if new dependencies introduce vulnerabilities above the severity threshold or have prohibited licenses.
License Policies
# .github/dependency-review-config.yml
# Not yet supported natively, use deny-licenses in the action
# Custom license check in CI
jobs:
license-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check licenses
run: |
npm install -g license-checker
npm ci
license-checker --production --json --out licenses.json
# Check for prohibited licenses
PROHIBITED=$(jq -r '
to_entries[] |
select(.value.licenses | test("GPL-3.0|AGPL-3.0|SSPL"))
| .key
' licenses.json)
if [ -n "$PROHIBITED" ]; then
echo "::error::Prohibited licenses found:"
echo "$PROHIBITED"
exit 1
fi
echo "All licenses comply with policy"
- name: License report
run: |
license-checker --production --csv > licenses.csv
if: always()License checking ensures all dependencies comply with your organization's licensing policy. GPL-3.0, AGPL-3.0, and SSPL are commonly prohibited due to copyleft requirements. The CSV report provides an audit trail.
Severity Thresholds
| Severity | Action | Example |
|---|---|---|
| Critical | Block merge immediately | Remote code execution, SQL injection |
| High | Block merge, require fix | Cross-site scripting, authentication bypass |
| Medium | Warn, track for fix | Information disclosure, denial of service |
| Low | Informational only | Minor information leaks |
OSV Data Integration
jobs:
osv-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate dependency diff
run: |
npm ci
npm ls --json > current-deps.json
git checkout main
npm ci
npm ls --json > base-deps.json
- name: Check new dependencies against OSV
run: |
# Compare dependencies
NEW_DEPS=$(jq -r '.dependencies[].name' current-deps.json | sort)
BASE_DEPS=$(jq -r '.dependencies[].name' base-deps.json | sort)
ADDED=$(comm -13 <(echo "$BASE_DEPS") <(echo "$NEW_DEPS"))
for dep in $ADDED; do
VERSION=$(jq -r ".dependencies[] | select(.name=="$dep") | .version" current-deps.json)
echo "Checking $dep@$VERSION against OSV..."
curl -s "https://api.osv.dev/v1/query" \
-d "{"version": "$VERSION", "package": {"name": "$dep"}}" \
| jq -r '.vulns[]?.id // empty'
doneOSV (Open Source Vulnerabilities) provides a free vulnerability database. This script identifies new dependencies and checks them against OSV. This catches vulnerabilities in newly added packages.
Automated Remediation
# Dependabot for automated PRs
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
labels:
- dependencies
- security
groups:
security-updates:
patterns:
- "*"
update-types:
- patch
- minor
# Auto-merge minor and patch updates
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
labels:
- dependencies
- github-actions
---
# Auto-merge workflow
jobs:
auto-merge:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Auto-merge minor/patch
if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}Dependabot creates PRs for dependency updates automatically. The auto-merge workflow merges minor and patch updates without manual review. Major updates require manual review due to potential breaking changes.
Dependency review catches known vulnerabilities. SAST catches code-level vulnerabilities. Use both together for comprehensive security coverage. A vulnerable dependency used insecurely is worse than a vulnerable dependency used correctly.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.