Created and maintained by https://safedep.io with contributions from the community 🚀
GitHub Action for integrating vet in your workflow. Provides active protection against vulnerable, outdated, unpopular and malicious OSS dependencies using policy as code based guardrails.
Follow the setup instructions for a step by step guide on how to integrate `vet` in your GitHub repository with customizable policies.

Follow the quickstart if you want to integrate `vet` as a step in your existing GitHub Actions workflow.
TLDR; add this GitHub Action to vet your changed dependencies during a pull request.

```yaml
- name: Run vet
  id: vet
  uses: safedep/vet-action@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Enable comments proxy server for public repositories
  # where GitHub Action jobs are run from forked repositories
  # (action inputs go under `with:`)
  # with:
  #   enable-comments-proxy: true
```

Note: vet-action requires the following job or workflow permissions to be able to add comments on the pull request:

```yaml
permissions:
  contents: read
  pull-requests: write
  issues: write
```

The output of vet-action is a SARIF report that can be uploaded to GitHub Code Scanning.

Note: the `upload-sarif` action requires GitHub Code Scanning to be enabled. This is available for public repositories and for private repositories with GitHub Advanced Security enabled.
```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.vet.outputs.report }}
    category: vet
```

Note: Uploading the SARIF report to GitHub Code Scanning requires the following job or workflow permissions:

```yaml
permissions:
  security-events: write
```

Follow these instructions to integrate `vet` as a GitHub Action in your GitHub repository:

- Go to the root directory of your GitHub repository
- Create the workflow and policy directory

  ```shell
  mkdir -p .github/workflows .github/vet
  ```

- Download the policy file into the policy directory

  ```shell
  curl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml
  ```

- Download the `vet` GitHub Action workflow

  ```shell
  curl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml
  ```

- Review the policy file in `.github/vet/policy.yml` and edit as required
- Push / PR your changes into the repository
vet-action provides integration with SafeDep Cloud. By leveraging SafeDep Cloud, `vet` and vet-action provide additional services such as Malicious Package Analysis.

Note: SafeDep Cloud integration is disabled by default.

To use SafeDep Cloud integration, you need:

- SafeDep Cloud Tenant Domain (e.g. `default-team.example-org.safedep.io`)
- SafeDep Cloud API Key (e.g. `sfd_01234567890abcdefghijk`)

Refer to the SafeDep Cloud Quickstart guide on getting the required information for activating cloud integration.
vet-action accepts the following additional configuration for customizing how `vet` is invoked during a scan:

| GitHub Action Input | Example Value | Notes |
|---|---|---|
| `policy` | `policies/sample.yml` | Path to vet YAML policy file (filter suite) |
| `exception-file` | `config/exceptions.yml` | Path to vet exception YAML file |
| `trusted-registries` | `https://r1.org, https://r2.org` | Comma separated string of registry base URLs |
| `timeout` | `300` | Max time in seconds to wait for external services |
| `cloud` | `true` | Enable integration with SafeDep Cloud |
| `cloud-tenant` | `default-team.example-org.safedep.io` | SafeDep Cloud Tenant Domain |
| `cloud-key` | `sfd_xxxx` | SafeDep Cloud API Key |
| `upload-sarif` | `true` | Upload SARIF report as artifact on push |
| `add-step-summary` | `true` | Add job step summary report on push |
| `enable-comments-proxy` | `false` | Enable Comments Proxy Server to create comments on GitHub PRs |
| `paranoid` | `false` | Enable paranoid mode to fail PR workflow on any risk |
| `exclude` | `test/go.mod, test/package.json` | Comma separated list of "repository relative path patterns" to exclude from the scan |
- Refer to vet policy as code for details on the `policy` format
- Refer to vet exceptions for details on the `exception-file` format
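The quickstart, the setup steps and the input table above each show one piece of the workflow. The following is a complete workflow that wires those pieces together. It is a constructed example added here, not the project's `example/vet-ci.yml`; the workflow name, the branch filter, the `actions/checkout` step and the variable/secret names `SAFEDEP_CLOUD_TENANT` and `SAFEDEP_CLOUD_API_KEY` are assumptions, and every input value comes from the table above. The API key is read from a repository secret rather than written into the file, and the permissions block is the union of the two permission sets listed earlier (PR comments plus SARIF upload):

```yaml
# Constructed example workflow for vet-action (not the project's example/vet-ci.yml).
# Assumed: the policy file was downloaded to .github/vet/policy.yml as in the setup steps,
# and SAFEDEP_CLOUD_TENANT / SAFEDEP_CLOUD_API_KEY are a repository variable / secret
# you create yourself (hypothetical names).
name: vet

on:
  push:
    branches: [main]
  pull_request:

# Union of the permissions required for PR comments and for SARIF upload
permissions:
  contents: read           # checkout of the repository
  pull-requests: write     # vet-action comments on the pull request
  issues: write            # vet-action comments on the pull request
  security-events: write   # upload-sarif into GitHub Code Scanning

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        with:
          # Filter suite reviewed and edited in the setup steps
          policy: .github/vet/policy.yml
          # Max seconds to wait for external services
          timeout: 300
          # Repository relative path patterns left out of the scan
          exclude: test/go.mod, test/package.json
          # Registry base URLs allowed when checking lockfile consistency
          trusted-registries: |
            https://registry.npmjs.org
            https://private.self-hosted.local
          # SafeDep Cloud integration is off by default; enabled here with
          # the tenant from a variable and the API key from a secret
          cloud: true
          cloud-tenant: ${{ vars.SAFEDEP_CLOUD_TENANT }}
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          # Artifacts produced on push
          upload-sarif: true
          add-step-summary: true
          # Set to true only for public repositories that receive PRs from forks,
          # where $GITHUB_TOKEN cannot post comments (see the comments proxy note)
          enable-comments-proxy: false
          # Fail the PR workflow on any risk, not only policy violations
          paranoid: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
```

Commit this as `.github/workflows/vet-ci.yml` alongside `.github/vet/policy.yml`. If your repository is private without GitHub Advanced Security, drop the `Upload SARIF` step and the `security-events: write` permission; the step summary and PR comments still work without Code Scanning.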
The `enable-comments-proxy` configuration can be used to enable the Comments Proxy Server to create comments on GitHub PRs. This is required when the action is invoked in a PR from a forked repository, due to the limitations on `$GITHUB_TOKEN` in that case. See ghcp for more details.

SECURITY NOTE: The comments proxy uses `$GITHUB_TOKEN` for authentication to verify that the request is from a GitHub Actions workflow associated with the repository. When enabled, vet-action will call the Comments Proxy Server with the `$GITHUB_TOKEN` available in the workflow. This is used ONLY when vet-action fails to call the GitHub API due to the limitations on `$GITHUB_TOKEN`.
The `trusted-registries` configuration can be used to add specific registry URLs to the allow list while checking for lockfile inconsistencies. Example:

```yaml
trusted-registries: |
  https://registry.npmjs.org/strip-ansi
  https://registry.npmjs.org/string-width
  https://private.self-hosted.local
```

- Raise issues related to the GitHub Action at https://github.com/safedep/vet-action/issues
- Raise issues related to the `vet` tool at https://github.com/safedep/vet/issues

Refer to the development documentation.