[Code Quality] Add dependency-review-action to pull request workflow #10992

@github-actions

Description


Add GitHub's dependency-review-action to automatically review dependency changes in PRs, blocking PRs that introduce known vulnerabilities or license compliance issues. This provides supply chain security at the PR review stage before vulnerable dependencies reach the main branch.

Problem

Current State:

  • No dependency review on pull requests
  • Vulnerable dependencies can be introduced without detection
  • No license compliance checking for new dependencies
  • Supply chain security relies entirely on post-merge detection

Impact: PRs can introduce vulnerable or non-compliant dependencies that bypass review.

Suggested Changes

Add dependency-review-action to PR checks:

  1. Create or update a PR-specific workflow (e.g., .github/workflows/dependency-review.yml)
  2. Add a job that:
    • Runs only on pull_request events
    • Uses actions/dependency-review-action@v4
    • Configures fail-on-severity: high (block HIGH and CRITICAL)
    • Enables license checking with allowed licenses list
    • Uses comment-summary-in-pr: true for visibility
  3. Add documentation explaining what dependency changes are blocked
  4. Ensure the action has appropriate permissions (contents: read, pull-requests: write)
  5. Test with a sample PR that updates a dependency

Files Affected

  • .github/workflows/dependency-review.yml (new) or .github/workflows/pr-checks.yml (updated)

Success Criteria

  • Dependency Review action added to PR workflow
  • Blocks PRs that add dependencies with HIGH/CRITICAL vulnerabilities
  • Reviews license changes for compliance issues
  • Provides inline PR comments with vulnerability details
  • Runs only on pull_request events (not push to main)
  • Documentation added explaining blocking criteria

Implementation Example

name: Dependency Review

# Run only for pull requests targeting main, never on push, so the gate
# sits at review time rather than after merge.
on:
  pull_request:
    branches: [main]

# Least privilege: read the repo, write only what the PR comment needs.
# pull-requests: write is required for comment-summary-in-pr to post.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail on HIGH and CRITICAL advisories (the threshold and above).
          fail-on-severity: high
          # Post the review summary as a PR comment.
          comment-summary-in-pr: true
          # Comma-separated SPDX ids. deny-licenses and allow-licenses are
          # mutually exclusive; use one or the other.
          deny-licenses: GPL-3.0, AGPL-3.0
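To make the gate in the workflow above concrete, the following is an added example (not part of this issue or of dependency-review-action's own code) that re-implements its pass/fail decision over a constructed dependency diff. The input records mirror the shape of GitHub's dependency-graph compare endpoint (`change_type`, `name`, `version`, `license`, `vulnerabilities[].severity`); package names and GHSA ids are placeholders, and `evaluate_changes` is a hypothetical helper.

```python
"""Re-implementation of the gate that dependency-review-action applies to a PR.

Input shape mirrors GitHub's dependency-graph compare REST endpoint
(GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}). The sample
data below is constructed; the GHSA ids are placeholders, not real advisories.
"""

# Severity scale behind `fail-on-severity`; a threshold blocks itself and above.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def evaluate_changes(changes, fail_on_severity="high", deny_licenses=("GPL-3.0", "AGPL-3.0")):
    """Return (passed, findings) mirroring the action's pass/fail decision.

    Only `added` changes are gated: a removed dependency that carried an
    advisory never blocks the PR, so removals are skipped entirely.
    """
    threshold = SEVERITY_RANK[fail_on_severity]
    findings = []
    for change in changes:
        if change["change_type"] != "added":
            continue
        ident = f"{change['name']}@{change['version']}"
        for vuln in change.get("vulnerabilities", []):
            if SEVERITY_RANK[vuln["severity"]] >= threshold:
                findings.append(f"{ident}: {vuln['severity']} {vuln['advisory_ghsa_id']}")
        if change.get("license") in deny_licenses:
            findings.append(f"{ident}: denied license {change['license']}")
    return not findings, findings


# Constructed sample diff: one added package with a critical advisory, one with
# a moderate advisory (below the threshold), one under a denied license, and
# one removal that carries a high advisory but must not block.
SAMPLE_CHANGES = [
    {"change_type": "added", "name": "left-pad-ish", "version": "1.0.0", "license": "MIT",
     "vulnerabilities": [{"severity": "critical", "advisory_ghsa_id": "GHSA-xxxx-xxxx-0001"}]},
    {"change_type": "added", "name": "tiny-util", "version": "2.3.1", "license": "MIT",
     "vulnerabilities": [{"severity": "moderate", "advisory_ghsa_id": "GHSA-xxxx-xxxx-0002"}]},
    {"change_type": "added", "name": "copyleft-tool", "version": "0.9.0", "license": "GPL-3.0",
     "vulnerabilities": []},
    {"change_type": "removed", "name": "old-parser", "version": "3.0.0", "license": "MIT",
     "vulnerabilities": [{"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-0003"}]},
]

if __name__ == "__main__":
    passed, findings = evaluate_changes(SAMPLE_CHANGES)
    print("PASS" if passed else "FAIL")
    for line in findings:
        print(" -", line)
```

Running it prints FAIL with two findings: the critical advisory on the added package and the denied license; the moderate advisory and the removed package's high advisory are ignored, which is exactly what `fail-on-severity: high` plus `deny-licenses` would block in the PR.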

Source

Extracted from Repository Quality Improvement Report - Dependencies discussion #10987

Priority

High - Prevents vulnerable dependencies from reaching the main branch

Estimated Effort

Small - 1-2 hours to implement and test

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 4, 2026, 2:09 PM UTC
