devicons/devicon

[FEATURE REQUEST] Add dependency review (automatically check PRs for security

Status: Open

Issue #1483, opened on 29 Oct 2022 (0 comments, 0 reactions, 0 assignees)

Labels: batch import, devops, enhancement, good first issue

Repository: devicons/devicon (CSS; 11,625 stars, 2,448 forks; no merged PRs in the last 30 days)

Description

  • Confirm: I have searched through the issues and didn't find my problem.

Problem

Dependency review adds the ability to block pull requests that introduce vulnerable dependencies. We can select what order of severity we want to accept too, so that for example minor security vulnerabilities are ignored, while critical ones are handled.

There's not much need for running this for each icon request though, since they never introduce new dependencies. So we can just run it every time the PR is not an icon request.

Possible Solution

This is the documentation that shows how you can configure dependency review.

The documentation provides a little snippet which I've modified to fit what I think we want. More precisely I've changed the following:

  • Added an if statement so it only runs on PRs that aren't icon requests
  • Changed fail-on-severity from critical to high

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # Only run if this is not an icon PR: skip titles starting with "new icon" or "update icon".
    if: ${{ !startsWith(github.event.pull_request.title, 'new icon') && !startsWith(github.event.pull_request.title, 'update icon') }}
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v2
        with:
          # Possible values: "critical", "high", "moderate", "low"
          # The job fails on any added dependency with a vulnerability at or above this severity.
          fail-on-severity: high

          # You can only include one of these two options: `allow-licenses` and `deny-licenses`
          # ([String]). Only allow these licenses (optional)
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          # allow-licenses: GPL-3.0, BSD-3-Clause, MIT

          # ([String]). Block the pull request on these licenses (optional)
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          # deny-licenses: LGPL-2.0, BSD-2-Clause

Additional information

We might also want to deny (or only accept) certain licenses. I'm no licensing expert however, so I'll leave that up to the community to decide what makes the most sense.
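
As an added illustration (not code from the devicon project, nor the dependency-review action's own implementation), the Python below models the decisions the workflow above makes: skip icon PRs by title prefix, fail when an added dependency carries a vulnerability at or above the `fail-on-severity` threshold, and optionally fail on a denied license as discussed in this section. The package names, severities and licenses in the sample are constructed for the demo; the severity ordering low < moderate < high < critical follows the action's documented `fail-on-severity` values.

```python
"""Model of the dependency-review gating policy proposed in this issue.

Added illustration only: not the devicon project's code and not the
dependency-review-action implementation. It mirrors the policy in the
workflow (skip icon PRs; fail on added dependencies whose vulnerability
severity meets the threshold; optionally fail on denied licenses).
"""
from dataclasses import dataclass, field

# Severity order used by the action's fail-on-severity input, lowest first.
SEVERITY_ORDER = ("low", "moderate", "high", "critical")


@dataclass
class DependencyChange:
    """One entry of a dependency diff (assumption: mirrors a lockfile diff)."""
    name: str
    change_type: str                                   # "added" or "removed"
    vulnerabilities: list = field(default_factory=list)  # severity strings
    license: str = ""                                  # SPDX id, "" if unknown


def is_icon_pr(title: str) -> bool:
    """Icon PRs are recognised by title prefix, as in the workflow's `if:`.

    GitHub's startsWith() is case-insensitive, so the comparison lowercases.
    """
    t = title.lower()
    return t.startswith("new icon") or t.startswith("update icon")


def severity_rank(sev: str) -> int:
    """Position of a severity in SEVERITY_ORDER; raises on unknown values."""
    return SEVERITY_ORDER.index(sev.lower())


def blocking_findings(changes, fail_on_severity="high", deny_licenses=()):
    """Return the (package, kind, detail) findings that would block the PR.

    Only *added* dependencies are examined: dependency review is diff-based,
    so removing an already-vulnerable package is not a regression.
    """
    threshold = severity_rank(fail_on_severity)
    findings = []
    for change in changes:
        if change.change_type != "added":
            continue
        for sev in change.vulnerabilities:
            if severity_rank(sev) >= threshold:
                findings.append((change.name, "vulnerability", sev.lower()))
        if change.license and change.license in deny_licenses:
            findings.append((change.name, "license", change.license))
    return findings


def review_pr(title, changes, fail_on_severity="high", deny_licenses=()):
    """Return ("skipped", []) for icon PRs, else ("pass" or "fail", findings)."""
    if is_icon_pr(title):
        return "skipped", []
    findings = blocking_findings(changes, fail_on_severity, deny_licenses)
    return ("fail" if findings else "pass"), findings


# Constructed sample diff: names, severities and licenses are made up.
SAMPLE_CHANGES = [
    DependencyChange("left-pad-ish", "added", ["moderate"], "MIT"),
    DependencyChange("old-parser", "removed", ["critical"], "MIT"),
    DependencyChange("fancy-minifier", "added", ["low", "high"], "MIT"),
    DependencyChange("copyleft-helper", "added", [], "LGPL-2.0"),
]

if __name__ == "__main__":
    for title in ("new icon: foo", "update icon: bar", "chore: bump build deps"):
        status, findings = review_pr(
            title, SAMPLE_CHANGES, "high", deny_licenses=("LGPL-2.0",))
        print(f"{title!r}: {status} {findings}")
```

Running it shows the two icon PR titles being skipped, while the build-tooling PR fails on the added `fancy-minifier` (high) and on the denied LGPL-2.0 license; the moderate finding on `left-pad-ish` is below the `high` threshold and the removed `old-parser` is ignored entirely.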

Please discuss in the comments below what you think about the request, and the licenses in particular.
