
GitHub Action for policy driven vetting of open source dependencies

safedep/vet-action

vet GitHub Action

vet is a tool for finding security risks in OSS components. For more details, refer to the vet GitHub repository: https://github.com/safedep/vet

Usage

Follow the setup instructions for a step-by-step guide on how to integrate vet in your GitHub repository with customizable policies.

Quick Start

Follow the quick start if you want to integrate vet as a step in your existing GitHub Actions workflow.

TL;DR: add this GitHub Action to vet your changed dependencies during a pull request. Note that `permissions` is a job-level (or workflow-level) key in GitHub Actions workflow syntax; a step cannot declare its own permissions, so the step is shown inside its job:

```yaml
jobs:
  vet:
    runs-on: ubuntu-latest # any Linux runner works; ubuntu-latest is assumed here
    # Permissions belong to the job, not to the step.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The output of vet-action is a SARIF report that can be uploaded to GitHub Code Scanning. Uploading requires the `security-events: write` permission on the job in addition to the permissions listed above:

```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    # Path to the SARIF file written by the vet step (step id "vet")
    sarif_file: ${{ steps.vet.outputs.report }}
    category: vet
```

Setup Instructions

Follow these instructions to integrate vet as a GitHub Action in your GitHub repository:

1. Go to the root directory of your GitHub repository.
2. Create the workflow and policy directories:

   ```shell
   mkdir -p .github/workflows .github/vet
   ```

3. Download the policy file into the policy directory:

   ```shell
   curl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml
   ```

4. Download the vet GitHub Action workflow:

   ```shell
   curl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml
   ```

5. Review the policy file in `.github/vet/policy.yml` and edit as required.
6. Push / PR your changes into the repository.

Configuration

vet-action accepts the following additional inputs for customizing how vet is invoked during a scan:

| GitHub Action Input | Example Value | Notes |
|---|---|---|
| `policy` | `policies/sample.yml` | Path to vet YAML policy file (filter suite) |
| `exception-file` | `config/exceptions.yml` | Path to vet exception YAML file |
| `trusted-registries` | `https://r1.org, https://r2.org` | Comma-separated string of registry base URLs |
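The quick start and the input table above can be combined into one complete pull request workflow. The following is an added example, not the project's own `example/vet-ci.yml`: it assumes the repository is checked out first so vet can read the manifests, places the policy and exception files under `.github/vet/` as in the setup instructions, and uses two registry URLs and an `exceptions.yml` file name that are placeholders chosen for this example.

```yaml
# Added example workflow (not the project's own example/vet-ci.yml).
# Runs vet on pull requests and uploads the SARIF report to Code Scanning.
name: vet

on:
  pull_request:
    branches: [main]

jobs:
  vet:
    runs-on: ubuntu-latest
    # Job-level permissions: contents/issues/pull-requests are the ones the
    # quick start lists for vet-action; security-events: write is required
    # by upload-sarif to publish results to Code Scanning.
    permissions:
      contents: read
      issues: write
      pull-requests: write
      security-events: write
    steps:
      # Assumed: vet needs the repository contents (lockfiles, manifests) on disk.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        with:
          # Inputs from the configuration table; file paths follow the setup
          # instructions, exceptions.yml is a placeholder name.
          policy: .github/vet/policy.yml
          exception-file: .github/vet/exceptions.yml
          # Placeholder registry base URLs, comma separated.
          trusted-registries: https://registry.npmjs.org, https://pypi.org
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Report path exposed by the step with id "vet"
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
```

Keeping `contents: read` as the only repository-content permission and granting write only on issues, pull requests and security events keeps the job's token scoped to what the two actions actually need.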

Support

Development

Refer to development documentation