Применение проверки зависимостей в организации

Проверка зависимостей позволяет перехватывать небезопасные зависимости перед их вводом в среду. Вы можете применить Действие проверки зависимостей в организации.

Кто может использовать эту функцию?

Organization owners can enforce use of the Действие проверки зависимостей in repositories within their organization.

Проверка зависимостей включена в общедоступных репозиториях. Кроме того, проверка зависимостей доступна в частных репозиториях, принадлежащих организациям, которые используют GitHub Enterprise Cloud и имеют лицензию на GitHub Advanced Security. Дополнительные сведения см. в разделе Сведения о GitHub Advanced Security.

В этой статье

About dependency review enforcement

You can use the dependency-review-action in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see "About dependency review."

You can enforce the use of the dependency review action in your organization by setting up a repository ruleset that will require the dependency-review-action workflow to pass before pull requests can be merged. Repository rulesets are rule settings that allow you to control how users can interact with selected branches and tags in your repositories. For more information, see "About rulesets" and "Require workflows to pass before merging."

Prerequisites

You need to add the dependency review action to one of the repositories in your organization, and configure the action. For more information, see "Configuring the dependency review action."

Enforcing dependency review for your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Next to the organization, click Settings.

  3. In the left sidebar, in the "Code, planning, and automation" section, click Repository, then click Rulesets.

    Screenshot of an organization's settings page. In the sidebar, a link labeled "Rulesets" is outlined in orange.

  4. Click New branch ruleset.

  5. Set Enforcement status to Active.

  6. Optionally, you can target specific repositories in your organization. For more information, see "Choosing which repositories to target in your organization."

  7. In the "Rules" section, select the "Require workflows to pass before merging" option.

  8. In "Workflow configurations", click Add workflow.

  9. In the dialog, select the repository that you added the dependency review action to. For more information, see "Prerequisites."

  10. Select a branch and the workflow file for dependency review in the enhanced dialog.

    Screenshot of the Add required workflow dialog. You need to specify a repository, branch, and workflow.

  11. Click Create.