
Improvements:

Improvements: #26

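name: Dependency Review - Vulnerability
###
# This workflow analyzes dependencies introduced by pull requests to help identify security vulnerabilities.
#
# To override the default configuration preset, set the `DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET` variable in the repository settings.
# The override is accepted only if it exactly matches one of the names in ALLOWED_PRESETS (below);
# anything else is reported as a warning and the default is used.
# The default preset is "vulnerability-high". This preset has this behavior:
#
# Fail if a dependency is found in the dependency tree with a high severity or greater.
###
on:
  merge_group:
  pull_request:
# Deny every default GITHUB_TOKEN permission at the workflow level; each job grants only what it needs.
permissions: {}
jobs:
  vulnerability:
    name: Vulnerabilities
    permissions:
      contents: read
    runs-on: ubuntu-latest
    # Skip on merge group events
    if: ${{ github.event_name == 'pull_request' }}
    steps:
      # NOTE(review): both actions below are pinned to mutable tags, not commit SHAs — confirm the
      # project's policy on action pinning before relying on this for supply-chain assurance.
      - uses: actions/checkout@v6
        with:
          # Full history; presumably needed so the review action can compare base and head — confirm.
          fetch-depth: 0
          # Do not leave the job token in the checkout's .git config for later steps.
          persist-credentials: false
      - name: Choose config preset
        id: preset
        env:
          DEFAULT_PRESET: 'vulnerability-high'
          OVERRIDE_PRESET: ${{ vars.DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET }}
          # Space-separated allowlist of preset names the override may select.
          ALLOWED_PRESETS: 'vulnerability-high vulnerability-high-cve-2026-34040'
        run: |
          CONFIG_PRESET="$DEFAULT_PRESET"
          if [ -z "${OVERRIDE_PRESET:-}" ]; then
            echo "Using default config preset: $DEFAULT_PRESET"
          else
            # Compare the override against each allowed name with an exact string test.
            # A `grep` pattern match would interpret the override as a regular expression
            # (and a leading '-' as an option), letting a non-allowlisted value through.
            ACCEPTED=false
            for allowed in $ALLOWED_PRESETS; do
              if [ "$allowed" = "$OVERRIDE_PRESET" ]; then
                ACCEPTED=true
                break
              fi
            done
            if [ "$ACCEPTED" = true ]; then
              echo "Using override config preset: $OVERRIDE_PRESET"
              CONFIG_PRESET="$OVERRIDE_PRESET"
            else
              echo "::warning::Invalid override preset '$OVERRIDE_PRESET'. Falling back to default '$DEFAULT_PRESET'."
            fi
          fi
          # Only a validated preset name ever reaches the step output consumed below.
          echo "preset=$CONFIG_PRESET" | tee -a "$GITHUB_OUTPUT"
      - name: Dependency Review
        uses: smartcontractkit/.github/actions/dependency-review@dependency-review/v2
        with:
          config-preset: ${{ steps.preset.outputs.preset }}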