Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
alert-triangle

GitHub Action

Trusty Dependency Risk Action

v0.0.3 Pre-release

Trusty Dependency Risk Action

alert-triangle

Trusty Dependency Risk Action

Check the quality and safety of your dependencies on every pull request

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Trusty Dependency Risk Action

uses: stacklok/[email protected]

Learn more about this action in stacklok/trusty-action

Choose a version

Trusty Dependency Analysis Action

Get a security and quality analysis of your dependencies with TrustyPkg!

alt text

Features

  • Check if the dependencies are malicious, deprecated or archived
  • Assess the quality and security of your dependencies using TrustyPkg activity hueristics
  • See if it contains a source of origin to a legitimate code repository using sigstore and Trusty's historical provenance algorithm
  • Understand if the package is a possible typo squatting attack
  • Get a list of recommended alternatives to the dependency

Overview

This action takes any added dependencies within a pull request and assesses their quality using the Trusty API. If any dependencies are found to be below a certain threshold (See details below), the action will fail.

If any dependencies are malicious, deprecated, or archived, the action will also fail.

Full Language Support (inline with Trusty):

  • Python
  • JavaScript
  • Java
  • Rust
  • Go

Usage

To use this action, you can add the following to your workflow:

name: TrustyPkg Dependency Check

on:
  pull_request:
    branches:
      - main

jobs:
  trusty_pkg_check:
    runs-on: ubuntu-latest
    name: Check Dependencies with TrustyPkg
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: TrustyPkg Action
        uses: stacklok/[email protected]
        with:
          score_threshold: 5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Inputs

Only one input is available for this action:

score_threshold: The minimum score required for a dependency to be considered high quality. Anything below this score will fail the action.