Trusty Dependency Risk Action
v0.0.5
Get a security and quality analysis of your dependencies with TrustyPkg!
- Check if the dependencies are malicious, deprecated or archived
- Assess the quality and security of your dependencies using TrustyPkg activity heuristics
- See whether the package can be traced to a legitimate source code repository using Sigstore and Trusty's historical provenance algorithm
- Understand whether the package is a possible typosquatting attack
- Get a list of recommended alternatives to the dependency
This action takes any dependencies added within a pull request and assesses their quality using the Trusty API. If any dependency is found to be below a certain threshold (see details below), the action will fail.
If any dependencies are malicious, deprecated, or archived, the action will also fail.
Full language support (in line with Trusty):
- Python
- JavaScript
- Java
- Rust
- Go
To use this action, you can add the following to your workflow:

```yaml
name: TrustyPkg Dependency Check
on:
  pull_request:
    branches:
      - main
jobs:
  trusty_pkg_check:
    runs-on: ubuntu-latest
    name: Check Dependencies with TrustyPkg
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: TrustyPkg Action
        uses: stacklok/[email protected]
        with:
          global_threshold: 5
          provenance_threshold: 5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Only one input is available for this action:
- `score_threshold`: The minimum score required for a dependency to be considered high quality. Anything below this score will fail the action.
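As an added illustration (not the action's own code), here is the gating policy the page describes: fail on malicious, deprecated or archived packages, and on any score below the configured thresholds, applied to a constructed dependency report. The report shape, the 0-10 score scale and the package names are assumptions; only the threshold values (5 and 5) come from the example workflow above.

```python
from dataclasses import dataclass
# Assumed policy parameters, mirroring the two threshold inputs in the
# example workflow above (the values 5 and 5 are the workflow's).
GLOBAL_THRESHOLD = 5
PROVENANCE_THRESHOLD = 5
@dataclass
class Dependency:
    """One dependency added in the PR. Constructed shape, not the Trusty API schema."""
    name: str
    ecosystem: str
    score: float             # overall quality score, assumed 0-10 scale
    provenance_score: float  # historical-provenance score, assumed 0-10 scale
    malicious: bool = False
    deprecated: bool = False
    archived: bool = False

def evaluate(dep, global_threshold=GLOBAL_THRESHOLD, provenance_threshold=PROVENANCE_THRESHOLD):
    """Return the reasons this dependency fails the check; an empty list means it passes."""
    reasons = []
    for flag in ("malicious", "deprecated", "archived"):   # hard failures, threshold-independent
        if getattr(dep, flag):
            reasons.append(flag)
    if dep.score < global_threshold:
        reasons.append(f"score {dep.score} below global threshold {global_threshold}")
    if dep.provenance_score < provenance_threshold:
        reasons.append(f"provenance {dep.provenance_score} below threshold {provenance_threshold}")
    return reasons

def check_pull_request(deps, **thresholds):
    """Map each failing dependency to its reasons; an empty dict means the action would pass."""
    failures = {}
    for dep in deps:
        reasons = evaluate(dep, **thresholds)
        if reasons:
            failures[f"{dep.ecosystem}/{dep.name}"] = reasons
    return failures

# Constructed sample report: fictional package names and scores, not real Trusty output.
SAMPLE_DEPS = [
    Dependency("alpha-http", "pypi", score=8.7, provenance_score=9.1),
    Dependency("alpha-htpp", "pypi", score=1.2, provenance_score=0.0, malicious=True),  # lookalike name
    Dependency("beta-pad", "npm", score=6.5, provenance_score=3.0),  # fine score, weak provenance
    Dependency("gamma-old", "npm", score=7.0, provenance_score=7.5, deprecated=True),
]

if __name__ == "__main__":
    failures = check_pull_request(SAMPLE_DEPS)
    for pkg, reasons in failures.items():
        print(f"FAIL {pkg}: {', '.join(reasons)}")
    raise SystemExit(1 if failures else 0)   # non-zero exit fails the job, like the action
```

Note that `beta-pad` clears the global threshold but still fails on provenance alone, which is why the two thresholds are configured separately.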