@@ -3,7 +3,7 @@ name: Dependency Review - Vulnerability
33# ##
44# This workflow analyzes dependencies introduced by pull requests to help identify security vulnerabilities.
55#
6- # To override the default configuration preset, set the `DEPENDENCY_REVIEW_CONFIG_PRESET ` variable in the repository settings.
6+ # To override the default configuration preset, set the `DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET ` variable in the repository settings.
77# The default preset is "vulnerability-high". This preset has this behavior:
88#
99# Fail if a dependency is found in the dependency tree with a high severity or greater.
@@ -24,12 +24,34 @@ jobs:
2424 # Skip on merge group events
2525 if : ${{ github.event_name == 'pull_request' }}
2626 steps :
27- - uses : actions/checkout@v4
27+ - uses : actions/checkout@v6
2828 with :
2929 fetch-depth : 0
3030 persist-credentials : false
3131
32+ - name : Choose config preset
33+ id : preset
34+ env :
35+ DEFAULT_PRESET : ' vulnerability-high'
36+ OVERRIDE_PRESET : ${{ vars.DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET }}
37+ ALLOWED_PRESETS : ' vulnerability-high vulnerability-high-cve-2026-34040'
38+ run : |
39+ if [ -z "${OVERRIDE_PRESET:-}" ]; then
40+ echo "Using default config preset: $DEFAULT_PRESET"
41+ CONFIG_PRESET="$DEFAULT_PRESET"
42+ else
43+ if echo " $ALLOWED_PRESETS " | grep -q " $OVERRIDE_PRESET "; then
44+ echo "Using override config preset: $OVERRIDE_PRESET"
45+ CONFIG_PRESET="$OVERRIDE_PRESET"
46+ else
47+ echo "::warning::Invalid override preset '$OVERRIDE_PRESET'. Falling back to default '$DEFAULT_PRESET'."
48+ CONFIG_PRESET="$DEFAULT_PRESET"
49+ fi
50+ fi
51+
52+ echo "preset=$CONFIG_PRESET" | tee -a "$GITHUB_OUTPUT"
53+
3254 - name : Dependency Review
3355 uses : smartcontractkit/.github/actions/dependency-review@dependency-review/v2
3456 with :
35- config-preset : vulnerability-high
57+ config-preset : ${{ steps.preset.outputs.preset }}
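Review bot: The allow-list check in the "Choose config preset" step is a regex substring match, so it can be bypassed: `grep -q " $OVERRIDE_PRESET "` treats the repository variable as a pattern, and a value such as `.*`, or the two allowed names joined with a space, matches the padded `ALLOWED_PRESETS` string and is then passed through unchanged to `config-preset` and `$GITHUB_OUTPUT`. Compare whole tokens with fixed strings instead, e.g. `if printf '%s\n' $ALLOWED_PRESETS | grep -qxF -- "$OVERRIDE_PRESET"; then`, which also handles an override beginning with `-`. Passing the variable through `env:` rather than interpolating `${{ vars.* }}` into `run:` is the right pattern and should stay. The bump to `actions/checkout@v6` is a floating tag; the rest of the workflow's steps and the `jobs:` block this step belongs to begin above the hunk.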