Skip to content

feat: dependency-review-vulnerability support per-repo override #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
erikburt merged 2 commits into from
Apr 2, 2026
Merged

feat: dependency-review-vulnerability support per-repo override #28

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e935445
feat: dependency-review-vulnerability support per-repo override
erikburt Apr 2, 2026
25dc09c
fix: add allow-list so people can't override to random stuff
erikburt Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 25 additions & 3 deletions .github/workflows/dependency-review-vulnerability.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Dependency Review - Vulnerability
###
# This workflow analyzes dependencies introduced by pull requests to help identify security vulnerabilities.
#
# To override the default configuration preset, set the `DEPENDENCY_REVIEW_CONFIG_PRESET` variable in the repository settings.
# To override the default configuration preset, set the `DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET` variable in the repository settings.
# The default preset is "vulnerability-high". This preset has this behavior:
#
# Fail if a dependency is found in the dependency tree with a high severity or greater.
Expand All @@ -24,12 +24,34 @@ jobs:
# Skip on merge group events
if: ${{ github.event_name == 'pull_request' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false

- name: Choose config preset
id: preset
env:
DEFAULT_PRESET: 'vulnerability-high'
OVERRIDE_PRESET: ${{ vars.DEPENDENCY_REVIEW_VULNERABILITY_CONFIG_PRESET }}
ALLOWED_PRESETS: 'vulnerability-high vulnerability-high-cve-2026-34040'
run: |
if [ -z "${OVERRIDE_PRESET:-}" ]; then
echo "Using default config preset: $DEFAULT_PRESET"
CONFIG_PRESET="$DEFAULT_PRESET"
else
if echo " $ALLOWED_PRESETS " | grep -q " $OVERRIDE_PRESET "; then
echo "Using override config preset: $OVERRIDE_PRESET"
CONFIG_PRESET="$OVERRIDE_PRESET"
else
echo "::warning::Invalid override preset '$OVERRIDE_PRESET'. Falling back to default '$DEFAULT_PRESET'."
CONFIG_PRESET="$DEFAULT_PRESET"
fi
fi

echo "preset=$CONFIG_PRESET" | tee -a "$GITHUB_OUTPUT"

- name: Dependency Review
uses: smartcontractkit/.github/actions/dependency-review@dependency-review/v2
with:
config-preset: vulnerability-high
config-preset: ${{ steps.preset.outputs.preset }}
Loading