
Component Detection dependency submission action

Upload information about your dependencies to the GitHub dependency graph using dependency submission API.
v0.0.4
Latest
Verified creator

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Component detection dependency submission action

This GitHub Action runs the microsoft/component-detection library to extract dependencies automatically at build time. It combines static and dynamic scanning to build a dependency tree, then uploads that tree to GitHub's dependency graph via the dependency submission API. The result is more accurate Dependabot alerts and coverage of additional package ecosystems beyond those the dependency graph detects on its own.

Example workflow

name: Component Detection

on:
  workflow_dispatch:
  push:

# contents: write is required to submit a dependency snapshot through the
# dependency submission API; id-token: write is requested by this action.
permissions:
  id-token: write
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so the detectors can read manifests and lockfiles
      - uses: actions/checkout@v3
      - name: Component detection
        uses: advanced-security/component-detection-dependency-submission-action@v0.0.4

Configuration options

| Parameter | Description | Example |
| --- | --- | --- |
| filePath | The path to the directory containing the environment files to upload. Defaults to the Actions working directory. | `'.'` |
| directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test` |
| detectorArgs | Comma-separated list of properties that affect how the detectors run. For example, `EnableIfDefaultOff` lets a detector that is off by default (such as one in beta) run; the format is `DetectorId=EnableIfDefaultOff`. | `Pip=EnableIfDefaultOff` |
| dockerImagesToScan | Comma-separated list of Docker image names or hashes to run container scanning on. | `ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab` |
| detectorsFilter | Comma-separated list of the identifiers of the specific detectors to use. | `Pip, RustCrateDetector` |
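As an added example (not taken from the action's own README), the workflow below passes several of the inputs above through a `with:` block and scopes the token to the job that needs it rather than to the whole workflow. The input names are the ones documented in the table; the path, exclusion pattern, detector list and image reference are constructed for illustration, and it is assumed here that the action reads its inputs through the standard `with:` mechanism. `contents: write` is what the dependency submission API requires; `id-token: write` is kept because the README above requests it.

```yaml
name: Component Detection (configured)

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    # Job-level permissions: only this job receives a writable token.
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@v3
      - name: Component detection
        uses: advanced-security/component-detection-dependency-submission-action@v0.0.4
        with:
          # Scan only this subtree instead of the whole checkout (constructed path)
          filePath: './src'
          # minimatch pattern for directories to skip (constructed; the README's example is `test`)
          directoryExclusionList: '**/test/**'
          # Run only the detectors relevant to this repository
          detectorsFilter: 'Pip,RustCrateDetector'
          # Opt a detector that is off by default into this run
          detectorArgs: 'Pip=EnableIfDefaultOff'
          # Container image to scan (constructed reference, tag form)
          dockerImagesToScan: 'ubuntu:16.04'
```

Before relying on this in production, consider pinning both `actions/checkout` and this action to a full commit SHA rather than a tag, since a mutable tag lets the code running with your `contents: write` token change without a corresponding change in your workflow file.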

For more information: https://github.com/microsoft/component-detection

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Component Detection dependency submission action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
