About dependency review enforcement
The "dependency review action" is the action that reports on the diff of a pull request in a GitHub Actions context. See dependency-review-action. You can use the dependency review action in your repository to enforce dependency review on pull requests. The action scans pull requests for vulnerable dependency versions introduced by package version changes and warns you about the associated security vulnerabilities. This gives you better visibility of what is changing in a pull request and helps prevent vulnerabilities from being added to your repository. For more information, see About dependency review.
You can enforce the use of the dependency review action in your organization by setting up a repository ruleset that requires the dependency-review-action workflow to pass before pull requests can be merged. Repository rulesets are rule settings that let you control how users can interact with selected branches and tags in your repositories. For more information, see About rulesets and Require workflows to pass before merging.
Prerequisites
You need to add the dependency review action to one of the repositories in your organization and configure the action. The workflow must run on pull requests, because the ruleset can only require a workflow run that actually exists for the pull request being merged. For more information, see Configuring the dependency review action.
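As an added example (not taken from this page or from GitHub's own documentation), this is a minimal dependency review workflow of the kind the prerequisite refers to. It assumes the file lives at `.github/workflows/dependency-review.yml` in the repository you later select in the ruleset, and that the default branch is `main`; `fail-on-severity` and `comment-summary-in-pr` are real inputs of `actions/dependency-review-action`, but the values chosen here are assumptions.

```yaml
# Added example workflow (not from the GitHub docs page).
# Assumed path: .github/workflows/dependency-review.yml in the repository
# that the organization ruleset points to; assumed default branch: main.
name: Dependency review

on:
  pull_request:
    branches: [main]   # the ruleset needs a run for every PR it governs

# Least privilege: the action only needs to read the diff. The write scope on
# pull-requests is only required because the PR summary comment is enabled below.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check (and therefore block the merge once the ruleset is
          # active) when an introduced dependency has an advisory of this
          # severity or higher. Value is an assumption; tune for your risk appetite.
          fail-on-severity: moderate
          # Post the findings as a PR comment so reviewers see them in context.
          comment-summary-in-pr: always
```

The job name and file name are what you select in the "Workflow configurations" dialog of the ruleset. Pinning `actions/dependency-review-action` to a commit SHA instead of the `v4` tag gives a stronger supply-chain guarantee for the workflow that is itself enforcing supply-chain hygiene.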
Enforcing dependency review for your organization
- In the upper-right corner of GitHub, click your profile picture, then click Your organizations.
- Next to the organization, click Settings.
- In the "Code, planning, and automation" section of the sidebar, click Repository, then click Rulesets.
- Click the New ruleset dropdown menu, and select New branch ruleset.
- To help identify your ruleset and clarify its purpose, give the ruleset a name in Ruleset Name.
- Set Enforcement status to Active.
- Optionally, you can target specific repositories in your organization. For more information, see Choosing which repositories to target in your organization.
- In the "Rules" section, select the "Require workflows to pass before merging" option.
- In "Workflow configurations", click Add workflow.
- In the dialog, select the repository that you added the dependency review action to. For more information, see Prerequisites.
- Select a branch and the workflow file for dependency review in the enhanced dialog.
- Click Create.