Supporting whitelisting CVE's / Dependencies #133
Comments
@AtzeDeVries this sounds like something we could do in a future. What format do you envision to specify the dependencies?
I thought about having some config which sits with the code (so not in .github dir) which contains a whitelist (or ignorelist) which at least contains
And also I don't know how the CVEs on dependencies work, but I guess CVEs on a dependency can also be updated (added text, change of severity), so it would be nice to link the ignore to a certain version of the CVE.
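An added illustration of the ignore-list behaviour sketched in this comment; it is not code from the Dependency Review Action, and the config shape, the `expires` field and all package and CVE values are constructed placeholders. Ignore entries match a finding only on package and CVE, optionally pinned to one dependency version, and stop applying once they expire, so anything not explicitly accepted still fails the check.

```python
import json
from datetime import date

# Constructed ignore-list config (hypothetical format, not the action's real
# schema): each entry names a dependency, optionally pins the version the
# ignore applies to, names the CVE, and carries an expiry so accepted risk
# gets revisited instead of silently living on.
IGNORE_CONFIG = json.loads("""
{
  "ignore": [
    {"package": "example-lib-a", "version": "1.4.0", "cve": "CVE-EXAMPLE-0001",
     "expires": "2030-01-01", "reason": "vulnerable code path not reachable"},
    {"package": "example-lib-b", "cve": "CVE-EXAMPLE-0002",
     "expires": "2020-01-01", "reason": "expired entry, must be re-reviewed"}
  ]
}
""")

# Constructed findings, in the shape a dependency scanner might report.
FINDINGS = [
    {"package": "example-lib-a", "version": "1.4.0", "cve": "CVE-EXAMPLE-0001", "severity": "high"},
    {"package": "example-lib-a", "version": "1.5.0", "cve": "CVE-EXAMPLE-0001", "severity": "high"},
    {"package": "example-lib-b", "version": "2.0.1", "cve": "CVE-EXAMPLE-0002", "severity": "moderate"},
    {"package": "example-lib-c", "version": "0.9.3", "cve": "CVE-EXAMPLE-0003", "severity": "critical"},
]

def ignore_matches(entry, finding, today):
    """True only if package and CVE match, the pinned version (when given)
    matches, and the entry has not expired. Unmatched findings keep failing."""
    if entry["package"] != finding["package"] or entry["cve"] != finding["cve"]:
        return False
    if "version" in entry and entry["version"] != finding["version"]:
        return False
    return date.fromisoformat(entry["expires"]) > today

def apply_ignore_list(findings, config, today_iso):
    """Split findings into (blocking, ignored) for the given ISO date."""
    today = date.fromisoformat(today_iso)
    blocking, ignored = [], []
    for f in findings:
        if any(ignore_matches(e, f, today) for e in config["ignore"]):
            ignored.append(f)
        else:
            blocking.append(f)
    return blocking, ignored

if __name__ == "__main__":
    blocking, ignored = apply_ignore_list(FINDINGS, IGNORE_CONFIG, "2024-06-01")
    for f in blocking:
        print(f"FAIL    {f['package']}@{f['version']} {f['cve']} ({f['severity']})")
    for f in ignored:
        print(f"ignored {f['package']}@{f['version']} {f['cve']}")
```

Only the 1.4.0 finding is silenced; the unpinned 1.5.0 version, the expired entry and the CVE with no entry all still block.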
We'll likely move our config options (licenses and allow/denylist) to an external config file in the upcoming months to make this Action easier to install in big organizations. Will take a look at this when we do the migration.
Thnx for taking a look at it!
I don't see how this can be fully utilized without whitelisting really, looks like a must for anything beyond the MVP phase. upd: well, maybe the GHA check can't be enforced really without whitelisting is what I mean, the action itself is pretty useful as it is 🙂 but making this check required would be really nice
@LiuVII what do you think about adding a new config option (a list called If you need help getting a PR started please let me know!
It would be nice to be able to ignore / whitelist certain dependencies. This way we can keep working if no fix exists yet.