actions · tspascoal · Aug 2, 2022 · Aug 7, 2022
@@ -6,6 +6,28 @@ The action is available for all public repositories, as well as private reposito
 
 <img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
 
+## Upgrading from V2: Breaking changes
+
+Version introduced two breaking changes.
+
+### Required permission
+
+If you are restricting the workflow or job [permissions](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) for `GITHUB_TOKEN` you will need to add the `checks` with write permissions:
+
+```
+permissions:
+  checks: write
+```
+
+If you are using a custom token with `repo-token` parameter, you will need to make sure the token has `checks` **write** permission.
+
+### Action Failing
+
+The action no longer fails if a vulnerable dependency or a policy violation is found.
+
+If you want to stop your pull request from being merge you can make the `Dependency Review Dependencies` and/or the `Dependency Review Licenses` required in your [protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
+
+If you want to keep the old behavior (action failed on a violation) you can set the `fail-on-violation` parameter to true.
 
 ## Installation
 
@@ -58,6 +80,7 @@ jobs:
 ```
 
 ## Configuration
+
 You can pass additional options to the Dependency Review
 Action using your workflow file. Here's an example workflow with
 all the possible configurations:
@@ -86,11 +109,20 @@ jobs:
           #
           # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
           # deny-licenses: LGPL-2.0, BSD-2-Clause
+          #
+          # The name of vulnerabilities check. The check will fail if vulnerabilities are found.
+          # check-name-vulnerabilities: 'Dependency Review Vulnerabilities'
+          #
+          # The name of policies check. The check will fail if non allowed policies are found.
+          # check-name-licenses: 'Dependency Review Policies'
+          #
+          # Fail the action if violation(s) are found (either vulnerability or licenses)
+          # fail-on-violation: false
 ```
 
 ### Vulnerability Severity
 
-By default the action will fail on any pull request that contains a
+By default the `Dependency Review Vulnerabilities` check will fail on any pull request that contains a
 vulnerable dependency, regardless of the severity level. You can override this behavior by
 using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
 action defaults to `low`.
@@ -104,13 +136,18 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
     fail-on-severity: high
 ```
 
+> If you want to fail the action when vulnerable packages are found, set the `fail-on-violation` parameter to true.
+
 ### Licenses
 
-You can set the action to fail on pull requests based on the licenses of the dependencies
-they introduce. With `allow-licenses` you can define the list of licenses
+If non allowed licenses are found, the `Dependency Review Policies` will fail.
+
+With `allow-licenses` you can define the list of licenses
 your repository will accept. Alternatively, you can use `deny-licenses` to only
 forbid a subset of licenses. These options are not supported on GHES.
 
+> If you want to fail the action when non allowed license violations are found, set the `fail-on-violation` parameter to true.
+
 You can use the [Licenses
 API](https://docs.github.com/en/rest/licenses) to see the full list of
 supported licenses. Use the `spdx_id` field for every license you want
@@ -145,7 +182,14 @@ action won't fail**.
 
 ## Blocking pull requests
 
-The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
+The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check(s) to pass before merging. The action will emit two checks (the names can be overriden):
+
+- `Dependency Review Vulnerabilities` If vulnerabilities are found the check will fail, the check details will list in a tabular fashions the packages (grouped by manifest) with vulneralities, along with the vulnerability name and severity.
+- `Dependency Review Policies` If non allowed licenses are found the check will fail. the check details will list in a tabular fashion the list of packages that have non allowed licenses as well as packages for which GitHub doesn't has license information.
+
+<img src="https://user-images.githubusercontent.com/7847935/183286441-4e17e46c-75e7-4e30-a7b1-70db53ed18fe.png">
+
+For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
 
 ## Getting help
 
@@ -159,4 +203,5 @@ We are grateful for any contributions made to this project.
 Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
 
 ## License
+
 This project is released under the [MIT License](https://github.com/actions/dependency-review-action/blob/main/LICENSE).
@@ -10,9 +10,11 @@ function setInput(input: string, value: string) {
 // We want a clean ENV before each test. We use `delete`
 // since we want `undefined` values and not empty strings.
 function clearInputs() {
-  delete process.env['INPUT_FAIL-ON-SEVERITY']
-  delete process.env['INPUT_ALLOW-LICENSES']
-  delete process.env['INPUT_DENY-LICENSES']
+  for (var key of Object.keys(process.env)) {
+    if (key.startsWith('INPUT_')) {
+      delete process.env[key]
+    }
+  }
 }
 
 beforeEach(() => {
@@ -27,10 +29,18 @@ test('it defaults to low severity', async () => {
 test('it reads custom configs', async () => {
   setInput('fail-on-severity', 'critical')
   setInput('allow-licenses', ' BSD, GPL 2')
+  setInput('fail-on-violation', 'true')
+  setInput('check-name-vulnerabilities', 'custom check name vulnerabilities')
+  setInput('check-name-licenses', 'custom check name licenses')
 
   const options = readConfig()
   expect(options.fail_on_severity).toEqual('critical')
   expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
+  expect(options.fail_on_violation).toBeTruthy()
+  expect(options.check_name_vulnerability).toEqual(
+    'custom check name vulnerabilities'
+  )
+  expect(options.check_name_license).toEqual('custom check name licenses')
 })
 
 test('it defaults to empty allow/deny lists ', async () => {
@@ -40,6 +50,12 @@ test('it defaults to empty allow/deny lists ', async () => {
   expect(options.deny_licenses).toEqual(undefined)
 })
 
+test('it defaults to false fail on violation', async () => {
+  const options = readConfig()
+
+  expect(options.fail_on_violation).toBeFalsy()
+})
+
 test('it raises an error if both an allow and denylist are specified', async () => {
   setInput('allow-licenses', 'MIT')
   setInput('deny-licenses', 'BSD')

@@ -16,6 +16,16 @@ inputs:
   deny-licenses:
     description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
     required: false
+  check-name-vulnerabilities:
+    description: The name of vulnerabilities check
+    required: false
+  check-name-licenses:
+    description: The name of the licenses check
+    required: false
+  fail-on-violation:
+    description: 'Should the action fail if a dependency or license violation is found. Disabled by default.'
+    default: 'false'
+    required: false
 runs:
   using: 'node16'
   main: 'dist/index.js'