chore: Add dependency-review security workflow#41

Open

cstoked wants to merge 1 commit into master from add-dependency-review

Conversation

@cstoked cstoked commented Sep 18, 2025

🔒 Adding Dependency Review Security Workflow

What is Dependency Review?

Dependency Review is a GitHub Actions workflow that automatically scans pull requests for security vulnerabilities in your project's dependencies. It analyzes changes to dependency files (like package.json, requirements.txt, go.mod, etc.) and alerts you to:

  • Known security vulnerabilities in new or updated dependencies
  • License compliance issues with added packages
  • Deprecated packages that should be avoided
  • Supply chain risks from suspicious package updates

Why This Matters

  • 🛡️ Proactive Security: Catch vulnerabilities before they reach production
  • 📊 Zero False Positives: Only flags real security issues in your dependencies
  • ⚡ Fast Feedback: Get security insights directly in your pull request
  • 🎯 Targeted Scanning: Only scans actual dependency changes, not your entire codebase

Why This Repository Was Selected

This repository has been automatically selected for dependency review because it contains:

  • Supported programming languages that benefit from dependency scanning
  • Package manager files indicating active dependency management
  • Active development with regular dependency updates

Common package managers we detected across SpotOn repositories include:

  • JavaScript/TypeScript: package.json, yarn.lock, pnpm-lock.yaml
  • Python: requirements.txt, Pipfile, pyproject.toml
  • Go: go.mod, go.sum
  • Java/Kotlin: pom.xml, build.gradle
  • Ruby: Gemfile
  • Rust: Cargo.toml
  • And more...

What This Adds

  • New workflow file: .github/workflows/dependency-review.yml
  • Automated PR checks: Runs on every pull request that modifies dependencies
  • Centralized configuration: Uses InfoSec-approved settings across all repositories
  • No code changes needed: Your existing development workflow remains unchanged

InfoSec Compliance

This workflow uses SpotOn's centralized security configuration maintained by the InfoSec team, ensuring:

  • Consistent security policies across all repositories
  • Up-to-date vulnerability databases
  • Compliance with company security standards
  • No additional secrets or tokens required in your repository

Questions? Reach out to the InfoSec team on Slack at #infosec-talks or by email at infosec@spoton.com.
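The PR description names the workflow file but does not show its contents. The following is an added example of a dependency-review workflow of the kind described, not the file from this PR; the location of the centralized configuration file (`EXAMPLE-ORG/EXAMPLE-security-config/...`) and the path filter list are assumptions.

```yaml
# Added example (not the workflow from this PR): a dependency-review workflow
# of the kind the description outlines. The org/repo/path of the centralized
# config file and the branch name are placeholders.
name: Dependency Review

on:
  pull_request:
    # Only run when manifests or lockfiles change (the "targeted scanning"
    # point above); extend the list to the package managers the repo uses.
    paths:
      - 'package.json'
      - '**/package-lock.json'
      - 'yarn.lock'
      - 'pnpm-lock.yaml'
      - 'requirements*.txt'
      - 'pyproject.toml'
      - 'go.mod'
      - 'go.sum'

# Least privilege: read the code, write only what is needed to post the summary.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Centralized, InfoSec-maintained policy (placeholder location).
          # The action fetches this file through the GitHub API, so the
          # config repository must be readable by the default GITHUB_TOKEN;
          # a private config repository would additionally need
          # external-repo-token, which the description says is not required.
          config-file: 'EXAMPLE-ORG/EXAMPLE-security-config/dependency-review.yml@main'
          # Post findings as a PR comment so reviewers see them inline.
          comment-summary-in-pr: always
```

If this check is made required in branch protection, drop the `paths` filter: a path-filtered workflow is skipped rather than reported as passed, and PRs that touch no dependency files would be blocked.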
