Important! The content of this resource is provided -as is- for educational purposes and it is not part of GitHub's official documentation. For GitHub's Official Documentation, please visit GitHub Docs
Rolling Out Dependency Review Across Your Entire Organization
- Create a new repository, or use an existing one, as the centralized home for the Dependency Review reusable workflow
- Optional: restrict member access to this repository so only the team that owns the workflow can change it
- Adjust the repository's Actions access settings (Settings --> Actions --> General --> Access) so workflows in other repositories of the organization can use it; a private or internal repository does not share its workflows by default
- Bring in Dependency Review from GitHub Marketplace
  - Repo Settings --> Code Scanning --> New Tool --> Search "Dependency Review" --> Configure
- Set the optional inputs (fail-on-severity; allow-licenses or deny-licenses, which are mutually exclusive) and commit the workflow file to this repository
- Create a ruleset at the Organization level to require this workflow across repositories
  - Set the Target repositories to All repositories
  - Choose the "Require workflows to pass before merging" rule
  - Select the Dependency Review workflow from the central repository
- Optional: keep using this repository to centrally maintain other reusable GitHub Actions workflows
These steps enable and enforce Dependency Review across your organization without editing workflows in each repository. The one prerequisite on the target side is that the dependency graph is enabled (it is on by default for public repositories and can be turned on for every repository from the organization's code security settings); without it the action has nothing to review.
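As an added example, not a file from the original page, here is what the committed workflow file from the configuration step can look like once the optional inputs are filled in. The file path, the severity threshold and the license list are assumptions; the action inputs themselves (fail-on-severity, allow-licenses, deny-licenses) are the documented inputs of actions/dependency-review-action.

```yaml
# Added example (not from the original page): the Dependency Review workflow
# committed to the central repository, e.g. .github/workflows/dependency-review.yml.
# The severity threshold and license list below are assumptions for illustration.
name: Dependency Review

on:
  pull_request:   # the trigger used by the Marketplace template; the ruleset enforces the check on PRs into its target branches

# Least privilege: the action reads the dependency diff through the API, so no write scopes are needed
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a newly introduced dependency has a known
          # vulnerability at or above this severity (low, moderate, high, critical)
          fail-on-severity: moderate
          # Only these SPDX licenses may be introduced. allow-licenses and
          # deny-licenses are mutually exclusive; set one or the other
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
```

Pin the two action references to a specific major tag (or a commit SHA, if your organization requires it) and keep them in this one file; because the ruleset points at the central repository, bumping the version here updates the check for every repository at once.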