Dependency Security Scanner

Dependency Security Scanner - Reusable Workflow

COMPOUND WRAPPER: Runs OSV + Dependency Review scanners in parallel. All scanning logic is in: - .github/actions/scanner-osv/action.yml - .github/actions/scanner-dependency-review/action.yml

Note: Dependency Review only works on pull_request events. On other triggers it skips gracefully with a warning annotation.

For GHES users: Use the composite actions directly instead of this workflow.

uses: huntridge-labs/argus/.github/workflows/dependency-scan.yml@0.6.7

Triggers

Manual dispatch
Reusable (called by other workflows)

Permissions

Scope	Access
`contents`	`read`
`security-events`	`write`
`actions`	`read`
`pull-requests`	`write`

Inputs

Input	Description	Required	Default
`scan_path`	Path to scan for lockfiles and dependency manifests string	No	`.`
`lockfile`	Specific lockfile path to scan (auto-discovers if empty) string	No	`—`
`recursive`	Scan subdirectories recursively for lockfiles boolean	No	`True`
`enable_code_security`	Whether GitHub Code Security is enabled for this repository boolean	No	`False`
`fail_on_severity`	Fail if findings at or above this severity. Options: none, low, medium, high, critical. string	No	`none`
`post_pr_comment`	Post results as PR comment boolean	No	`True`
`vulnerability_check`	Dependency Review: enable vulnerability checking boolean	No	`True`
`license_check`	Dependency Review: enable license compliance checking boolean	No	`False`
`allow_licenses`	Dependency Review: comma-separated SPDX license identifiers to allow string	No	`—`
`deny_licenses`	Dependency Review: comma-separated SPDX license identifiers to deny string	No	`—`

Jobs

`osv-scan` — OSV Dependency Scan

Runs on: ubuntu-latest · Timeout: 15 minutes · Continue on error: Yes

Steps:

Checkout repository — actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
Run OSV Scanner — huntridge-labs/argus/.github/actions/scanner-osv@0.6.7

Actions used:

🔗 scanner-osv — OSV Dependency Scanner

`dependency-review` — Dependency Review