Dependency Security Scanner
Dependency Security Scanner - Reusable Workflow
COMPOUND WRAPPER: Runs OSV (via argus CLI) + Dependency Review scanners in parallel.
OSV scanning: argus/scanners/osv.py (invoked via python -m argus scan osv)
Dependency Review: .github/actions/scanner-dependency-review/action.yml (GitHub-native)
Note: Dependency Review only works on pull_request events. On other triggers it skips gracefully with a warning annotation.
For GHES users: Use the composite actions directly instead of this workflow.
uses: huntridge-labs/argus/.github/workflows/dependency-scan.yml@1.1.0
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
contents |
read |
security-events |
write |
actions |
read |
pull-requests |
write |
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
scan_path |
Path to scan for lockfiles and dependency manifests string | No | . |
lockfile |
Specific lockfile path to scan (auto-discovers if empty) string | No | โ |
recursive |
Scan subdirectories recursively for lockfiles boolean | No | True |
enable_code_security |
Whether GitHub Code Security is enabled for this repository boolean | No | False |
fail_on_severity |
Fail if findings at or above this severity. Options: none, low, medium, high, critical. string | No | none |
post_pr_comment |
Post results as PR comment boolean | No | True |
vulnerability_check |
Dependency Review: enable vulnerability checking boolean | No | True |
license_check |
Dependency Review: enable license compliance checking boolean | No | False |
allow_licenses |
Dependency Review: comma-separated SPDX license identifiers to allow string | No | โ |
deny_licenses |
Dependency Review: comma-separated SPDX license identifiers to deny string | No | โ |
Jobs
osv-scan โ OSV Dependency Scan
Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Continue on error: Yes
Steps:
- Checkout repository โ
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - Set up Python โ
actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 - Install argus dependencies
- Run OSV Scanner via argus CLI
dependency-review โ Dependency Review
Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Continue on error: Yes
Steps:
- Checkout repository โ
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - Run Dependency Review Scanner โ
huntridge-labs/argus/.github/actions/scanner-dependency-review@1.1.0
Actions used:
- ๐
scanner-dependency-reviewโ Dependency Review Scanner
All Composite Actions Referenced
- ๐
scanner-dependency-reviewโ Dependency Review Scanner