From 6d5a799f8ca82ab000a901340b1fe894dd8eb140 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 02:50:30 +0530
Subject: [PATCH 01/10] Add dependency review workflow to scan for license violations and CVEs
---
 .../workflows/dependency-review-action.yml | 144 ++++++++++++++++++
 1 file changed, 144 insertions(+)
 create mode 100644 .github/workflows/dependency-review-action.yml
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
new file mode 100644
index 0000000..1f9604e
--- /dev/null
+++ b/.github/workflows/dependency-review-action.yml
@@ -0,0 +1,144 @@
+# Automatically scans every PR for newly added dependencies
+# Blocks merges on license violations (GPL/LGPL/restrictive)
+# Flags CVEs with moderate+ severity
+# Docs: https://github.com/actions/dependency-review-action
+
+ name: Dependency Review
+
+ on:
+ pull_request:
+ branches:
+ - main
+ - master
+ - develop
+ # Only re-run when dependency manifests actually change
+ paths:
+ # JavaScript / TypeScript / Node
+ - "package.json"
+ - "package-lock.json"
+ - "yarn.lock"
+ - "pnpm-lock.yaml"
+ # Python
+ - "requirements*.txt"
+ - "Pipfile.lock"
+ - "pyproject.toml"
+ - "poetry.lock"
+ # Rust
+ - "Cargo.toml"
+ - "Cargo.lock"
+ # Go
+ - "go.mod"
+ - "go.sum"
+ # Java / Kotlin / Android
+ - "pom.xml"
+ - "build.gradle"
+ - "build.gradle.kts"
+ - "*.gradle"
+ # Ruby
+ - "Gemfile.lock"
+ # Docker / Infrastructure
+ - "Dockerfile"
+ - "docker-compose*.yml"
+ # GitHub Actions themselves
+ - ".github/workflows/*.yml"
+
+ permissions:
+ contents: read # Required to read the repo content
+# pull-requests: write # Required to post review comments on the PR
+
+ jobs:
+ dependency-review:
+ name: Dependency & License Review
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Run Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ # ── VULNERABILITY SETTINGS ──────────────────────────
+ # Fail if any newly added dependency has a CVE at this
+ # severity level or above. Options: low | moderate | high | critical
+ fail-on-severity: moderate
+
+ # Also fail if CVEs exist but no fix is yet available
+ # Useful for blocking known-bad packages even if unpatched
+ fail-on-scopes: runtime
+
+ # ── LICENSE ENFORCEMENT ─────────────────────────────
+ # DENY: Copyleft & restrictive licenses that conflict with
+ # open-source permissive projects at AOSSIE.
+ # Full SPDX list: https://spdx.org/licenses/
+ deny-licenses: >-
+ GPL-2.0,
+ GPL-3.0,
+ LGPL-2.0,
+ LGPL-2.1,
+ LGPL-3.0,
+ AGPL-1.0,
+ AGPL-3.0,
+ EUPL-1.0,
+ EUPL-1.1,
+ EUPL-1.2,
+ CC-BY-NC-1.0,
+ CC-BY-NC-2.0,
+ CC-BY-NC-2.5,
+ CC-BY-NC-3.0,
+ CC-BY-NC-4.0,
+ SSPL-1.0
+
+ # ALLOW EXCEPTIONS: Packages that are explicitly approved
+ # even if they match a denied license pattern.
+ # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
+ # ── Edit this list when adding approved exceptions ──
+ allow-dependencies-licenses: >-
+ pkg:npm/@aossie/core,
+ pkg:npm/@myorg/mypackage
+
+ # ── SCOPE FILTERING ─────────────────────────────────
+ # Skip dev-only dependencies (test frameworks, linters, etc.)
+ # They are not shipped to production so risk is lower.
+ # Set to "all" to also scan devDependencies.
+ # Options: runtime | development | all
+ # Using "runtime" keeps noise low in template repos
+ # where dev deps vary wildly by project type.
+ # Uncomment the line below to enforce on devDeps too:
+ # deny-on-scopes: development
+ allow-ghsas: "" # Leave empty to block all known GHSAs
+
+ # ── OUTPUT & COMMENTS ────────────────────────────────
+ # Post a detailed summary comment directly on the PR
+ # comment-summary-in-pr: always
+
+ # Warn (don't fail) for packages with no license info.
+ # Change to "true" to block unlicensed packages.
+ warn-only: false
+
+ # ── VULNERABILITY DATABASE ───────────────────────────
+ # Use the GitHub Advisory Database (GHSA) as the source.
+ # This is the default; listed explicitly for clarity.
+ # vulnerability-check: true # default
+
+ # Post a status summary badge to PR
+ # summarize:
+ # name: Post Review Summary
+ # runs-on: ubuntu-latest
+ # needs: dependency-review
+ # if: always()
+
+ # steps:
+ # - name: 📋 Summarize Result
+ # run: |
+ # if [ "${{ needs.dependency-review.result }}" == "success" ]; then
+ # echo "✅ Dependency review passed — no license violations or CVEs found."
+ # else
+ # echo "❌ Dependency review failed — check the PR comment for details."
+ # echo ""
+ # echo "Common fixes:"
+ # echo " • Replace GPL-licensed packages with MIT/Apache-2.0 equivalents"
+ # echo " • Upgrade vulnerable packages to patched versions"
+ # echo " • Add an explicit exception to allow-dependencies-licenses if intentional"
+ # fi
\ No newline at end of file
From 670e7085acd154d8d29eb4576645261a026f0b07 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 03:02:00 +0530
Subject: [PATCH 02/10] Update .github/workflows/dependency-review-action.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review-action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 1f9604e..3e9a1ba 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -64,8 +64,8 @@ jobs:
 # severity level or above. Options: low | moderate | high | critical
 fail-on-severity: moderate
- # Also fail if CVEs exist but no fix is yet available
- # Useful for blocking known-bad packages even if unpatched
+ # Which dependency scopes to check for vulnerabilities
+ # Options: runtime | development | unknown (comma-separated)
 fail-on-scopes: runtime
 # ── LICENSE ENFORCEMENT ─────────────────────────────
From cca5fc79ce41bad11fc3a27af5811e003e637620 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 03:02:35 +0530
Subject: [PATCH 03/10] Update .github/workflows/dependency-review-action.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review-action.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
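Review bot: Both `uses:` lines in this hunk, `actions/checkout@v4` and `actions/dependency-review-action@v4`, resolve a mutable tag, so the job that gates the repository's supply chain is itself only as trustworthy as whoever can move that tag. Pin each to a full-length commit SHA and keep the tag as a trailing comment, `uses: actions/dependency-review-action@<full-commit-sha>  # v4`, and let Dependabot's `github-actions` ecosystem bump the SHA on new releases. The read-only `permissions:` block is the right pairing for that and should stay as it is.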
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 3e9a1ba..1a5b3e6 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -94,9 +94,13 @@ jobs:
 # even if they match a denied license pattern.
 # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
 # ── Edit this list when adding approved exceptions ──
- allow-dependencies-licenses: >-
- pkg:npm/@aossie/core,
- pkg:npm/@myorg/mypackage
+ # ALLOW EXCEPTIONS: Packages that are explicitly approved
+ # even if they match a denied license pattern.
+ # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
+ # ── Edit this list when adding approved exceptions ──
+ # allow-dependencies-licenses: >-
+ # pkg:npm/example-package,
+ # pkg:pypi/example-package
 # ── SCOPE FILTERING ─────────────────────────────────
 # Skip dev-only dependencies (test frameworks, linters, etc.)
From 67d9472eb147f8173d84e48b9a6a3d297b588a5d Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 03:07:12 +0530
Subject: [PATCH 04/10] Update denied licenses in dependency review workflow for clarity and specificity
---
 .../workflows/dependency-review-action.yml | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 1a5b3e6..6cfba59 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -73,22 +73,29 @@ jobs:
 # open-source permissive projects at AOSSIE.
 # Full SPDX list: https://spdx.org/licenses/
 deny-licenses: >-
- GPL-2.0,
- GPL-3.0,
- LGPL-2.0,
- LGPL-2.1,
- LGPL-3.0,
- AGPL-1.0,
- AGPL-3.0,
- EUPL-1.0,
- EUPL-1.1,
- EUPL-1.2,
- CC-BY-NC-1.0,
- CC-BY-NC-2.0,
- CC-BY-NC-2.5,
- CC-BY-NC-3.0,
- CC-BY-NC-4.0,
- SSPL-1.0
+ GPL-2.0-only,
+ GPL-2.0-or-later,
+ GPL-3.0-only,
+ GPL-3.0-or-later,
+ LGPL-2.0-only,
+ LGPL-2.0-or-later,
+ LGPL-2.1-only,
+ LGPL-2.1-or-later,
+ LGPL-3.0-only,
+ LGPL-3.0-or-later,
+ AGPL-1.0-only,
+ AGPL-1.0-or-later,
+ AGPL-3.0-only,
+ AGPL-3.0-or-later,
+ EUPL-1.0,
+ EUPL-1.1,
+ EUPL-1.2,
+ CC-BY-NC-1.0,
+ CC-BY-NC-2.0,
+ CC-BY-NC-2.5,
+ CC-BY-NC-3.0,
+ CC-BY-NC-4.0,
+ SSPL-1.0
 # ALLOW EXCEPTIONS: Packages that are explicitly approved
 # even if they match a denied license pattern.
From 6e1b3b33938e62bc8a12e563c9238f64cf87f137 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 03:08:40 +0530
Subject: [PATCH 05/10] Update .github/workflows/dependency-review-action.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .github/workflows/dependency-review-action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 6cfba59..29040ef 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -124,8 +124,8 @@ jobs:
 # Post a detailed summary comment directly on the PR
 # comment-summary-in-pr: always
- # Warn (don't fail) for packages with no license info.
- # Change to "true" to block unlicensed packages.
+ # Fail (don't just warn) on license violations.
+ # Change to "true" to only warn without failing.
 warn-only: false
 # ── VULNERABILITY DATABASE ───────────────────────────
From 1d733ad5a3d50ea5b87626a6d30fefa55bff381a Mon Sep 17 00:00:00 2001
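Review bot: In the `@@ -124,8 +124,8 @@` hunk the rewritten comment scopes `warn-only` to license violations, but the input applies to every finding the action produces, so `warn-only: true` would also demote the `fail-on-severity` CVE gate to a warning. Suggest `# Fail (don't just warn) on vulnerability and license findings.` followed by `# Setting this to "true" turns every finding, CVEs included, into a warning.` so that nobody flips it expecting the vulnerability gate to survive.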
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 19:10:34 +0530
Subject: [PATCH 06/10] Update dependency review workflow to specify allowed licenses for clarity
---
 .../workflows/dependency-review-action.yml | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 29040ef..02c0371 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -72,30 +72,30 @@ jobs:
 # DENY: Copyleft & restrictive licenses that conflict with
 # open-source permissive projects at AOSSIE.
 # Full SPDX list: https://spdx.org/licenses/
- deny-licenses: >-
- GPL-2.0-only,
- GPL-2.0-or-later,
- GPL-3.0-only,
- GPL-3.0-or-later,
- LGPL-2.0-only,
- LGPL-2.0-or-later,
- LGPL-2.1-only,
- LGPL-2.1-or-later,
- LGPL-3.0-only,
- LGPL-3.0-or-later,
- AGPL-1.0-only,
- AGPL-1.0-or-later,
- AGPL-3.0-only,
- AGPL-3.0-or-later,
- EUPL-1.0,
- EUPL-1.1,
- EUPL-1.2,
- CC-BY-NC-1.0,
- CC-BY-NC-2.0,
- CC-BY-NC-2.5,
- CC-BY-NC-3.0,
- CC-BY-NC-4.0,
- SSPL-1.0
+ allow-licenses: >-
+ MIT,
+ Apache-2.0,
+ BSD-2-Clause,
+ BSD-3-Clause,
+ ISC,
+ CC0-1.0,
+ Unlicense,
+ GPL-2.0-only,
+ GPL-2.0-or-later,
+ GPL-3.0-only,
+ GPL-3.0-or-later,
+ LGPL-2.0-only,
+ LGPL-2.0-or-later,
+ LGPL-2.1-only,
+ LGPL-2.1-or-later,
+ LGPL-3.0-only,
+ LGPL-3.0-or-later,
+ AGPL-3.0-only,
+ AGPL-3.0-or-later,
+ MPL-2.0,
+ EUPL-1.2,
+ Python-2.0,
+ PSF-2.0
 # ALLOW EXCEPTIONS: Packages that are explicitly approved
 # even if they match a denied license pattern.
From 2b3906678e2a6a7afeb7e4d9a94c18a9a7fce7b4 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 19:56:18 +0530
Subject: [PATCH 07/10] Refine dependency review workflow comments and add support for YAML file extensions
---
 .github/workflows/dependency-review-action.yml | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
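Review bot: Replacing `deny-licenses` with `allow-licenses` inverts the failure mode: anything not matched against this list now fails, which as far as I can tell includes dependencies whose license cannot be resolved at all, and those will need `allow-dependencies-licenses` entries rather than another identifier in the list. Compound SPDX expressions (`MIT OR Apache-2.0`, or `Apache-2.0 WITH LLVM-exception`, common in Rust crates) also deserve a trial against a real PR before this becomes a required status, since the list names only simple identifiers and the evaluation rule is not documented here. A one-line comment above the key stating both consequences would save the next person that investigation, e.g. `# Unlisted or unresolvable licenses fail; use allow-dependencies-licenses for per-package exceptions.`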
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 02c0371..411a7e2 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -1,5 +1,6 @@
 # Automatically scans every PR for newly added dependencies
-# Blocks merges on license violations (GPL/LGPL/restrictive)
+# Blocks merges if a dependency license is NOT in the allow-list
+# Also AOSSIE not only is favorable to copyleft licenses but prefers them.
 # Flags CVEs with moderate+ severity
 # Docs: https://github.com/actions/dependency-review-action
@@ -40,8 +41,10 @@ on:
 # Docker / Infrastructure
 - "Dockerfile"
 - "docker-compose*.yml"
+ - "docker-compose*.yaml"
 # GitHub Actions themselves
 - ".github/workflows/*.yml"
+ - ".github/workflows/*.yaml"
 permissions:
 contents: read # Required to read the repo content
@@ -53,9 +56,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout Repository
- uses: actions/checkout@v4
-
 - name: Run Dependency Review
 uses: actions/dependency-review-action@v4
 with:
@@ -69,8 +69,8 @@ jobs:
 fail-on-scopes: runtime
 # ── LICENSE ENFORCEMENT ─────────────────────────────
- # DENY: Copyleft & restrictive licenses that conflict with
- # open-source permissive projects at AOSSIE.
+ # ALLOW: Only these licenses are permitted in new dependencies.
+ # PRs introducing any other license will fail automatically.
 # Full SPDX list: https://spdx.org/licenses/
 allow-licenses: >-
 MIT,
@@ -97,10 +97,6 @@ jobs:
 Python-2.0,
 PSF-2.0
- # ALLOW EXCEPTIONS: Packages that are explicitly approved
- # even if they match a denied license pattern.
- # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
- # ── Edit this list when adding approved exceptions ──
 # ALLOW EXCEPTIONS: Packages that are explicitly approved
 # even if they match a denied license pattern.
 # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
From 7c105b1d1a7d969311b13bcf54d0cc9e7f8ba915 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 20:56:26 +0530
Subject: [PATCH 08/10] Refactor comments in dependency review workflow for clarity and update exception handling instructions
---
 .github/workflows/dependency-review-action.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index 411a7e2..a880684 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -1,6 +1,5 @@
 # Automatically scans every PR for newly added dependencies
 # Blocks merges if a dependency license is NOT in the allow-list
-# Also AOSSIE not only is favorable to copyleft licenses but prefers them.
 # Flags CVEs with moderate+ severity
 # Docs: https://github.com/actions/dependency-review-action
@@ -97,8 +96,8 @@ jobs:
 Python-2.0,
 PSF-2.0
- # ALLOW EXCEPTIONS: Packages that are explicitly approved
- # even if they match a denied license pattern.
+ # PER-PACKAGE EXCEPTIONS: Packages excluded from license checks entirely.
+ # Use for packages with unrecognized/non-standard license declarations.
 # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
 # ── Edit this list when adding approved exceptions ──
 # allow-dependencies-licenses: >-
@@ -113,7 +112,7 @@ jobs:
 # Using "runtime" keeps noise low in template repos
 # where dev deps vary wildly by project type.
 # Uncomment the line below to enforce on devDeps too:
- # deny-on-scopes: development
+ # fail-on-scopes: runtime, development
 allow-ghsas: "" # Leave empty to block all known GHSAs
 # ── OUTPUT & COMMENTS ────────────────────────────────
From 87c0c41d110ad0097c6562a1f41b16e951e2f8f7 Mon Sep 17 00:00:00 2001
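Review bot: In the `@@ -113,7 +112,7 @@` hunk the new commented-out `# fail-on-scopes: runtime, development` sits under an instruction to uncomment it, but `fail-on-scopes: runtime` is already set in the same `with:` block above this hunk, so following the instruction produces a duplicate mapping key, which the workflow parser rejects. Rewrite the two lines as `# To also gate devDependencies, change the fail-on-scopes value above to: runtime, development` and drop the uncomment wording. The surrounding SCOPE FILTERING comments still advertise `all` as an option, which conflicts with the `runtime | development | unknown` list given beside the live key in an earlier commit.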
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Wed, 18 Mar 2026 23:18:44 +0530
Subject: [PATCH 09/10] Update dependency review workflow to use glob patterns for file paths
---
 .../workflows/dependency-review-action.yml | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index a880684..c9f8591 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -15,32 +15,32 @@ on:
 # Only re-run when dependency manifests actually change
 paths:
 # JavaScript / TypeScript / Node
- - "package.json"
- - "package-lock.json"
- - "yarn.lock"
- - "pnpm-lock.yaml"
+ - "**/package.json"
+ - "**/package-lock.json"
+ - "**/yarn.lock"
+ - "**/pnpm-lock.yaml"
 # Python
- - "requirements*.txt"
- - "Pipfile.lock"
- - "pyproject.toml"
- - "poetry.lock"
+ - "**/requirements*.txt"
+ - "**/Pipfile.lock"
+ - "**/pyproject.toml"
+ - "**/poetry.lock"
 # Rust
- - "Cargo.toml"
- - "Cargo.lock"
+ - "**/Cargo.toml"
+ - "**/Cargo.lock"
 # Go
- - "go.mod"
- - "go.sum"
+ - "**/go.mod"
+ - "**/go.sum"
 # Java / Kotlin / Android
- - "pom.xml"
- - "build.gradle"
- - "build.gradle.kts"
- - "*.gradle"
+ - "**/pom.xml"
+ - "**/build.gradle"
+ - "**/build.gradle.kts"
+ - "**/*.gradle"
 # Ruby
- - "Gemfile.lock"
+ - "**/Gemfile.lock"
 # Docker / Infrastructure
- - "Dockerfile"
- - "docker-compose*.yml"
- - "docker-compose*.yaml"
+ - "**/Dockerfile"
+ - "**/docker-compose*.yml"
+ - "**/docker-compose*.yaml"
 # GitHub Actions themselves
 - ".github/workflows/*.yml"
 - ".github/workflows/*.yaml"
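Review bot: Prefixing the globs with `**/` fixes the root-only matching, but a `paths:` allow-list remains an incomplete trigger for a security gate: manifests the dependency graph understands but that are not listed here, such as `composer.lock`, `*.csproj` or `packages.lock.json`, `Package.resolved` and `pubspec.lock`, never start this workflow at all. There is a second effect once the check is made required in branch protection: a PR touching none of these paths shows the check as permanently pending, because a path-filtered workflow never reports a status. The simpler and safer shape is to drop `paths:` and run on every `pull_request`; the action compares the dependency graph between base and head, so an unrelated PR costs one short run and passes.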
@@ -144,7 +144,7 @@ jobs:
 # echo "❌ Dependency review failed — check the PR comment for details."
 # echo ""
 # echo "Common fixes:"
- # echo " • Replace GPL-licensed packages with MIT/Apache-2.0 equivalents"
+ # echo " • Replace dependencies using licenses not in allow-licenses"
 # echo " • Upgrade vulnerable packages to patched versions"
 # echo " • Add an explicit exception to allow-dependencies-licenses if intentional"
 # fi
\ No newline at end of file
From fea201702b6cb8d31feb3f04d29161cfdaa82760 Mon Sep 17 00:00:00 2001
From: kpj2006 <24ucs074@lnmiit.ac.in>
Date: Thu, 19 Mar 2026 01:53:56 +0530
Subject: [PATCH 10/10] Enable OpenSSF Scorecard checks in dependency review workflow
---
 .github/workflows/dependency-review-action.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/dependency-review-action.yml b/.github/workflows/dependency-review-action.yml
index c9f8591..df977ee 100644
--- a/.github/workflows/dependency-review-action.yml
+++ b/.github/workflows/dependency-review-action.yml
@@ -127,6 +127,9 @@ jobs:
 # Use the GitHub Advisory Database (GHSA) as the source.
 # This is the default; listed explicitly for clarity.
 # vulnerability-check: true # default
+ # Add explicitly so teams know it's active
+ show-openssf-scorecard: true
+ warn-on-openssf-scorecard-level: 3
 # Post a status summary badge to PR
 # summarize:
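Review bot: In the `@@ -127,6 +127,9 @@` hunk the two Scorecard inputs land under the `# ── VULNERABILITY DATABASE` heading, between the `vulnerability-check` comment and the commented-out summary job, so a reader will file them as an advisory-database setting; give them their own heading and document the number, since `3` is a threshold on the 0–10 OpenSSF Scorecard score below which the action warns. As the input name says, this warns and never fails the job, so `# Add explicitly so teams know it's active` should say that, e.g. `# Warn (never fail) when a new dependency's OpenSSF Scorecard score is below 3 (0-10 scale)`. These inputs exist only in recent v4 releases; if the action is later pinned to an older commit they are dropped with nothing but an unexpected-input warning in the run log, so confirm them against the pinned version's action.yml.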