README
¶
Trusty Dependency Analysis Action
Get a security and quality analysis of your dependencies with TrustyPkg!
Features
- Check if the dependencies are malicious, deprecated or archived
- Assess the quality and security of your dependencies using TrustyPkg activity hueristics
- See if it contains a source of origin to a legitimate code repository using sigstore and Trusty's historical provenance algorithm
- Understand if the package is a possible typo squatting attack
- Get a list of recommended alternatives to the dependency
Overview
This action takes any added dependencies within a pull request and assesses their quality using the Trusty API. If any dependencies are found to be below a certain threshold (See details below), the action will fail.
If any dependencies are malicious, deprecated, or archived, the action will also fail.
Full Language Support (inline with Trusty):
- Python
- JavaScript
- Java
- Rust
- Go
Usage
To use this action, you can add the following to your workflow:
name: TrustyPkg Dependency Check
on:
pull_request:
branches:
- main
jobs:
trusty_pkg_check:
runs-on: ubuntu-latest
name: Check Dependencies with TrustyPkg
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: TrustyPkg Action
uses: stacklok/trusty-action@v0.0.1
with:
score_threshold: 5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Inputs
Only one input is available for this action:
score_threshold: The minimum score required for a dependency to be considered
high quality. Anything below this score will fail the action.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.