Apr 11, 2022
GitHub can now alert of supply-chain bugs in new dependencies
Posted by Genevieve Klien in category: security
GitHub can now block, and alert you to, pull requests that introduce new dependencies affected by known supply-chain vulnerabilities.
This is achieved by adding the new Dependency Review GitHub Action to an existing workflow in one of your projects. You can do it through your repository’s Actions tab under Security or straight from the GitHub Marketplace.
It is backed by a new Dependency Review REST API endpoint that compares the dependency graph of a pull request's base commit with that of its head commit, so you can see the security impact of a dependency change on every pull request, before it is merged into your repository.
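The two pieces described above, the Action added to a workflow and the comparison endpoint behind it, as one worked example. This is an added illustration, not code from the page or from GitHub's own action; the file path, the `@v1` tag, the job names and the `gh`/`jq` gate in the second job are assumptions made for the example (that second job only shows what the compare endpoint returns and is not how the official action is implemented):

```yaml
# .github/workflows/dependency-review.yml   (path is an assumption)
# Added example: runs on every pull request and fails the check when the PR
# adds a dependency that carries a known advisory.
name: Dependency Review
on: [pull_request]

permissions:
  contents: read   # enough for the action to read both dependency graphs

jobs:
  # The supported way: drop the Dependency Review Action into the workflow.
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v1

  # Illustration only (assumed job, not part of the action): the same
  # base...head comparison the action performs, called directly against the
  # Dependency Review REST endpoint with the gh CLI and filtered with jq.
  raw-compare:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: List added dependencies with advisories and fail if any exist
        run: |
          BASE="${{ github.event.pull_request.base.sha }}"
          HEAD="${{ github.event.pull_request.head.sha }}"
          # Each element describes one changed package; change_type is
          # "added" or "removed" and vulnerabilities lists matching advisories.
          gh api "/repos/${{ github.repository }}/dependency-graph/compare/${BASE}...${HEAD}" > compare.json
          jq -r '.[] | select(.change_type == "added" and (.vulnerabilities | length) > 0)
                 | "\(.ecosystem)/\(.name)@\(.version): \(.vulnerabilities | map(.severity) | join(","))"' compare.json
          # jq -e exits non-zero when the final result is false, which fails the step.
          jq -e '[.[] | select(.change_type == "added" and (.vulnerabilities | length) > 0)] | length == 0' compare.json \
            || { echo "::error::pull request adds dependencies with known advisories"; exit 1; }
```

Keep `permissions` minimal: the action only needs to read the repository's dependency graph, so `contents: read` is sufficient, and the same token is what the `gh api` call in the illustrative job uses. The `raw-compare` job is there to make the mechanism visible; in practice the single `dependency-review` job is all you add.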