listen.dev Dependency Scan

GitHub Action, v0.6.2 (latest version)

Real-time dependency insights in GitHub PRs 🐬

Installation

Copy and paste the following snippet into your .yml file.

```yaml
- name: listen.dev Dependency Scan
  uses: listendev/action@v0.6.2
```

Learn more about this action in listendev/action

listendev/action

Get real-time dependency insights in your pull requests 🐬

See demo video.

Usage

See action.yml.

Basic

```yaml
steps:
  - uses: listendev/action@v0.6
```

Full

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      # The GitHub API token.
      # Defaults to ${{ github.token }}
      token: "..."
      # The listen.dev JWT token.
      # Defaults to empty string.
      jwt: ${{ secrets.MY_JWT_TOKEN }}
      # Whether to enable the CI eavesdrop tool or not.
      # Works only on linux runners. Requires a valid `jwt` option.
      # Defaults to false.
      ci: "true|false"
      # The lstn version.
      # Defaults to the latest lstn release tag (recommended).
      lstn: "vX.Y.Z"
      # The working directory relative to the root one.
      # Defaults to the root directory.
      workdir: "."
      # The path to the YAML configuration file.
      # Or the path of the directory containing a .lstn.yaml file.
      # Defaults to empty.
      config: "..."
      # One or more reporting mechanisms (gh-pull-comment,gh-pull-review,gh-pull-check,pro)
      # Defaults to "gh-pull-comment" when there is no JWT input, to "pro" otherwise.
      reporter: "gh-pull-comment"
      # Additional lstn flags for power users
      lstn_flags: ""
```

Connect to listen.dev

Just create a secret and pass it to the jwt input...

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      ci: true
      jwt: ${{ secrets.MY_LISTENDEV_JWT }}
```

This instructs the action to report to listen.dev the verdicts for every dependency listed in the package-lock.json file found in the working directory.

When the action notices that the listen.dev JWT secret exists, it will automatically override the reporter to the pro one.

Because the ci option is set to true, it also starts the CI eavesdrop tool under the hood. Note that this only works on linux runners.

Where to get your JWT token?

Get your API key from the project settings

Do you also want to use another reporter together with the pro one?

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      jwt: ${{ secrets.MY_JWT }}
      lstn_flags: "--reporter gh-pull-comment"
```

Examples

Let's say you want the verdicts in JSON format...

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      lstn_flags: "--json"
```

Let's say you only care for high severity verdicts...

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      lstn: "v0.13.0"
      lstn_flags: "--select '@.severity == \"high\"'"
```

You can also select the verdicts with the select input.

Let's say we only care for dynamic instrumentation verdicts regarding processes...

```yaml
steps:
  - uses: listendev/action@v0.6
    with:
      select: "(@.file =~ \"^dynamic\" && \"process\" in @.categories)"
```
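Putting the inputs above together, here is an added, complete workflow file that wires the action into a pull request check. It is not taken from the listendev/action repository. The `permissions` block (the least privilege a PR-commenting scanner plausibly needs), the secret name `LISTENDEV_JWT`, and the initial `actions/checkout` step are assumptions not stated on this page; the action inputs themselves are the ones documented above.

```yaml
# Added example workflow (not from the listendev/action repository).
# Assumptions not stated on the page: the permissions block, the secret
# name LISTENDEV_JWT, and the checkout step.
name: dependency-scan

on:
  pull_request:

# Least-privilege token scopes (assumed): read the repository contents so
# the lockfile can be scanned, write to pull requests so the
# gh-pull-comment reporter can post its findings. Everything else is denied.
permissions:
  contents: read
  pull-requests: write

jobs:
  lstn:
    # The ci eavesdrop tool only works on linux runners.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: listendev/action@v0.6
        with:
          # Presence of the JWT switches the reporter to "pro" automatically.
          jwt: ${{ secrets.LISTENDEV_JWT }}
          # Enable the CI eavesdrop tool (requires the jwt above).
          ci: true
          # Scan the package-lock.json at the repository root.
          workdir: "."
          # Only surface high severity verdicts (select syntax from the page).
          select: '@.severity == "high"'
          # Keep the PR comment in addition to the pro reporter.
          lstn_flags: "--reporter gh-pull-comment"
```

Store the token under Settings > Secrets and variables > Actions as `LISTENDEV_JWT`; forks opening pull requests do not receive repository secrets, so for those runs the `jwt` input is empty and the action falls back to the `gh-pull-comment` reporter as documented above.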

Development

To develop this GitHub action you first need to install its dependencies:

```sh
npm run i
```

You can then use npm run build to compile it. Also, remember that on every pull request we check that you have run this command, so that the dist/ directory does not go out of sync.

You can also run unit tests locally with the npm run test command.

The CI makes extensive use of the official GitHub reusable workflows for developing actions following best practices (see the .github directory).

License

The scripts and documentation in this project are released under the Apache 2.0 license.

Contributions

Contributions are always welcome!

See contributor's guide.

Code of Conduct

Practice kindness. ✨

See our code of conduct.