This `gh` extension is designed to document what your workflows use, where possible, and to provide security scanning tooling that looks for potential vulnerabilities that could cause you issues.

It requires the following repository permission:

- Read contents - This application needs to read the contents of repositories (which may include private repositories) to pull down the actions defined in them, generate an accurate graph, and scan them properly.
The `graph-deps` subcommand scans your dependencies and generates a GraphViz file representing the relationships between dependencies within a workflow.

```shell
# Output graph to the default file name of `deps.graphviz`
gh actions-dependency-graph graph-deps testdata/test-workflow.yaml
# Output graph to a different file name
gh actions-dependency-graph graph-deps testdata/test-workflow.yaml -o test-workflow.graphviz
```
The `list-deps` subcommand works like `graph-deps`, but prints the dependency representation as text, with an additional level of indentation for each depth of dependent actions.

```shell
gh actions-dependency-graph list-deps testdata/test-workflow.yaml
```
The `scan` subcommand scans workflows for various potential issues. Below is a breakdown of the issues it reports and how to address them:

- Node Version EOL - Node 16 was marked as EOL in September 2023, so any actions run via Node.js should be upgraded to run on `node20`.
- Repo Jacking - Checks whether the action lives in a repository that is susceptible to repo jacking. If it is, contextual information is provided on how to update the reference to fix this vulnerability.

```shell
# Scan and output the results in plain text
gh actions-dependency-graph scan testdata/test-workflow.yaml
# Scan and output the results in JSON
gh actions-dependency-graph scan testdata/test-workflow.yaml -o json
```
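As an added illustration of what `graph-deps` and the Node EOL check in `scan` do under the hood (example code, not the extension's own implementation), the script below resolves the `uses:` references of a workflow recursively through composite actions, emits the resulting edges as GraphViz DOT, and flags any action whose `action.yml` declares an end-of-life Node runtime. The workflow, the `example-org/*` action names and their `action.yml` contents are constructed sample data; a real scanner would read them from the repositories using the read permission described above.

```python
import re

# Constructed sample inputs (not real repositories): a workflow and the action.yml of
# each action it pulls in. A real scanner would read these from the repositories.
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/composite-setup@v1
      - run: make test
"""
ACTION_METADATA = {
    "example-org/checkout": "runs:\n  using: node20\n  main: dist/index.js\n",
    "example-org/composite-setup": "runs:\n  using: composite\n  steps:\n    - uses: example-org/legacy-cache@v2\n",
    "example-org/legacy-cache": "runs:\n  using: node16\n  main: index.js\n",
}
EOL_RUNTIMES = {"node12", "node16"}  # Node 16 reached end of life in September 2023

def fetch(action):
    """Stand-in for reading action.yml from the action's repository."""
    return ACTION_METADATA.get(action, "")

def extract_uses(text):
    """owner/repo of every pinned `uses:` reference; local and docker:// refs are skipped."""
    return re.findall(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)\S*@\S+", text, re.M)

def build_graph(root, text, graph=None, seen=None):
    """Recursively record parent -> children edges; `seen` guards against cycles."""
    graph, seen = ({} if graph is None else graph), (set() if seen is None else seen)
    graph[root] = extract_uses(text)
    for child in graph[root]:
        if child not in seen:
            seen.add(child)
            build_graph(child, fetch(child), graph, seen)
    return graph

def to_dot(graph):
    """Render the edges as GraphViz DOT, the format graph-deps writes."""
    edges = [f'  "{p}" -> "{c}";' for p, cs in graph.items() for c in cs]
    return "\n".join(["digraph deps {", *edges, "}"])

def eol_node_actions(graph):
    """Actions whose action.yml declares a Node runtime that is past end of life."""
    found = {a: re.search(r"^\s*using:\s*(\S+)", fetch(a), re.M) for a in graph}
    return sorted(a for a, m in found.items() if m and m.group(1) in EOL_RUNTIMES)
```

Note that the transitive edge through `example-org/composite-setup` is what makes the EOL runtime visible: the workflow never references `example-org/legacy-cache` directly.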