You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
echo "::notice title=Dependency Review not enforced::Dependency Review requires GitHub Dependency Graph support. Enable Dependency Graph in repository settings, then set repository variable ENABLE_DEPENDENCY_REVIEW=true to enforce this gate."
31
+
echo "Dependency Review skipped because ENABLE_DEPENDENCY_REVIEW is not set to true."
Copy file name to clipboardExpand all lines: docs/GITHUB_SECURITY_AUTOMATION.md
+16-1Lines changed: 16 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,8 +32,23 @@ Major updates are grouped separately so breaking changes are visible and can be
32
32
33
33
The README badge uses the Scorecard API badge so it reflects the published Scorecard result rather than only the workflow run status.
34
34
35
+
36
+
## Dependency Review Action
37
+
38
+
GitHub Dependency Review is useful, but it only works after the repository Dependency Graph is available. GitHub documents that dependency review becomes available when the dependency graph is enabled. For this reason, `.github/workflows/dependency-review.yml` is intentionally guarded by the repository variable `ENABLE_DEPENDENCY_REVIEW`.
39
+
40
+
Recommended setup:
41
+
42
+
1. Open **Settings → Security and analysis**.
43
+
2. Enable **Dependency graph**.
44
+
3. Enable Dependabot alerts/security updates if available for the repository.
45
+
4. Open **Settings → Secrets and variables → Actions → Variables**.
46
+
5. Add repository variable `ENABLE_DEPENDENCY_REVIEW` with value `true`.
47
+
48
+
Until that variable is set, the workflow posts a notice and exits successfully so Dependabot pull requests are not blocked by an unavailable GitHub API feature. Once the repository is configured, setting the variable to `true` turns the workflow into an enforcement gate with `fail-on-severity: high`.
49
+
35
50
## Troubleshooting
36
51
37
-
If Dependabot does not open pull requests, check **Insights → Dependency graph → Dependabot** and confirm that version updates are enabled for the repository.
52
+
If Dependabot does not open pull requests, check **Insights → Dependency graph → Dependabot** and confirm that version updates are enabled for the repository. If the Dependency Review workflow says that dependency review is not supported, enable **Settings → Security and analysis → Dependency graph** and set `ENABLE_DEPENDENCY_REVIEW=true`.
38
53
39
54
If Scorecard fails with `Resource not accessible by integration`, verify that repository Actions permissions allow `GITHUB_TOKEN` to read repository metadata and upload code scanning alerts. For private repositories, the Scorecard job also includes `issues: read`, `pull-requests: read`, and `checks: read` to avoid GraphQL/SAST visibility gaps.
AssertNotNull(frame.Asdu,"Type 5 ASDU must decode");
153
153
AssertEqual(5,frame.Asdu!.TypeId,"Type 5 id");
154
-
AssertTrue(frame.Asdu.IdentificationText?.Contains("ARIEC60870 Relay Simulator",StringComparison.Ordinal)==true,"identification text must be extracted");
154
+
AssertTrue(!string.IsNullOrWhiteSpace(frame.Asdu.IdentificationText),"identification text must be extracted");
155
+
AssertTrue(frame.Asdu.IdentificationText!.Contains("Relay Simulator",StringComparison.Ordinal),"identification text must include relay simulator label");
0 commit comments