
Component detection dependency submission action

This GitHub Action runs the microsoft/component-detection library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.

Example workflows


```yaml
name: Component Detection

on:
  workflow_dispatch:
  push:

permissions:
  id-token: write
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Component detection
        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
```

Additional Experimental and DefaultOff detectors:

```yaml
name: Component Detection

on:
  workflow_dispatch:
  push:

permissions:
  id-token: write
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Component detection
        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
        with:
          # Experimental detectors: Poetry, UvLock, NpmLockfile3, Ivy
          # Default-off detectors: ConanLock, CondaLock, Dockerfile, Pip, SimplePip, Spdx22, Swift
          detectorArgs: Poetry=EnableIfDefaultOff,UvLock=EnableIfDefaultOff,NpmLockfile3=EnableIfDefaultOff,Ivy=EnableIfDefaultOff,ConanLock=EnableIfDefaultOff,CondaLock=EnableIfDefaultOff,Dockerfile=EnableIfDefaultOff,Pip=EnableIfDefaultOff,SimplePip=EnableIfDefaultOff,Spdx22=EnableIfDefaultOff,Swift=EnableIfDefaultOff
```

Configuration options

| Parameter | Description | Example |
| --- | --- | --- |
| filePath | The path to the directory containing the environment files to upload. Defaults to the Actions working directory. | '.' |
| directoryExclusionList | Filters out specific directories following a minimatch pattern. | test |
| detectorArgs | Comma-separated list of properties that can affect the detectors' execution, such as EnableIfDefaultOff, which allows a specific detector that is Experimental or DefaultOff to run. The format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | Pip=EnableIfDefaultOff |
| dockerImagesToScan | Comma-separated list of Docker image names or hashes to execute container scanning on. | ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
| detectorsFilter | A comma-separated list with the identifiers of the specific detectors to be used. | Pip, RustCrateDetector |
| detectorsCategories | A comma-separated list with the categories of components that are going to be scanned. The detectors that run are the ones that belong to those categories. | NuGet,Npm |
| correlator | An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the job_id of the current job. | csharp-backend |
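
The options above combined in one workflow, as an added example that is not part of the project's README: a matrix job scans two parts of a monorepo and gives each snapshot its own correlator. The directory layout (`services/api`, `web`), the `web-frontend` correlator and the matrix keys are assumptions made for illustration; the action inputs and version tag are the ones documented on this page.

```yaml
name: Component Detection (monorepo)

on:
  workflow_dispatch:
  push:

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    # Same permissions as the README workflows, scoped to this job
    # instead of the whole workflow.
    permissions:
      id-token: write
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          # Hypothetical layout: adjust paths and categories to your repository.
          - path: services/api
            categories: NuGet
            correlator: csharp-backend
          - path: web
            categories: Npm
            correlator: web-frontend
    steps:
      - uses: actions/checkout@v3
      - name: Component detection
        # Version tag as shown in the README.
        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
        with:
          # Scan only this leg's directory.
          filePath: ${{ matrix.path }}
          # Run only the detectors that belong to this leg's category.
          detectorsCategories: ${{ matrix.categories }}
          # Skip test directories (pattern taken from the table above).
          directoryExclusionList: test
          # Both matrix legs share one job_id, so the default correlator
          # could not tell their snapshots apart; set it per leg.
          correlator: ${{ matrix.correlator }}
```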

For more information: https://github.com/microsoft/component-detection

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.