A Github action to run .net package dependency checks & display results in a Github pull request.
tonycknight/pkgchk-action

pkgchk-action

A GitHub action that runs .NET package dependency checks and reports the results in pull requests.

(Screenshot: Vulnerabilities)

How to use

Simply include the action in your workflow like so:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

Use the step in your PR checks, or in your regular build workflow checks:

(Screenshot: Checks)

Outstanding upgrades can be searched for, and builds stopped if any are found:

(Screenshot: Checks)

⚠️ This action only works with .Net SDK 8 or later. Check your global.json and other settings to avoid incompatibilities.

What the options mean

Scanning for vulnerabilities

The main options you'll need to provide are below. Most options have defaults; with those defaults the scan reports high and critical severity vulnerabilities.

| Option | What's it for? | Default |
| --- | --- | --- |
| `project-path` | The relative path to the solution or project | The solution file in the working directory |
| `scan-issues` | Scan for vulnerabilities, deprecations, etc. | `true` |
| `deprecated` | Include deprecated packages in the scan | `false` |
| `vulnerable` | Include vulnerable packages in the scan | `true` |
| `transitives` | Include transitive packages in the scan | `true` |
| `fail-on-critical` | Fail scans if critical severity vulnerabilities or deprecation reasons are found | `true` |
| `fail-on-high` | Fail scans if high severity vulnerabilities are found | `true` |
| `fail-on-moderate` | Fail scans if moderate severity vulnerabilities are found | `false` |
| `fail-on-legacy` | Fail scans if packages are found to be deprecated for legacy reasons | `false` |
| `github-title` | The title to give to the PR vulnerabilities report | `Package vulnerabilities` |

Checking for upgrades

If you want to check for outstanding upgrades, these additional options are available:

| Option | What's it for? | Default |
| --- | --- | --- |
| `project-path` | The relative path to the solution or project | The solution file in the working directory |
| `scan-upgrades` | Scan for upgrades | `false` |
| `fail-on-upgrades` | Set to `true` to stop builds with outstanding upgrades | `false` |
| `github-upgrade-title` | The title to give to the PR upgrades report | `Package upgrades` |

Common options

Some options are available to control the action's credentials, tracing, etc. You shouldn't need to use these in most cases.

| Option | What's it for? | Default |
| --- | --- | --- |
| `pass-img` | URI of a report image for successful scans | (none) |
| `fail-img` | URI of a report image for failed scans | (none) |
| `restore-solution` | Restore the solution or project | `true` |
| `restore-tools` | Restore tools | `true` |
| `github-token` | A GitHub token to push reports to PRs | `github.token` |
| `repo` | The repository name in `owner/repo` form | `github.repository` |
| `prid` | The pull request ID | `github.event.number` |
| `commit-hash` | The GitHub commit hash | `github.sha` |
| `trace` | Output trace logging to the console | `false` |
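The snippets in this README show only the action step. The complete workflow below is an added example, not part of the README or the pkgchk-action project: it wires the step into a pull-request check, pins the .NET SDK to 8 (the version the action requires), and combines the options from the tables above so that high and critical vulnerabilities and critical deprecations block the merge, while moderate findings, legacy deprecations and outstanding upgrades are only reported. The `permissions` block, the `main` branch filter and the `src/MyApp.sln` path are assumptions for illustration; the README does not state which token scopes the report step needs, so adjust them if the report fails to post.

```yaml
# Added example workflow (not from the pkgchk-action README).
name: Dependency scan

on:
  pull_request:
    branches: [main]   # assumed branch name

# Assumption: the default github.token needs pull-request write access to
# post the reports to the PR; contents:read is enough for checkout.
permissions:
  contents: read
  pull-requests: write

jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      # The action requires .NET SDK 8 or later; pin it here so the scan
      # does not depend on whatever SDK is preinstalled on the runner.
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Run SCA
        uses: tonycknight/pkgchk-action@v1
        with:
          project-path: src/MyApp.sln   # assumed; defaults to the solution in the working directory
          scan-issues: true
          vulnerable: true
          deprecated: true
          transitives: true
          fail-on-critical: true        # critical vulnerabilities and deprecations block the PR
          fail-on-high: true            # high severity vulnerabilities block the PR
          fail-on-moderate: false       # moderate findings are reported only
          fail-on-legacy: false         # legacy deprecations are reported only
          scan-upgrades: true
          fail-on-upgrades: false       # outstanding upgrades are reported only
          github-title: Package vulnerabilities
          github-upgrade-title: Package upgrades
```

Keeping `fail-on-upgrades` and `fail-on-legacy` at `false` means a PR still surfaces stale or legacy-deprecated packages in its report without being blocked by housekeeping that the PR author did not cause; the blocking thresholds stay on the vulnerability severities.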

Some examples

What's the minimum I need?

You'll need to first checkout the repository. The default options will scan for High and Critical vulnerabilities.

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

I want to scan a specific project...

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    project-path: src/testproj.csproj
```

I want to scan for every possible problem and stop builds...

Easy: ensure `vulnerable`, `deprecated` and `transitives` are `true`, and all the `fail-on-*` options are also `true`:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: true
    fail-on-high: true
    fail-on-moderate: true
    fail-on-legacy: true
    fail-on-upgrades: true
```

I want to scan for every possible problem with only reports...

Easy: ensure `vulnerable`, `deprecated` and `transitives` are `true`, and all the `fail-on-*` options are `false`:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    scan-issues: true
    scan-upgrades: true
    vulnerable: true
    deprecated: true
    transitives: true
    fail-on-critical: false
    fail-on-high: false
    fail-on-moderate: false
    fail-on-legacy: false
    fail-on-upgrades: false
```

I want to put images on the report

Simple: just set URLs in the `pass-img` and `fail-img` parameters, like so:

```yaml
- uses: actions/checkout@v6

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
  with:
    pass-img: https://media.tenor.com/4h0Z--sGHgsAAAAC/jason-momoa-folding-chair.gif
    fail-img: https://i.pinimg.com/474x/b4/74/fe/b474fe41f458a648fcfac0145a4dbd2e.jpg
```

I have a private nuget repository

Set up .NET with the private NuGet source before scanning:

```yaml
- uses: actions/checkout@v6

- name: Add nuget source
  uses: actions/setup-dotnet@v4
  with:
    source-url: https://nuget.pkg.github.com/<owner>/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

- name: Run SCA
  uses: tonycknight/pkgchk-action@v1
```

Licence

pkgchk-action is licenced under MIT.

For pkgchk-cli refer to its own licencing.
