Adding a dependency scan or static code analysis step to GitHub Actions usually means creating an account, generating a token and adding a secret. DepWarden is different: one Action step, no account, no secret, covering both your dependencies (SCA) and your source code (SAST).
```yaml
- name: Security scan
  uses: Rushabh5000/dep-warden/cli@main
  with:
    file: package-lock.json
    fail-on: high
```

No `secrets:`, no `env:`. The Action sends the manifest text to the DepWarden API and exits non-zero if the threshold is breached.
```yaml
- name: Security scan
  uses: Rushabh5000/dep-warden/cli@main
  with:
    file: package-lock.json
    fail-on: high
    sast-dir: ./src
    sast-fail-on: high
```

SAST covers JavaScript, TypeScript, Python, Java, Go, PHP, Ruby, C#, Rust, Shell and IaC — detecting injection, hardcoded secrets, weak cryptography, framework misconfigurations and 300+ more rules across 15 languages.
npm, PyPI, Maven, Gradle, Go, Rust, Ruby, .NET, PHP, Dart, Swift — manifests, lockfiles and CycloneDX/SPDX SBOMs.
```yaml
- uses: Rushabh5000/dep-warden/cli@main
  with:
    file: package-lock.json
    base-file: ${{ github.event.pull_request.base.sha }}/package-lock.json
    fail-on-new: high
```

Only newly-added dependencies with HIGH or CRITICAL findings block the PR. The existing backlog doesn't.
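To make the `fail-on-new` gating concrete, here is an added illustration (not DepWarden's own code) of the logic it describes: diff a base and head `package-lock.json`, keep only packages that are new in the PR, and fail only if one of those meets the severity threshold. The lockfiles and the per-package severities are constructed sample data standing in for the API's findings.

```python
"""Illustrative 'new dependencies only' gate; not DepWarden's implementation."""
import json

# A threshold such as `fail-on-new: high` is breached by HIGH and CRITICAL alike.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def lockfile_packages(lock_text: str) -> set[tuple[str, str]]:
    """Return {(name, version)} from a lockfile v2/v3 'packages' map."""
    pkgs = set()
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        pkgs.add((name, meta.get("version", "")))
    return pkgs


def new_dependencies(base_text: str, head_text: str) -> set[tuple[str, str]]:
    """Packages present in the PR head lockfile but absent from the base."""
    return lockfile_packages(head_text) - lockfile_packages(base_text)


def gate(base_text: str, head_text: str, findings: dict, fail_on_new: str = "high"):
    """Return (should_fail, blocking): new packages whose worst finding meets the threshold.

    `findings` maps (name, version) -> worst severity; it is a constructed stand-in
    for the scan result, so pre-existing backlog packages never block even if HIGH.
    """
    threshold = SEVERITY_RANK[fail_on_new.lower()]
    blocking = sorted(
        pkg for pkg in new_dependencies(base_text, head_text)
        if SEVERITY_RANK.get(findings.get(pkg, "none"), 0) >= threshold
    )
    return bool(blocking), blocking


# Constructed sample lockfiles: the PR adds left-pad and minimist; lodash was already there.
BASE_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/lodash": {"version": "4.17.20"}}})
HEAD_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/minimist": {"version": "0.0.8"}}})
# Constructed severities (not real advisories): lodash is backlog, so it is ignored.
FINDINGS = {("lodash", "4.17.20"): "high", ("left-pad", "1.3.0"): "medium",
            ("minimist", "0.0.8"): "critical"}

if __name__ == "__main__":
    print(gate(BASE_LOCK, HEAD_LOCK, FINDINGS, "high"))  # (True, [('minimist', '0.0.8')])
```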
CVEs from OSV enriched with CISA KEV and FIRST EPSS; typosquatting and dependency confusion; EOL release lines; deprecated packages; OpenSSF Scorecard health; license risk.
The manifest text is processed in a session-isolated workspace. No source is stored, no account is linked, and no telemetry on dependency names is retained beyond the scan.