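# GitHub Action metadata for a Docker-based wrapper around OWASP dep-scan.
# Each input is forwarded to the container as a CLI argument in `runs.args`;
# indentation below follows the usual two-space action.yml layout.
name: "dep-scan-action"
author: "AppThreat & cob0"
description: >-
  Fully open-source GitHub Action for performing security audits on project
  dependencies using dep-scan, based on known vulnerabilities and advisories.
  No server required!

inputs:
  src:
    description: "Source directory to scan. Defaults to workspace"
    required: false
    default: "/github/workspace"
  profile:
    description: "Name of the profile to use (appsec, research, operational, threat-modeling, license-compliance, generic)"
    required: false
    default: "generic"
  project_type:
    # No default: when the caller leaves this unset, the `-t` entry in
    # `runs.args` is followed by an empty value.
    # NOTE(review): confirm dep-scan treats an empty `-t` as "auto-detect".
    description: "Override project type if auto-detection is incorrect (https://github.com/owasp-dep-scan/dep-scan?tab=readme-ov-file#supported-languages-and-package-format)"
    required: false
  thank_you:
    # Not referenced in `runs.args`; it reaches the container only through
    # the INPUT_THANK_YOU environment variable that GitHub sets for Docker
    # actions -- presumably read by the image itself, verify if relied upon.
    description: "Indicate you have sponsored OWASP dep-scan"
    required: false
    default: "I have not sponsored OWASP-dep-scan."

runs:
  using: "docker"
  # `release-5.x` is a mutable tag: every run pulls whatever the registry
  # currently serves under that name. For a reproducible, tamper-evident
  # supply chain, pin to an immutable digest
  # (`docker://ghcr.io/owasp-dep-scan/dep-scan@sha256:<DIGEST-PLACEHOLDER>`)
  # and bump it deliberately.
  image: "docker://ghcr.io/owasp-dep-scan/dep-scan:release-5.x"
  args:
    # `--debug` makes the scanner's output verbose; that output lands in the
    # job log, so review it before enabling on repositories with restricted
    # log visibility requirements.
    - "--debug"
    - "--deep"
    - "--explain"
    - "--profile"
    # Expression values are quoted so an empty or boolean-looking expansion
    # is still parsed as a string rather than null/bool.
    - "${{ inputs.profile }}"
    - "-i"
    - "${{ inputs.src }}"
    - "-t"
    - "${{ inputs.project_type }}"

branding:
  icon: "shield"
  color: "green"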