Github Action for using the lpeabody/drupal-security Docker image to check Drupal package security advisories.
With composer.json and composer.lock in the current working directory:
jobs:
check-security:
...
- uses: lpeabody/[email protected]
With composer.json and composer.lock elsewhere, specify the path to the directory which contains those files:
jobs:
check-security:
...
- uses: lpeabody/[email protected]
working-directory: /path/to/composer/files
If you need to whitelist a security package due to false positives (or you just want to ignore this youshouldneverignoresecuritywarnings), add a comma-separated list of package names and version pairings:
jobs:
check-security:
...
- uses: lpeabody/[email protected]
with:
allowed: 'drupal/group:1.0.0-rc5,drupal/false_positive:5.2.0'