This is the first release of the Drupal package security scanner tool. Your Drupal project must be Composer-based. It is a very simple tool that leverages drush pm:security
to analyze the security advisories released by Drupal.org. The implementation is containerized, so it will not interfere with any locally installed packages.
Features
- Easily add an action for scanning your project's Drupal packages.
- Whitelisting feature for stopping false positives from failing a build.
Usage
To use this action, include it in a step like so:

jobs:
  check-security:
    ...
    - uses: lpeabody/[email protected]
If you want to ignore certain flagged packages, or if you have confirmed that a flagged package is a false positive, you can tell the scanner to ignore those packages by listing them as a comma-separated string of name:version entries:

jobs:
  check-security:
    ...
    - uses: lpeabody/[email protected]
      with:
        allowed: 'drupal/group:1.0.0-rc5,drupal/false_positive:5.2.0'
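As an added illustration (not the action's own code), here is a POSIX shell function that applies an allowlist in the same comma-separated name:version form to a constructed set of flagged packages. It requires an exact name and version match, so an allowlisted package that is later flagged at a newer version still fails the check; the package names and versions below are made up.

```shell
#!/bin/sh
# Constructed sample findings in "name:version" form, one per line.
# These are not real advisories; they only exercise the allowlist logic.
FLAGGED="drupal/group:1.0.0-rc5
drupal/example_module:1.2.0
drupal/false_positive:5.2.0"

# Print every flagged entry that is NOT present in the allowlist.
#   $1 = newline-separated flagged "name:version" entries
#   $2 = comma-separated allowlist in the same "name:version" form
unallowed_findings() {
  flagged="$1"
  allowed="$2"
  printf '%s\n' "$flagged" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    # Wrap both sides in commas so a match is always a whole entry,
    # never a substring of a longer package name or version.
    case ",$allowed," in
      *",$entry,"*) ;;                 # exact name:version match: ignored
      *) printf '%s\n' "$entry" ;;     # anything else is still reported
    esac
  done
}

# Succeed (exit 0) only when nothing remains after allowlisting;
# a failing status is what would fail the build.
scan_passes() {
  [ -z "$(unallowed_findings "$1" "$2")" ]
}

# Stand-alone run: report leftovers for the constructed allowlist.
unallowed_findings "$FLAGGED" 'drupal/group:1.0.0-rc5,drupal/false_positive:5.2.0'
```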