GitHub has introduced the Dependency Review GitHub Action, which scans pull requests for changes to dependencies and fails the check if any newly added dependency has known vulnerabilities.
Dependabot already warns developers when vulnerabilities are found in their existing dependencies; the new feature is aimed at catching vulnerable packages at the moment they are added, before the change is merged.
The feature is available for private repositories with a GitHub Advanced Security license and for all public repositories. It can be found on the GitHub Marketplace and under the “Security” heading of the “Actions” tab of a repository.
Dependency Review GitHub Action is backed by an API endpoint that diffs the dependencies between any two revisions. It is used by adding the new dependency review action to an existing workflow in one of the repository's projects.
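A minimal workflow that wires the action into a pull-request check, added here as an example rather than taken from the article. The `@v4` tags and the `fail-on-severity` and `deny-licenses` inputs are assumed from the action's own documentation, not stated on the page.

```yaml
# .github/workflows/dependency-review.yml  (example, not from the article)
name: Dependency review

on:
  pull_request:
    branches: [main]

# Least privilege: the action only needs read access to the repository.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request head
        uses: actions/checkout@v4

      - name: Diff dependencies against the base branch and fail on vulnerable additions
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a newly added dependency carries an advisory
          # at this severity or higher (input name assumed from the action's README).
          fail-on-severity: moderate
          # Also block additions whose license the project does not accept
          # (input name assumed from the action's README).
          deny-licenses: GPL-3.0, AGPL-3.0
```

Because the job runs on every pull request, a vulnerable or disallowed dependency blocks the merge instead of surfacing later as a Dependabot alert.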