Github action that fetches Github dependabot security alerts and report results as JSON.
First, you need to store your repository read-only token in repo secrets as DEPENDABOTALERTS_TOKEN.
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: "MTES-MCT/dependabotalerts-action@main"
with:
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
repositories: 'MTES-MCT/dashlord,MTES-MCT/dependabotalerts-action'
maxAlerts: 20
states: "OPEN,DISMISSED"
output: dependabotalerts.jsonTo test locally, install act. Put secrets DEPENDABOTALERTS_TOKEN=*** in .secrets file.
Launch:
npm run all
act -j units # unit tests
act -j action # test Github action locally