# require-dependency-review-action

Rule catalog ID: R091

## Targeted pattern scope

Workflow files whose path indicates a dependency review workflow, such as `.github/workflows/dependency-review.yml`.

## What this rule reports

This rule reports dependency review workflow files that do not invoke `actions/dependency-review-action`.

## Why this rule exists

If a workflow is intended to perform dependency review, it should actually run the dependency review action. Otherwise the workflow name and file path advertise security coverage that the repository is not really getting.
### ❌ Incorrect

```yaml
name: "Dependency Review"
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
```

### ✅ Correct

```yaml
name: "Dependency Review"
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/dependency-review-action@v4
```
## Additional examples
This rule is file-path-driven, which keeps it precise without forcing every repository to adopt a global workflow-existence contract.
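The check the rule performs, as an added stand-alone re-implementation in plain JavaScript (not the plugin's own code): the function names, the path pattern and the sample workflows are assumptions constructed for this illustration. It also shows why a reusable wrapper workflow trips the rule, which is the case the "When not to use it" section covers.

```javascript
// Added illustration, not code from eslint-plugin-github-actions-2.
// Path filter (assumption): a workflow under .github/workflows whose file name
// contains "dependency-review" is treated as a dependency review workflow.
const DEP_REVIEW_PATH = /(^|\/)\.github\/workflows\/[^/]*dependency-review[^/]*\.ya?ml$/i;

function isDependencyReviewWorkflow(filePath) {
  return DEP_REVIEW_PATH.test(filePath.replace(/\\/g, "/"));
}

// Collect every `uses:` reference. In Actions syntax `uses:` is always a scalar,
// so a line scan is enough; quotes and trailing comments are stripped.
function collectUses(workflowText) {
  const refs = [];
  for (const line of workflowText.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'#\s]+)/);
    if (m) refs.push(m[1]);
  }
  return refs;
}

// Only the official action counts; the tag or commit SHA after "@" may vary.
// A reusable wrapper workflow (org/repo/.github/workflows/x.yml@ref) does not
// match, so repositories that rely on one disable the rule instead.
function isDependencyReviewAction(ref) {
  return /^actions\/dependency-review-action(@\S+)?$/.test(ref);
}

// Returns lint messages; empty when the file passes or is outside the rule's scope.
function checkDependencyReview(filePath, workflowText) {
  if (!isDependencyReviewWorkflow(filePath)) return [];
  if (collectUses(workflowText).some(isDependencyReviewAction)) return [];
  return [{
    ruleId: "require-dependency-review-action",
    message: `${filePath} advertises dependency review but never runs actions/dependency-review-action`,
  }];
}

// Constructed sample workflows: the page's incorrect and correct cases, plus a
// job-level call to a hypothetical reusable wrapper workflow.
const HEADER = "name: Dependency Review\non: [pull_request]\njobs:\n  review:\n";
const STEPS = HEADER + "    runs-on: ubuntu-latest\n    steps:\n";
const INCORRECT_WORKFLOW = STEPS + "      - uses: actions/checkout@v5\n";
const CORRECT_WORKFLOW = INCORRECT_WORKFLOW + "      - uses: actions/dependency-review-action@v4\n";
const WRAPPER_WORKFLOW = HEADER + "    uses: octo-org/security-workflows/.github/workflows/dependency-review.yml@main\n";

for (const [label, text] of [["incorrect", INCORRECT_WORKFLOW], ["correct", CORRECT_WORKFLOW], ["wrapper", WRAPPER_WORKFLOW]]) {
  console.log(label, checkDependencyReview(".github/workflows/dependency-review.yml", text));
}
```

Running it reports the incorrect and wrapper workflows and passes the correct one; the same incorrect content under a path such as `.github/workflows/ci.yml` is out of scope and produces nothing.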
## ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.security];
```
## When not to use it
Disable this rule if the repository intentionally uses a differently named workflow file or a reusable wrapper workflow for dependency review.