# require-dependency-review-fail-on-severity

Rule catalog ID: R093

## Targeted pattern scope

Workflow steps that use `actions/dependency-review-action`.

## What this rule reports

This rule reports `actions/dependency-review-action` steps that omit `with.fail-on-severity`.

## Why this rule exists

Without an explicit severity threshold, the repository's vulnerability blocking posture is implicit. Requiring `fail-on-severity` makes that policy visible and reviewable in the workflow file.

## ❌ Incorrect

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
```

## ✅ Correct

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
```

## Additional examples

Repositories commonly use `moderate` or stricter thresholds so dependency review blocks only meaningful risk while keeping pull request friction manageable.
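The check below is an added, stand-alone illustration of what this rule enforces; it is not the plugin's own implementation. It assumes the workflow YAML has already been parsed into plain JavaScript objects (for example with js-yaml), and it goes one step further than the rule by also flagging a `fail-on-severity` value outside the set the action accepts.

```javascript
// Added example, not the plugin's code: mirrors rule R093 over a parsed workflow object.
const DEPENDENCY_REVIEW_ACTION = "actions/dependency-review-action";
// Thresholds accepted by the action's fail-on-severity input.
const VALID_SEVERITIES = new Set(["low", "moderate", "high", "critical"]);

// Returns one finding per dependency-review step that lacks a threshold or uses an unknown one.
function checkDependencyReviewSeverity(workflow) {
  const findings = [];
  const jobs = (workflow && workflow.jobs) || {};
  for (const [jobId, job] of Object.entries(jobs)) {
    const steps = Array.isArray(job.steps) ? job.steps : [];
    steps.forEach((step, index) => {
      const uses = typeof step.uses === "string" ? step.uses : "";
      // Match the action regardless of how its ref is pinned (@v4, @<sha>, ...).
      if (uses.split("@")[0] !== DEPENDENCY_REVIEW_ACTION) return;
      const severity = step.with ? step.with["fail-on-severity"] : undefined;
      const location = `jobs.${jobId}.steps[${index}]`;
      if (severity === undefined) {
        findings.push({ location, message: "dependency review step omits with.fail-on-severity" });
      } else if (!VALID_SEVERITIES.has(String(severity))) {
        findings.push({ location, message: `unknown fail-on-severity value "${severity}"` });
      }
    });
  }
  return findings;
}

// Constructed sample workflows, mirroring the Incorrect and Correct blocks above.
const incorrectWorkflow = {
  jobs: {
    "dependency-review": {
      "runs-on": "ubuntu-latest",
      steps: [{ uses: "actions/dependency-review-action@v4" }],
    },
  },
};
const correctWorkflow = {
  jobs: {
    "dependency-review": {
      "runs-on": "ubuntu-latest",
      steps: [{ uses: "actions/dependency-review-action@v4", with: { "fail-on-severity": "moderate" } }],
    },
  },
};

console.log(checkDependencyReviewSeverity(incorrectWorkflow)); // one finding at jobs.dependency-review.steps[0]
console.log(checkDependencyReviewSeverity(correctWorkflow)); // []
```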
## ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.security];
```

## When not to use it

Disable this rule if the repository intentionally accepts the action's default behavior and does not want to codify a severity threshold in workflow YAML.