Dependency Vulnerability Gate
Purpose
The dependency vulnerability gate blocks pull requests that introduce newly added vulnerable dependencies. It diffs the PR base and head with the GitHub Dependency Review API and applies two configurable severity thresholds.
It complements Snyk: Snyk monitors the whole project on a schedule, while this gate catches a vulnerable dependency at the moment a PR adds it, before it reaches a stable branch. See the original requirement in camunda/camunda#29729.
How it runs
Two CI jobs in `ci.yml` cooperate, both gated on `detect-changes.outputs.deps-changed == 'true'`:

- `pr-maven-snapshot` — submits the resolved Maven dependency tree for the PR head SHA via the GitHub Dependency Submission API, so transitive (BOM-pinned) dependencies appear in the diff.
- `pr-vuln-check` — runs the reusable `dependency-vuln-check` action from `camunda/infra-global-github-actions`, which calls the Dependency Review API and applies the blocking rules below.
The base side of the diff is provided by the scheduled `maven-dependency-snapshot.yml` workflow, which submits the base-branch snapshot on `main` and each `stable/*` branch.
Blocking rules
For every dependency whose `change_type` is `added` and whose `scope` is gated (default: `runtime`):
| Vulnerability | Blocked? |
|---|---|
| Fix available, severity ≥ `fail-on-fixable-severity` (default `low`, i.e. any severity) | ✅ Yes |
| No fix, severity ≥ `fail-on-severity` (default `high`) | ✅ Yes |
| Severity below the applicable threshold | ❌ No |
| Dependency scope not gated (e.g. `development`) | ❌ No (non-blocking notice) |
| GHSA listed in `allow-ghsas` | ❌ No (non-blocking warning) |
| `removed` or `unchanged` dependency | ❌ No |
Rationale: an available fix means there is no excuse to ship the vulnerable version, so any fixable vulnerability blocks; unfixable vulnerabilities block only at `high`/`critical` with the default thresholds. Version downgrades are covered — the lower vulnerable version shows up as `added` in the diff and is evaluated normally.
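The blocking rules and the `allow-ghsas` exception, re-implemented below as an added, stand-alone illustration that is not the code of the `dependency-vuln-check` action. It assumes the diff is the Dependency Review API's list of per-dependency objects and that a `first_patched_version` field on each vulnerability stands in for "fix available" (an assumption about the payload); it runs over a constructed diff that includes a version downgrade.

```python
# Added example, not the action's own code: the blocking rules table as a function,
# run over a constructed Dependency Review diff. `first_patched_version` standing
# in for "fix available" is an assumption about the API payload.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

def evaluate(diff, gated_scopes=("runtime",), fail_on_fixable_severity="low",
             fail_on_severity="high", allow_ghsas=()):
    """Return (blocking, notices): lists of (dependency, GHSA, reason)."""
    allowed = {g.lower() for g in allow_ghsas}  # matching is case-insensitive
    blocking, notices = [], []
    for dep in diff:
        if dep["change_type"] != "added":  # removed/unchanged are never evaluated
            continue
        label = f"{dep['name']}@{dep['version']}"
        for vuln in dep.get("vulnerabilities", []):
            ghsa = vuln["advisory_ghsa_id"]
            if dep.get("scope") not in gated_scopes:  # e.g. development scope
                notices.append((label, ghsa, f"scope {dep.get('scope')} not gated"))
                continue
            if ghsa.lower() in allowed:  # vetted exception, still surfaced as warning
                notices.append((label, ghsa, "allow-listed GHSA"))
                continue
            fixable = bool(vuln.get("first_patched_version"))
            threshold = fail_on_fixable_severity if fixable else fail_on_severity
            if SEVERITY_RANK[vuln["severity"]] >= SEVERITY_RANK[threshold]:
                blocking.append((label, ghsa, f"{vuln['severity']} >= {threshold}"
                                 + (" (fix available)" if fixable else " (no fix)")))
    return blocking, notices

def advisory(ghsa, severity, fixed=None):
    return {"advisory_ghsa_id": ghsa, "severity": severity, "first_patched_version": fixed}

# Constructed diff: the downgrade of lib-a appears as removed 2.0.0 plus added 1.0.0.
SAMPLE_DIFF = [
    {"name": "lib-a", "version": "2.0.0", "change_type": "removed", "scope": "runtime",
     "vulnerabilities": []},
    {"name": "lib-a", "version": "1.0.0", "change_type": "added", "scope": "runtime",
     "vulnerabilities": [advisory("GHSA-aaaa-aaaa-aaaa", "moderate", fixed="1.0.1")]},
    {"name": "lib-b", "version": "3.1.0", "change_type": "added", "scope": "runtime",
     "vulnerabilities": [advisory("GHSA-bbbb-bbbb-bbbb", "moderate")]},
    {"name": "lib-c", "version": "0.9.0", "change_type": "added", "scope": "development",
     "vulnerabilities": [advisory("GHSA-cccc-cccc-cccc", "critical")]},
    {"name": "lib-d", "version": "5.0.0", "change_type": "added", "scope": "runtime",
     "vulnerabilities": [advisory("GHSA-dddd-dddd-dddd", "critical")]},
    {"name": "lib-e", "version": "7.0.0", "change_type": "added", "scope": "runtime",
     "vulnerabilities": [advisory("GHSA-eeee-eeee-eeee", "high")]},
]
```

With the default thresholds and `GHSA-dddd-dddd-dddd` allow-listed, only the fixable moderate downgrade (lib-a) and the unfixable high (lib-e) block; the moderate unfixable lib-b passes and lib-c/lib-d become notices.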
Skipped PRs
`pr-vuln-check` does not run for:

- Backport PRs (`head_ref` starts with `backport`) — the code was already gated on `main`.
- The backport bot (`monorepo-devops-automation[bot]`).
- PRs that change no dependency manifests (`deps-changed == false`).
Configuring exceptions
To vet and suppress a specific advisory, add its GHSA ID to `.github/dependency-review-config.json`:

```json
{
  "allow-ghsas": [
    "GHSA-xxxx-xxxx-xxxx"
  ]
}
```

Matching is case-insensitive. Each entry should carry a tracking issue and a review-by date. This file is protected by `CODEOWNERS`, so exceptions require security review.
Pilot phase
`pr-vuln-check` currently runs with `continue-on-error: true` — it reports findings as a PR comment and job annotation but does not block merges yet. Once existing open-PR findings are triaged, `continue-on-error` is removed in a follow-up change and the gate becomes blocking.
Limitations
- Evaluates only newly added dependencies in the PR diff; dependencies already on the base branch are not re-scanned — Snyk covers ongoing monitoring.
- For transitive / BOM-pinned dependencies to appear, both base and head commits need a submitted dependency snapshot.
- Direct-to-stable PRs (not via `main`) rely on the per-stable-branch base snapshot; transitive coverage there depends on that snapshot being current.