Last updated: 25 Apr 2025

Dependency Review

The Dependency Review action is a Software Composition Analysis (SCA) scan which diffs the old code and new code to identify whether there are any changes to the dependencies included in the project. It’s configured as a reusable workflow and should be included as a job in the CI pipeline of all GOV.UK repositories. The reusable workflow enables enhancements to the scanning process to be managed centrally.

Add Dependency Review to a project

To use the Dependency Review reusable workflow, add the following job to the jobs section of your CI workflow:

dependency-review:
  name: Dependency Review scan
  uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main

Where to find Security Alerts

Alerts can always be found in the job logs. There’s also a job summary displayed beneath the GitHub Action run where changes are summarised, along with any vulnerabilities found.

Dealing with Security Alerts

See this guidance on security alerts.

More in the Testing section

Learn

• Brakeman
• CodeQL
• How we test GOV.UK
• Pact Testing
• Security Alerts Guidance

How to...

• Run a load test with k6
• Test & build a project with GitHub Actions