Last updated: 25 Apr 2025

Dependency Review

The Dependency Review action is a Software Composition Analysis (SCA) scan that compares the dependencies of the old and new code (the base and head of a change) to identify any packages that have been added, removed or upgraded, and reports any known vulnerabilities in the new dependency set. It's configured as a reusable workflow and should be included as a job in the CI pipeline of every GOV.UK repository. Because every repository calls the same reusable workflow, enhancements to the scanning process can be managed centrally rather than repeated in each project.

Add Dependency Review to a project

To use the Dependency Review reusable workflow, add the following job to the jobs section of your CI workflow:

dependency-review:
  name: Dependency Review scan
  uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main
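As an added example (not code from the page or from the govuk-infrastructure repository), here is a complete caller workflow with the job in place, so it is clear where the snippet above sits. The file name, the `on:` trigger, the `test` job and its command are assumptions; the only line the page mandates is the `uses:` reference. The trigger is `pull_request` because dependency review needs a base and a head revision to diff, which a pull request supplies; the page does not state the reusable workflow's own trigger requirements.

```yaml
# .github/workflows/ci.yml  (file name and surrounding jobs are assumptions)
name: CI

on:
  pull_request:   # assumed: gives the scan a base ref and a head ref to compare

jobs:
  test:
    name: Run tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bundle exec rake   # placeholder for the project's own test command

  dependency-review:
    name: Dependency Review scan
    # Reusable workflow from the page. It runs with whatever permissions the
    # calling repository's GITHUB_TOKEN grants to this job; a called workflow
    # can never exceed the caller's permissions.
    uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main
```

The `dependency-review` job has no `runs-on` or `steps` of its own: a job that `uses:` a reusable workflow delegates those to the called workflow, which is what lets the scanning logic be changed centrally without touching each repository's CI file.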

Where to find Security Alerts

Alerts can always be found in the job logs. A job summary is also displayed beneath the workflow run on GitHub, listing the dependency changes along with any vulnerabilities found.

Dealing with Security Alerts

See this guidance on security alerts.