Scan licenses for the only changed dependencies for GitHub pull request { Question }

[eb-trigo]

Hey,

I'd like to know if it's possible to run the GitHub Action "Security and Licence Scan" for each GitHub's PR CI pipeline and scan only the changed dependencies. That is, if there were changes in the dependency files, scan them and for each library check what its licenses are?

The second question: is it possible to set a list of approved licenses by us and if the tool finds a license that does not exist on the list the GitHub build will fail fast?

Thanks!

[prabhu]

Hi @eb-trigo

Thank you for raising this ticket. Both the features you have requested currently do not exist in the scan product. Feature 1 is a bit involved since we essentially do not keep track of the reports produced in each run. Some users have implemented custom scripts to store the json reports in a cloud storage such as s3 and use tools such as json diff to determine the changes.

Feature 2 should be possible to implement. Will add it to the roadmap.

[eb-trigo]

Hey @prabhu,

Can you show me a GitHub action example for Feature 2?

Thanks!

[prabhu]

I meant should be possible to implement by us. I will let you know as soon as it is ready for testing.