Conda dependency submission action

This action scans Conda environment.yaml files and submits the dependencies it finds to GitHub's dependency graph. GitHub does not raise Dependabot alerts for OS-level (conda) packages, but it will alert on any PyPI dependencies defined in the environment.yaml.

Treat all Conda packages as Python (optional)

Set treatAsPython: true to submit every dependency in Conda manifests as a Python (PyPI) package. This mirrors the behavior of the Python-focused Conda beta in dependabot-core.

Notes:

  • Names are normalized like Python package names (lowercased, with _ and . replaced by -).
  • Top-level conda deps are reported as pkg:pypi/... purls when the option is enabled.
  • The python interpreter package itself is skipped.
  • For wildcard, constraint, or build-string specs (anything other than an exact pin), the purl omits the version.
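The following is an added, illustrative reimplementation of those rules in Python; it is not the action's own code. It parses the `dependencies:` block of a constructed environment.yaml (including a nested `pip:` list, which this example assumes is reported as PyPI packages too), applies the name normalization, interpreter skip, and exact-pin rule from the notes above, and produces the per-package `resolved` entries (`package_url`, `relationship`, `scope`) that the Dependency Submission API accepts for a manifest. The `pkg:conda/...` form emitted when treat_as_python is off is an assumption of this example, not documented output of the action.

```python
import re

# Constructed sample environment.yaml (not a file from the action's repository);
# it exercises every spec shape the notes above mention.
SAMPLE_ENV_YAML = """\
name: analysis
channels:
  - conda-forge
dependencies:
  - python=3.11
  - numpy=1.26.4
  - Scikit_Learn=1.4.2=py311h0db9a4d_0
  - pandas>=2.0
  - matplotlib=3.8.*
  - conda-forge::pyyaml=6.0.1
  - requests
  - pip
  - pip:
    - PyJWT==2.8.0
    - ruamel.yaml>=0.18
prefix: /opt/envs/analysis
"""


def parse_dependencies(text):
    """Minimal parser for the `dependencies:` block: a list of conda specs plus an
    optional nested `pip:` list. Real tooling would use yaml.safe_load; this keeps
    the example free of third-party imports."""
    conda, pip = [], []
    in_deps = in_pip = False
    pip_indent = 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # a new top-level key
            in_deps, in_pip = line == "dependencies:", False
            continue
        if not in_deps or not line.lstrip().startswith("- "):
            continue
        indent = len(line) - len(line.lstrip())
        item = line.lstrip()[2:].strip()
        if item == "pip:":
            in_pip, pip_indent = True, indent
        elif in_pip and indent > pip_indent:
            pip.append(item)
        else:
            in_pip = False
            conda.append(item)
    return conda, pip


def normalize_name(name):
    """PEP 503-style normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned_version(constraint):
    """Version for an exact pin (`=1.2.3` or `==1.2.3`), else None.
    Wildcards, comparison operators, multiple clauses and conda build strings
    (`=1.2.3=py311_0`) are not exact pins, so the purl omits the version."""
    if constraint.startswith("=="):
        version = constraint[2:]
    elif constraint.startswith("="):
        version = constraint[1:]
    else:
        return None
    if not version or re.search(r"[=*<>!~,|\s]", version):
        return None
    return version


# name, optional pip extras like [security], then the remaining constraint text
_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def split_spec(spec):
    """Split a conda match spec or PEP 508 requirement into (name, constraint).
    A leading `channel::` prefix and any pip extras are dropped."""
    spec = spec.split("::")[-1].strip()
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"unparseable dependency spec: {spec!r}")
    return m.group(1), m.group(3).strip()


def make_purl(ptype, name, version):
    return f"pkg:{ptype}/{name}" + (f"@{version}" if version else "")


def conda_purl(spec, treat_as_python=True):
    """purl for a top-level conda dependency, or None when it is skipped.
    The pkg:conda fallback is an assumption for this example."""
    name, constraint = split_spec(spec)
    version = pinned_version(constraint)
    if treat_as_python:
        if name.lower() == "python":  # the interpreter is not a PyPI package
            return None
        return make_purl("pypi", normalize_name(name), version)
    return make_purl("conda", name, version)


def pip_purl(spec):
    """purl for an entry under the `pip:` subsection (always a PyPI package)."""
    name, constraint = split_spec(spec)
    return make_purl("pypi", normalize_name(name), pinned_version(constraint))


def resolve_manifest(text, treat_as_python=True):
    """Map each reported dependency to a `resolved` entry in the shape the
    Dependency Submission API takes for one manifest."""
    conda, pip = parse_dependencies(text)
    purls = [conda_purl(s, treat_as_python) for s in conda] + [pip_purl(s) for s in pip]
    return {p: {"package_url": p, "relationship": "direct", "scope": "runtime"}
            for p in purls if p is not None}


if __name__ == "__main__":
    for purl in resolve_manifest(SAMPLE_ENV_YAML):
        print(purl)
```

Run against the sample, the interpreter line disappears, `Scikit_Learn=1.4.2=py311h0db9a4d_0` collapses to `pkg:pypi/scikit-learn` (build string, so no version), `matplotlib=3.8.*` and `pandas>=2.0` lose their constraints, and only the exact pins (`numpy`, `pyyaml`, `PyJWT`) carry an `@version`. That is the behaviour to expect when reading alerts: an unpinned or wildcard spec is submitted without a version, so vulnerability matching for it depends on what GitHub can infer, not on the version actually installed.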

Example workflow

name: Conda dependency submission

on:
  workflow_dispatch:
  push:

permissions:
  id-token: write
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Conda dependency scanning
        uses: jhutchings1/[email protected]
        with:
          treatAsPython: true

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

About

GitHub Action that scans Conda manifest files and submits their dependencies to GitHub's Dependency Graph.
