Merge pull request github#26469 from github/saritai/dependency-review-api-and-action

Dependency review API and Action

Author: saritai

assets/images/help/graphs/dependency-review-action.png

@@ -49,4 +49,18 @@ Dependency review supports the same languages and package management ecosystems
 ## Enabling dependency review
 
 The dependency review feature becomes available when you enable the dependency graph. For more information, see "{% ifversion ghec %}[Enabling the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph){% elsif ghes %}[Enabling the dependency graph for your enterprise](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise){% endif %}."
-{% endif %}
+{% endif %}
+
+{% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %}
+## Dependency review enforcement
+
+{% data reusables.dependency-review.dependency-review-action-beta-note %}
+
+You can use the Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see [`dependency-review-action`](https://github.com/actions/dependency-review-action).
+
+![Dependency review action example](/assets/images/help/graphs/dependency-review-action.png)
+
+The Dependency Review GitHub Action check will fail if it discovers any vulnerable package, but will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)."
+
+The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)."
+{% endif %}

content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review.md

@@ -34,6 +34,10 @@ shortTitle: Review dependency changes
 
 Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "[About dependency review](/code-security/supply-chain-security/about-dependency-review)."
 
+{% ifversion fpt or ghec or ghes > 3.5 or ghae-issue-6396 %}
+You can use the Dependency Review GitHub Action to help enforce dependency reviews on pull requests in your repository. For more information, see "[Dependency review enforcement](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)."
+{% endif %}
+
 ## Reviewing dependencies in a pull request
 
 {% data reusables.repositories.sidebar-pr %}

content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request.md

@@ -0,0 +1,16 @@
+---
+title: Dependency graph
+intro: 'With the Dependency Graph API, you can view dependency changes and their security impact on your repository.'
+versions:
+  fpt: '*'
+  ghes: '>=3.6'
+  ghec: '*'
+  ghae: 'issue-6396'
+topics:
+  - API
+miniTocMaxHeadingLevel: 3
+---
+
+<!--
+  Operations are automatically generated. Markdown for this page is located in data/reusables/rest-reference/dependency-graph
+-->

content/rest/reference/dependency-graph.md

@@ -22,6 +22,7 @@ children:
   - /collaborators
   - /commits
   - /dependabot
+  - /dependency-graph
   - /deploy_keys
   - /deployments
   - /emojis

content/rest/reference/index.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note**: The Dependency Review GitHub Action is currently in public beta and subject to change.
+
+{% endnote %}

data/reusables/dependency-review/dependency-review-action-beta-note.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note**: The Dependency Review API is currently in public beta and subject to change.
+
+{% endnote %}

data/reusables/dependency-review/dependency-review-api-beta-note.md

@@ -0,0 +1,5 @@
+## Dependency review
+
+{% data reusables.dependency-review.dependency-review-api-beta-note %}
+
+The Dependency Review API allows you to understand dependency changes, and the security impact of these changes, before you add them to your environment. You can view the diff of dependencies between two commits of a repository, including vulnerability data for any version updates with known vulnerabilities. For more information about dependency review, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."

data/reusables/rest-reference/dependency-graph/dependency-review.md

@@ -1133,6 +1133,7 @@
         "requestPath": "/repos/{owner}/{repo}/dependabot/secrets/{secret_name}"
       }
     ],
+    "dependency-graph": [],
     "deploy_keys": [
       {
         "slug": "list-deploy-keys",