How do I gate pull requests on known vulnerabilities with GitHub Actions?
FAQ resource for your migration project.
FAQ resource for How do I gate pull requests on known vulnerabilities with GitHub Actions?.
Answer
Use the maintained vibgrate/cli Action: `uses: vibgrate/cli@v1` with `vulns: true`, `fail-on: error`, and `upload-sarif: true`. It scans installed dependencies against OSV, fails the check on critical/high findings (blocking the merge), and uploads the SARIF to code scanning in one step — the workflow needs `permissions: security-events: write`. Check out with `fetch-depth: 0` so each finding is attributed to the commit that introduced it. The copy-paste template is examples/github-actions/vulnerabilities-sarif.yml; the raw-CLI equivalent is `npx @vibgrate/cli scan --vulns --format sarif --out vibgrate.sarif --fail-on error` followed by github/codeql-action/upload-sarif@v3.