v1.0.1 is out

Bomly Guard

Review Dependency Drift Before It Lands.

The official GitHub Action that wraps bomly diff to review the dependency changes a pull request introduces — new advisories, license violations, denied packages, typosquats — and fail the check before they merge.

[Screenshot of the pull request checks panel: "Some checks were not successful — 1 failing, 1 successful checks". Failing: "Bomly Guard / guard (pull_request) — Failing after 1m" (Required). Successful: "Code scanning results / bomly — Successful in 1s — No new alerts in code changed by this pull request".]
Guard posts a required check to the PR and blocks the merge when policy fails — risky dependencies never reach main.

Quick start

Drop this into .github/workflows/bomly-guard.yml. On every pull request the action installs the CLI, diffs the dependency changes, and fails the job when a high-severity finding slips in.

name: Bomly Guard

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write     # post the summary comment (when opted in)
  security-events: write   # upload SARIF to the Security tab

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0   # full history so base and head refs resolve
      - uses: bomly-dev/bomly-guard@v1
        with:
          fail-on: high
          comment-summary-in-pr: on-failure

fetch-depth: 0 matters — the action compares the PR head against the merge base, so it needs enough history to resolve both refs. Pin to @v1 for patch and minor updates, or an exact release for fully reproducible builds.

What it reviews

Guard inspects only the dependency changes the pull request introduces:

New packages

Every dependency the PR adds.

New vulnerabilities

Advisories introduced by the change.

License violations

Allow / deny rules on incoming licenses.

Denied packages

Packages and namespaces you've blocked.

Typosquats

Suspicious names close to protected packages.

The report

Every run posts a job summary to the Actions tab. When a PR introduces a failing finding, Guard also annotates the check with the count and exits non-zero.

Bomly Diff Summary

Compared 559a762a… to b35e8065…

Overview

| Status                        | Manifests      | Dependencies   | Findings                                    | Duration |
|-------------------------------|----------------|----------------|---------------------------------------------|----------|
| Failing (findings introduced) | +0 / ~1 / -0   | +0 / ~1 / -0   | 1 introduced / 0 persisted / 0 resolved     | 45 sec   |

Dependency Changes

Summary: 0 added, 1 changed, 0 removed.

| Change  | Package  | Version         | Scope   | Licenses | PURL                     |
|---------|----------|-----------------|---------|----------|--------------------------|
| changed | minimist | 0.0.10 → 0.0.8  | runtime | MIT      | pkg:npm/minimist@0.0.8   |

Policy Findings

Summary: 1 introduced, 0 persisted, 1 resolved.

| Severity | ID                  | Title                           | Package         | Fixed In |
|----------|---------------------|---------------------------------|-----------------|----------|
| CRITICAL | GHSA-xvch-5gv4-984h | Prototype Pollution in minimist | minimist@0.0.8  | 0.2.4    |

Annotations · 1 error

guard — Process completed with exit code 2.

How it works

Guard is a thin composite wrapper around the CLI — all analysis comes from bomly diff, so the policy you enforce locally is the policy it enforces on PRs.

  1. Compares the PR head against its merge base, so review focuses only on what the PR changes — pre-existing findings are ignored.

  2. Runs bomly diff with the enrich, audit, and policy flags mapped from your action inputs.

  3. Writes a job summary and, when you opt in, posts (or updates) a single PR comment.

  4. Uploads SARIF to the Security tab when audit is on, and fails the job when policy fails the review.
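To make the merge-base comparison concrete, here is an added illustrative model of how findings are split into introduced / persisted / resolved and how fail-on decides the job outcome. It is not Bomly's code; the finding records, the severity ordering and the constructed sample advisories are assumptions (the minimist advisory and the exit code 2 are taken from the report above).

```python
# Illustrative model of a merge-base dependency review (added example, not Bomly's code).
# A finding is a dict with "id", "severity" and "package"; both are assumptions.

# Assumed severity ordering used to interpret the fail-on input.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def classify(base_findings, head_findings):
    """Split findings by advisory ID relative to the merge base (PR head vs. base)."""
    base = {f["id"]: f for f in base_findings}
    head = {f["id"]: f for f in head_findings}
    introduced = [head[i] for i in head if i not in base]   # new in the PR
    persisted = [head[i] for i in head if i in base]        # pre-existing, unchanged
    resolved = [base[i] for i in base if i not in head]     # fixed by the PR
    return introduced, persisted, resolved


def review(base_findings, head_findings, fail_on="high"):
    """Return (exit_code, summary). Only *introduced* findings at or above fail_on block.

    Persisted findings are reported but never fail the job, so a PR is not
    punished for advisories that were already on main before it.
    """
    introduced, persisted, resolved = classify(base_findings, head_findings)
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in introduced if SEVERITY_RANK[f["severity"]] >= threshold]
    summary = {
        "introduced": len(introduced),
        "persisted": len(persisted),
        "resolved": len(resolved),
    }
    # Exit code 2 mirrors the "Process completed with exit code 2" annotation above.
    return (2 if blocking else 0), summary


# Constructed sample data (advisory IDs other than the minimist one are placeholders).
BASE = [
    {"id": "EXAMPLE-PERSISTED-1", "severity": "moderate", "package": "pkg-a@1.0.0"},
    {"id": "EXAMPLE-PERSISTED-2", "severity": "critical", "package": "pkg-b@2.3.0"},
]
# The PR downgrades minimist to 0.0.8, pulling in the advisory shown in the report.
HEAD = BASE + [
    {"id": "GHSA-xvch-5gv4-984h", "severity": "critical", "package": "minimist@0.0.8"},
]

if __name__ == "__main__":
    print(review(BASE, HEAD, fail_on="high"))   # introduced critical finding -> exit 2
    print(review(BASE, BASE, fail_on="low"))    # only pre-existing findings -> exit 0
```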

Gate your next pull request.

Add the action, set a policy, and let Bomly review every dependency change before it merges. No server, no signup.