---

title: Best practices for GitHub Dependency Review gating governance (severity levels, blocking, exceptions)

keywords:

  • Dependency Review
  • Severity level
  • Blocking
  • Exceptions
  • Audit

description: Set a gating policy based on the severity levels in the dependency review report, block high-risk changes, and support expiring exceptions with audit records.

categories:

  • Articles and news
  • Technical tutorials

---

Implementation example

type Severity = 'low' | 'moderate' | 'high' | 'critical'
type Finding = { name: string; severity: Severity; cve?: string }

// Severities that fail the gate (intended: high and critical) and severities
// that only raise a warning (intended: moderate).
type Policy = { block: Set<Severity>; warn: Set<Severity> }

// A CVE id, when present, must look like CVE-YYYY-NNNN+ with a plausible year;
// a malformed id is treated as untrustworthy report data and blocks the change.
function validCve(id?: string): boolean {
  if (!id) return true
  const m = /^CVE-(\d{4})-(\d{4,})$/.exec(id)
  if (!m) return false
  const y = parseInt(m[1], 10)
  return y >= 1999 && y <= new Date().getFullYear()
}

// exceptions maps "name:severity" to the exception's expiry (ms since epoch);
// an exception that has not expired lets the finding pass regardless of policy.
function decide(f: Finding, policy: Policy, exceptions: Map<string, number>, now: number): 'block' | 'warn' | 'pass' {
  const key = `${f.name}:${f.severity}`
  const until = exceptions.get(key) || 0
  if (until >= now) return 'pass'
  if (policy.block.has(f.severity)) return 'block'
  if (policy.warn.has(f.severity)) return 'warn'
  return 'pass'
}

// Sort every finding into blocked, warned or passed buckets.
function evaluate(list: Finding[], policy: Policy, exceptions: Map<string, number>, now: number): { blocked: Finding[]; warned: Finding[]; passed: Finding[] } {
  const blocked: Finding[] = []
  const warned: Finding[] = []
  const passed: Finding[] = []
  for (const f of list) {
    // A malformed CVE id blocks even when an exception would otherwise apply.
    if (!validCve(f.cve)) { blocked.push(f); continue }
    const d = decide(f, policy, exceptions, now)
    if (d === 'block') blocked.push(f)
    else if (d === 'warn') warned.push(f)
    else passed.push(f)
  }
  return { blocked, warned, passed }
}

Audit and CI gating

  • The audit record captures each finding's severity level and any exception's expiry; a blocked finding fails the check outright.
  • Exceptions require an approver and an expiry date, and expired exceptions must stop applying automatically.
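The two bullets above, together with the implementation example, describe a gate that needs three things the page's snippet leaves out: an exception registry whose entries carry an approver, a reason and an expiry; an audit trail that explains every decision, including why an exception was ignored; and a CI exit code. The following is an added example written for this article, not code from the original post or from GitHub's Dependency Review action. All names in it (ExceptionRecord, AuditEntry, activeExceptions, gate, formatAudit) and the sample findings and exception records are assumptions constructed for the illustration.

```typescript
// Added example (not from the original post): an exception registry with
// approver, reason and expiry, an audit trail, and a CI exit code. All names
// here (ExceptionRecord, AuditEntry, gate, ...) are assumptions for this
// illustration, not GitHub's or any project's API.
type Severity = 'low' | 'moderate' | 'high' | 'critical'
type Finding = { name: string; severity: Severity; cve?: string }

// An exception may only suppress a finding if it carries who approved it,
// why, and when it stops applying.
type ExceptionRecord = {
  name: string
  severity: Severity
  approvedBy: string
  reason: string
  expires: string // ISO-8601 timestamp
}

type Outcome = 'block' | 'warn' | 'pass' | 'exception-rejected' | 'exception-expired'
type AuditEntry = { subject: string; outcome: Outcome; detail: string }

const BLOCK: ReadonlySet<Severity> = new Set<Severity>(['high', 'critical'])
const WARN: ReadonlySet<Severity> = new Set<Severity>(['moderate'])

// Keep only exceptions that are well-formed and still in force. Rejected and
// expired entries go to the audit trail so the CI log shows why they were ignored.
function activeExceptions(records: ExceptionRecord[], now: number, audit: AuditEntry[]): Map<string, ExceptionRecord> {
  const active = new Map<string, ExceptionRecord>()
  for (const r of records) {
    const subject = `${r.name}:${r.severity}`
    const until = Date.parse(r.expires)
    if (!r.approvedBy || !r.reason || Number.isNaN(until)) {
      audit.push({ subject, outcome: 'exception-rejected', detail: 'missing approver, reason or parseable expiry' })
      continue
    }
    if (until < now) {
      audit.push({ subject, outcome: 'exception-expired', detail: `expired ${r.expires}, approved by ${r.approvedBy}` })
      continue
    }
    active.set(subject, r)
  }
  return active
}

// Evaluate every finding against the policy and the active exceptions.
// exitCode 1 means at least one finding is blocked, which fails the CI job.
function gate(findings: Finding[], records: ExceptionRecord[], now: number): { exitCode: number; audit: AuditEntry[] } {
  const audit: AuditEntry[] = []
  const active = activeExceptions(records, now, audit)
  let blocked = 0
  for (const f of findings) {
    const subject = `${f.name}:${f.severity}`
    const id = f.cve ?? 'no advisory id'
    const ex = active.get(subject)
    if (ex) {
      audit.push({ subject, outcome: 'pass', detail: `exception by ${ex.approvedBy} until ${ex.expires}: ${ex.reason}` })
    } else if (BLOCK.has(f.severity)) {
      blocked++
      audit.push({ subject, outcome: 'block', detail: `${id}: severity ${f.severity} is in the block set` })
    } else if (WARN.has(f.severity)) {
      audit.push({ subject, outcome: 'warn', detail: `${id}: severity ${f.severity} is in the warn set` })
    } else {
      audit.push({ subject, outcome: 'pass', detail: `${id}: below the warn threshold` })
    }
  }
  return { exitCode: blocked > 0 ? 1 : 0, audit }
}

// Render the audit trail as one line per entry for the CI log.
function formatAudit(audit: AuditEntry[]): string[] {
  return audit.map(a => `[${a.outcome}] ${a.subject} - ${a.detail}`)
}

// Constructed sample input: a fixed clock, five findings and three exception
// records (one valid, one expired, one missing its approver).
const NOW = Date.parse('2024-06-01T00:00:00Z')
const SAMPLE_FINDINGS: Finding[] = [
  { name: 'pkg-a', severity: 'critical' },
  { name: 'pkg-b', severity: 'high' },
  { name: 'pkg-c', severity: 'high' },
  { name: 'pkg-d', severity: 'moderate' },
  { name: 'pkg-e', severity: 'low' },
]
const SAMPLE_EXCEPTIONS: ExceptionRecord[] = [
  { name: 'pkg-b', severity: 'high', approvedBy: 'security-lead', reason: 'fix scheduled in next release', expires: '2024-07-01T00:00:00Z' },
  { name: 'pkg-c', severity: 'high', approvedBy: 'security-lead', reason: 'vendor patch pending', expires: '2024-01-01T00:00:00Z' },
  { name: 'pkg-f', severity: 'high', approvedBy: '', reason: 'unreviewed', expires: '2025-01-01T00:00:00Z' },
]

const result = gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, NOW)
console.log(formatAudit(result.audit).join('\n'))
console.log(`exit code: ${result.exitCode}`)
```

With the sample data the run blocks pkg-a (critical, no exception) and pkg-c (its exception expired in January), passes pkg-b under its approved exception, warns on pkg-d, and records that the pkg-f entry was rejected for lacking an approver, so the job exits with code 1. Taking `now` as a parameter rather than reading the clock inside the gate keeps the decision reproducible when an audit record is re-examined later; a CI step would pass the current time, write the formatted audit lines to the job log, and exit with `exitCode`.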
