Dependency policies,
enforced in CI
A GitHub Action that gates your CI pipeline with powerful dependency queries. Check for malware, enforce license compliance, track outdated packages, and more—all with CSS-like selectors.
.github/workflows/deps.yml
name: Dependency Audit on: [push, pull_request] jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: vltpkg/setup-vlt@v1 - run: vlt install - uses: vltpkg/policies@v1 with: queries: | :malware --expect-results=0 *:license(copyleft) --expect-results=0 :outdated --view=json
One action, many policies
Express security, licensing,
and quality as simple queries.
- Block Malware
- Fail the build if any dependency is flagged as malware.
- Enforce Licenses
- Ensure no copyleft-licensed packages enter your project.
- Catch Vulnerabilities
- Block packages with known security vulnerabilities.
- Track Outdated
- Surface outdated dependencies in every pull request.
- Limit Dependencies
- Cap direct dependency count to keep your project lean.
- Audit Workspaces
- Monitor workspace package structure across your monorepo.
$vltquery:malware--expect-results=0
$vltquery*:license(copyleft)--expect-results=0
$vltquery:vulnerable--expect-results=0
$vltquery:outdated--view=json
$vltquery:root > *--expect-results=<=25
$vltquery:workspace--view=count
Built for real workflows
Not a scanner—a flexible policy engine that fits how your team ships.
- Security Gates
- Block malware, vulnerable, and deprecated packages before they reach your main branch. Fail CI when threats are detected.
- License Compliance
- Enforce license policies automatically. Block copyleft, AGPL, or any license category that conflicts with your requirements.
- Dependency Health
- Track outdated packages, enforce dependency limits, and monitor the overall health of your dependency tree in every PR.
- CSS-Like Selectors
- Query your dependency graph with powerful, familiar CSS-inspired syntax. Filter by name, version, license, scripts, and more.
- Multi-Query Support
- Run multiple checks in a single action — security, licensing, and quality gates all at once with independent pass/fail criteria.
- GitHub Native
- Beautiful summary tables in your PR checks, detailed output in job summaries, and structured JSON outputs for downstream automation.
How it works
From a single workflow step to a fully gated pipeline.
- 1
Add the Action
Drop vltpkg/policies into any GitHub Actions workflow. Works alongside your existing CI pipeline.
- 2
Define Your Policies
Write queries using CSS-like selectors to express your security, licensing, and quality requirements.
- 3
Gate Every PR
Every pull request is automatically checked. Violations fail the build with clear, actionable output.
- 4
Ship With Confidence
Merge knowing that your dependency policies are enforced — no manual review of transitive dependencies required.
Clear results in every PR
Failed checks tell you exactly what went wrong. Passing checks let you merge.
Dependency Audit
✓:malware— 0 results (expected 0)
✓:vulnerable— 0 results (expected 0)
✓*:license(copyleft)— 0 results (expected 0)
✓:deprecated— 0 results (expected 0)
✗:root > *— 28 results (expected <=25)
Failed:1 of 5 queries did not meet expectations
$