GitHub Action

Dependency policies, enforced in CI.

A GitHub Action that gates your CI pipeline with powerful dependency queries. Check for malware, enforce license compliance, track outdated packages, and more — all with CSS-like selectors.

Set up in minutes

Add a workflow file to your repository and every pull request will be automatically audited against your dependency policies.

.github/workflows/deps.yml
name: Dependency Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: vltpkg/setup-vlt@v1
      - run: vlt install
      - name: Enforce policies
        uses: vltpkg/policies@v1
        with:
          queries: |
            :malware --expect-results=0
            *:license(copyleft) --expect-results=0
            :outdated --view=json

One action, many policies

Express security, licensing, and quality requirements as simple queries. Each query becomes a gate in your CI pipeline.

Block Malware

Fail the build if any dependency is flagged as malware.

:malware --expect-results=0

Enforce Licenses

Ensure no copyleft-licensed packages enter your project.

*:license(copyleft) --expect-results=0

Catch Vulnerabilities

Block packages with known security vulnerabilities.

:vulnerable --expect-results=0

Track Outdated

Surface outdated dependencies in every pull request.

:outdated --view=json

Limit Dependencies

Cap direct dependency count to keep your project lean.

:root > * --expect-results=<=25

Audit Workspaces

Monitor workspace package structure across your monorepo.

:workspace --view=count

Built for real workflows

Not just a scanner — a flexible policy engine that fits into the way your team already ships code.

Security Gates

Block malware, vulnerable, and deprecated packages before they reach your main branch. Fail CI when threats are detected.

License Compliance

Enforce license policies automatically. Block copyleft, AGPL, or any license category that conflicts with your requirements.

Dependency Health

Track outdated packages, enforce dependency limits, and monitor the overall health of your dependency tree in every PR.

CSS-Like Selectors

Query your dependency graph with powerful, familiar CSS-inspired syntax. Filter by name, version, license, scripts, and more.

Multi-Query Support

Run multiple checks in a single action — security, licensing, and quality gates all at once with independent pass/fail criteria.

GitHub Native

Beautiful summary tables in your PR checks, detailed output in job summaries, and structured JSON outputs for downstream automation.

How it works

  1. Add the Action

    Drop vltpkg/policies into any GitHub Actions workflow. Works alongside your existing CI pipeline.

  2. Define Your Policies

    Write queries using CSS-like selectors to express your security, licensing, and quality requirements.

  3. Gate Every PR

    Every pull request is automatically checked. Violations fail the build with clear, actionable output.

  4. Ship With Confidence

    Merge knowing that your dependency policies are enforced — no manual review of transitive dependencies required.

Clear results in every PR

Failed checks tell you exactly what went wrong. Passing checks give you confidence to merge.

✓ :malware — 0 results (expected 0)

✓ :vulnerable — 0 results (expected 0)

✓ *:license(copyleft) — 0 results (expected 0)

✓ :deprecated — 0 results (expected 0)

✗ :root > * — 28 results (expected <=25)

Failed: 1 of 5 queries did not meet expectations
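
The pass/fail decision behind a summary like the one above can be modelled in a few lines. This is an added sketch, not the action's own code: the function names, the set of comparison operators, the passing-summary wording, and the fail-closed handling of a malformed expectation are assumptions, and the input is constructed from the counts shown above.

```javascript
// Added illustration: models how an --expect-results value gates a query.
// Not vltpkg/policies source; operators and fail-closed rule are assumptions.

// Parse "0", "<=25", ">3" into { op, n }; returns null when malformed.
function parseExpectation(raw) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+)$/.exec(String(raw).trim());
  return m ? { op: m[1] || '=', n: Number(m[2]) } : null;
}

const COMPARE = {
  '=': (c, n) => c === n,
  '<': (c, n) => c < n,
  '<=': (c, n) => c <= n,
  '>': (c, n) => c > n,
  '>=': (c, n) => c >= n,
};

// Evaluate one query. A malformed expectation or an invalid count fails
// the gate instead of silently passing (fail closed).
function checkQuery({ query, count, expect }) {
  const exp = parseExpectation(expect);
  const valid = exp !== null && Number.isInteger(count) && count >= 0;
  return { query, count, expect, ok: valid && COMPARE[exp.op](count, exp.n) };
}

// Evaluate every query independently, then build the summary.
function runGate(results) {
  const checks = results.map(checkQuery);
  const failed = checks.filter((c) => !c.ok);
  const lines = checks.map((c) =>
    `${c.ok ? '✓' : '✗'} ${c.query}: ${c.count} results (expected ${c.expect})`);
  const summary = failed.length
    ? `Failed: ${failed.length} of ${checks.length} queries did not meet expectations`
    : `All ${checks.length} queries met expectations`;
  return { ok: failed.length === 0, lines, summary, failed };
}

// Constructed input mirroring the counts shown on this page.
const SAMPLE = [
  { query: ':malware', count: 0, expect: '0' },
  { query: ':vulnerable', count: 0, expect: '0' },
  { query: '*:license(copyleft)', count: 0, expect: '0' },
  { query: ':deprecated', count: 0, expect: '0' },
  { query: ':root > *', count: 28, expect: '<=25' },
];

const report = runGate(SAMPLE);
console.log([...report.lines, report.summary].join('\n'));
```

Because each query is evaluated on its own, a single failing expectation is enough to fail the whole gate, and a typo in an expectation string blocks the merge rather than letting it through.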

Start enforcing dependency policies today

Add Policies to your GitHub Actions workflow and gate every PR against your security, licensing, and quality requirements.

© 2026 vlt technology inc, All rights reserved.
