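// Implementation example
// Audit and CI gating: the audit module works with severity levels and
// exception expiry; blocked items fail the gate outright. Exceptions require
// approval and expiry management.

/** Severity levels reported by the audit source. */
type Severity = 'low' | 'moderate' | 'high' | 'critical';

/** One audit finding; `cve` is optional but, when present, must be well-formed. */
type Finding = { name: string; severity: Severity; cve?: string };

/** Gate policy: which severities block the build and which only warn. */
type Policy = { block: Set<'high' | 'critical'>; warn: Set<'moderate'> };

/** Gate outcome for a single finding. */
type Decision = 'block' | 'warn' | 'pass';

/** Earliest year a CVE identifier can carry (the CVE programme started in 1999). */
const CVE_MIN_YEAR = 1999;

/** Canonical `CVE-YYYY-NNNN…` shape: four-digit year, at least four sequence digits. */
const CVE_ID = /^CVE-(\d{4})-(\d{4,})$/;

/**
 * Checks that a CVE identifier, if one is given, has the canonical
 * `CVE-YYYY-NNNN…` shape with a plausible year (1999 .. current year).
 *
 * @param id - identifier from the finding; `undefined`/`null` means "none recorded".
 * @returns `true` when `id` is absent or well-formed, `false` otherwise.
 *   An empty string counts as present-and-malformed, so it fails closed
 *   instead of being mistaken for "no CVE".
 */
function validCve(id?: string): boolean {
  if (id == null) return true;
  const m = CVE_ID.exec(id);
  if (m === null) return false;
  // Number() accepts a possibly-undefined capture (NaN fails both comparisons).
  const year = Number(m[1]);
  return year >= CVE_MIN_YEAR && year <= new Date().getFullYear();
}

/**
 * Decides what the gate does with one finding.
 *
 * An unexpired exception keyed by `name:severity` takes precedence over the
 * policy, so an approved exception can let even a critical finding pass —
 * which is why exceptions need approval and an expiry.
 *
 * @param f - the finding.
 * @param policy - severities that block and severities that warn.
 * @param exceptions - `name:severity` → expiry timestamp (same unit as `now`).
 * @param now - current time, compared directly with the expiry values.
 * @returns `'pass'` while an exception is recorded and unexpired
 *   (`expiry >= now`); otherwise the policy outcome, with severities in
 *   neither set passing.
 */
function decide(f: Finding, policy: Policy, exceptions: Map<string, number>, now: number): Decision {
  const key = `${f.name}:${f.severity}`;
  // A missing exception must not be treated as one that expired at time 0;
  // otherwise a zero/negative `now` would let every finding through.
  const until = exceptions.get(key);
  if (until !== undefined && until >= now) return 'pass';
  // The policy sets are typed narrower than Severity; compare through the
  // read-only string view rather than an `as any` cast.
  const blocks: ReadonlySet<string> = policy.block;
  const warns: ReadonlySet<string> = policy.warn;
  if (blocks.has(f.severity)) return 'block';
  if (warns.has(f.severity)) return 'warn';
  return 'pass';
}

/**
 * Partitions findings into blocked / warned / passed buckets.
 *
 * A finding whose `cve` is present but malformed is blocked regardless of
 * policy or exceptions: the gate must not pass data it cannot validate.
 *
 * @param list - findings to evaluate (not mutated).
 * @param policy - see {@link decide}.
 * @param exceptions - see {@link decide}.
 * @param now - see {@link decide}.
 * @returns the three buckets, each preserving input order; every input
 *   finding lands in exactly one of them.
 */
function evaluate(
  list: readonly Finding[],
  policy: Policy,
  exceptions: Map<string, number>,
  now: number,
): { blocked: Finding[]; warned: Finding[]; passed: Finding[] } {
  const blocked: Finding[] = [];
  const warned: Finding[] = [];
  const passed: Finding[] = [];
  for (const f of list) {
    // Validate before consulting policy/exceptions: invalid data is blocked unconditionally.
    if (!validCve(f.cve)) {
      blocked.push(f);
      continue;
    }
    switch (decide(f, policy, exceptions, now)) {
      case 'block':
        blocked.push(f);
        break;
      case 'warn':
        warned.push(f);
        break;
      case 'pass':
        passed.push(f);
        break;
    }
  }
  return { blocked, warned, passed };
}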
