Dependency Diff Action

Codecov for dependencies — Visualize dependency changes on every pull request with before/after tower diffs, vulnerability scanning, and health grading.

On every PR that touches a dependency file:

Detects which manifests changed (auto-detection or explicit path)
Renders before and after dependency towers via the API
Computes a structured diff: added, removed, updated packages
Scans for new vulnerabilities, license issues, and brittle deps
Posts a rich PR comment with health comparison and tower images
Optionally fails the check to gate merges on dependency quality

Requires Pro plan

The GitHub Action uses the Stacktower API and requires an API key, which is available on the Pro plan ($9/month). Each render and diff consumes API credits from your plan quota.

Setup

1. Sign up and upgrade to Pro

Create an account at app.stacktower.io and upgrade to Pro to unlock API access.

2. Create an API key

Go to Settings → API Keys and create a key with visualizations:write and visualizations:read scopes. If you plan to use investigate: true, also add investigations:write and investigations:read.

3. Add the secret to your repository

In your GitHub repo, go to Settings → Secrets and variables → Actions and add a new repository secret:

STACKTOWER_API_KEY

4. Add the workflow file

Create .github/workflows/dependency-diff.yml in your repository:

```yaml
# .github/workflows/dependency-diff.yml
name: Dependency Diff
on:
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - 'yarn.lock'
      - 'pnpm-lock.yaml'
      - 'poetry.lock'
      - 'pyproject.toml'
      - 'uv.lock'
      - 'requirements.txt'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - 'go.mod'
      - 'Gemfile'
      - 'Gemfile.lock'
      - 'composer.json'
      - 'composer.lock'
      - 'pom.xml'
      - 'build.gradle'
      - 'build.gradle.kts'

jobs:
  tower-diff:
    runs-on: ubuntu-latest
    permissions:
      # Listing any scope sets every unlisted scope to none, so contents: read
      # is needed for actions/checkout to fetch the repository.
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: stacktower-io/stacktower-action@v1
        with:
          api-key: ${{ secrets.STACKTOWER_API_KEY }}
```

What you get on every PR

The action posts a rich comment on your pull request that automatically updates on subsequent pushes (no duplicate comments).

PR Comment Preview

Summary bar: added, removed, updated, and unchanged counts

Health comparison: before/after stats (deps, depth, vulns, licenses)

Package changes: detailed lists with version info

New vulnerabilities: highlighted with severity badges

Tower images: side-by-side before/after, linking to the interactive viewer

Investigation report: health grade A-F with prioritized recommendations (optional)

Multi-language PR example

If a PR updates both frontend/package-lock.json and backend/go.mod, the action posts two Stacktower comments (one per manifest path). Each comment is updated independently on subsequent pushes.

Inputs

api-key (required)
    Stacktower Cloud API key (from Settings > API Keys)

manifest
    Path to manifest file (auto-detected from PR changes if omitted)

fail-on-vuln (default: false)
    Fail the check if new vulnerabilities are introduced

fail-on-license (default: false)
    Fail the check if copyleft, proprietary, or unknown licenses are detected

fail-on-brittle (default: false)
    Fail the check if brittle (archived/abandoned/undermaintained) dependencies are detected

security-scan (default: true)
    Run vulnerability scan on dependencies

investigate (default: false)
    Run Triage AI agent for health grade and recommendations

comment (default: true)
    Post a PR comment with the diff

token (default: ${{ github.token }})
    GitHub token for PR comments and investigation repo access

api-base-url (default: https://api.stacktower.io/v1)
    Stacktower API base URL override (useful for testing/self-hosted API)

app-base-url (default: https://app.stacktower.io)
    Stacktower app base URL override (used for links in PR comments)

Outputs

has-changes: whether dependency changes were detected
diff-json: JSON diff result
new-vulns: number of new vulnerabilities introduced
before-render-id: render ID for the before tower
after-render-id: render ID for the after tower
before-url: URL to the before tower on app.stacktower.io
after-url: URL to the after tower on app.stacktower.io
license-issues: number of license issues in the after render
brittle-deps: number of brittle dependencies in the after render
health-grade: dependency health grade (A-F) from Triage AI
investigation-json: full Triage AI investigation report as JSON

Supported Languages

When both a lockfile and manifest change for the same language, the lockfile is preferred (it has fully resolved versions).

JavaScript: package.json, package-lock.json
Python: pyproject.toml, poetry.lock, uv.lock, requirements.txt
Rust: Cargo.toml, Cargo.lock
Go: go.mod
Ruby: Gemfile, Gemfile.lock
PHP: composer.json, composer.lock
Java: pom.xml, build.gradle, build.gradle.kts

Workflow Examples

Fail on new vulnerabilities

Block merges when new vulnerabilities are introduced. Integrates with GitHub branch protection rules.

```yaml
- uses: stacktower-io/stacktower-action@v1
  with:
    api-key: ${{ secrets.STACKTOWER_API_KEY }}
    fail-on-vuln: true
```

Full dependency quality gate

Gate on vulnerabilities, license compliance, and dependency health all at once.

```yaml
- uses: stacktower-io/stacktower-action@v1
  with:
    api-key: ${{ secrets.STACKTOWER_API_KEY }}
    fail-on-vuln: true
    fail-on-license: true
    fail-on-brittle: true
```

Triage AI Investigation

Run the Triage agent on the after-PR dependency tree for a health grade (A-F) and prioritized recommendations.

```yaml
- uses: stacktower-io/stacktower-action@v1
  id: deps
  with:
    api-key: ${{ secrets.STACKTOWER_API_KEY }}
    investigate: true
    fail-on-vuln: true

- run: echo "Health grade: ${{ steps.deps.outputs.health-grade }}"
```

Investigation incurs additional API cost because the agent clones and analyzes the repository. The token input must have read access to the repo.
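The following is an added example, not a workflow from the Stacktower docs, showing how later steps can consume the outputs listed under Outputs: it writes a job summary and adds a custom gate on the Triage grade on top of the built-in fail-on-vuln gate. It assumes only the inputs and outputs documented on this page; the grade threshold (fail on D or F) and the summary layout are this example's own choices.

```yaml
# Added example, not from the Stacktower docs: consume the action's outputs in
# later steps. Assumes only the inputs and outputs documented on this page; the
# grade threshold (fail on D or F) and the summary layout are this example's own.
name: Dependency Diff (custom gate)
on:
  pull_request:
    paths: ['package-lock.json', 'go.mod']
jobs:
  tower-diff:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout and the investigation clone (read only)
      pull-requests: write  # PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: stacktower-io/stacktower-action@v1
        id: deps
        with:
          api-key: ${{ secrets.STACKTOWER_API_KEY }}
          investigate: true
          fail-on-vuln: true
      # Outputs are passed through env, never interpolated into the script
      # body, so untrusted text cannot become shell syntax (script injection).
      - name: Summarize
        if: steps.deps.outputs.has-changes == 'true'
        env:
          GRADE: ${{ steps.deps.outputs.health-grade }}
          LICENSE_ISSUES: ${{ steps.deps.outputs.license-issues }}
          BRITTLE: ${{ steps.deps.outputs.brittle-deps }}
          BEFORE_URL: ${{ steps.deps.outputs.before-url }}
          AFTER_URL: ${{ steps.deps.outputs.after-url }}
        run: |
          {
            echo "## Dependency diff"
            echo "- Health grade: $GRADE"
            echo "- License issues: $LICENSE_ISSUES, brittle deps: $BRITTLE"
            echo "- Before: $BEFORE_URL / After: $AFTER_URL"
          } >> "$GITHUB_STEP_SUMMARY"
      # Custom gate on the Triage grade (fail-on-vuln above already gates CVEs)
      - name: Gate on health grade
        if: steps.deps.outputs.has-changes == 'true'
        env:
          GRADE: ${{ steps.deps.outputs.health-grade }}
        run: |
          case "$GRADE" in
            D|F) echo "::error::dependency health grade $GRADE is below the bar"; exit 1 ;;
            A|B|C) echo "health grade $GRADE ok" ;;
            *) echo "::warning::no health grade returned" ;;
          esac
```

Because the gate step runs after the action, a failed built-in check (new vulnerabilities) stops the job before the grade is evaluated; the grade gate only decides PRs that passed the vulnerability check.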

API Credit Usage

Each action run uses API credits from your Pro plan. Here's what each run consumes:

2 renders: before and after tower visualizations
1 diff: comparing the two renders for changes
1 investigation: only if investigate: true (uses 1 Triage AI analysis)

Pro plan includes 200 renders and 20 Triage AI analyses per month. A typical team with 20 dependency PRs/month would use about 40 renders, well within limits.
