dependency check testing #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependency Security Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - master | |
| - develop | |
| jobs: | |
| dependency-check: | |
| name: OWASP Dependency Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| ## 🔹 Java 8 (Spring Boot) Dependency Check | |
| - name: Set up JDK 8 | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '8' | |
| - name: Run OWASP Dependency Check for Java (Spring Boot) | |
| uses: dependency-check/Dependency-Check_Action@main | |
| with: | |
| project: "VulnerableApp Java Dependencies" | |
| path: "./" | |
| format: "HTML" | |
| output: "dependency-check-report" | |
| failOnCVSS: 7 # Fail build if vulnerabilities CVSS >= 7 | |
| - name: Upload Java Dependency Check Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Java-Dependency-Check-Report | |
| path: dependency-check-report | |
| ## 🔹 ReactJS / JavaScript / TypeScript Dependency Check | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| - name: Install Dependencies | |
| run: npm install | |
| - name: Run NPM Audit (Detect Vulnerabilities) | |
| run: npm audit --audit-level=high || true # Ensures it doesn't fail the pipeline | |
| - name: Save NPM Audit Report | |
| run: npm audit --json > npm-audit-report.json | |
| - name: Upload NPM Audit Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: NPM-Audit-Report | |
| path: npm-audit-report.json |