diff --git a/.github/workflows/owasp-scanner.yml b/.github/workflows/owasp-scanner.yml
new file mode 100644
index 00000000..89b8ccc1
--- /dev/null
+++ b/.github/workflows/owasp-scanner.yml
@@ -0,0 +1,98 @@
+name: OWASP Scanner
+
+on:
+ workflow_call:
+ inputs:
+ repository:
+ description: 'Repository to scan'
+ required: false
+ type: string
+ default: 'liquibase'
+ branch:
+ description: 'Branch to scan'
+ required: true
+ type: string
+ workflow_dispatch:
+ inputs:
+ repository:
+ description: 'Repository to scan'
+ required: false
+ type: string
+ default: 'liquibase'
+ branch:
+ description: 'Branch to scan'
+ required: true
+ type: string
+
+
+jobs:
+ scan:
+ runs-on: ubuntu-22.04
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ inputs.repository }}
+ ref: ${{ inputs.branch }}
+
+ - name: Set up Java for publishing to GitHub Repository
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: 'maven'
+
+ - name: maven-settings-xml-action
+ uses: whelk-io/maven-settings-xml-action@v22
+ with:
+ repositories: |
+ [
+ {
+ "id": "liquibase",
+ "url": "https://maven.pkg.github.com/liquibase/liquibase",
+ "releases": {
+ "enabled": "false"
+ },
+ "snapshots": {
+ "enabled": "true",
+ "updatePolicy": "always"
+ }
+ },
+ {
+ "id": "liquibase-pro",
+ "url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
+ "releases": {
+ "enabled": "false"
+ },
+ "snapshots": {
+ "enabled": "true",
+ "updatePolicy": "always"
+ }
+ }
+ ]
+ servers: |
+ [
+ {
+ "id": "liquibase-pro",
+ "username": "liquibot",
+ "password": "${{ secrets.LIQUIBOT_PAT }}"
+ },
+ {
+ "id": "liquibase",
+ "username": "liquibot",
+ "password": "${{ secrets.LIQUIBOT_PAT }}"
+ }
+ ]
+
+ - name: Run the scanner
+ id: run_owasp
+ run: mvn org.owasp:dependency-check-maven:aggregate -DnvdApiKey=${{ secrets.NVD_API_KEY }} -DfailOnError=true
+
+ - name: Upload OWASP Dependency-Check results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: owasp-dependency-check
+ path: ./target/dependency-check-report.html
+
\ No newline at end of file
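Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository default (possibly write) although the job only needs to read the checkout; add `permissions: contents: read` at the top level. The scanner step also interpolates the NVD key straight into the shell command via `${{ secrets.NVD_API_KEY }}`; passing it through `env:` and expanding `"$NVD_API_KEY"` keeps the secret out of the rendered script, and because only `-DfailOnError=true` is set the scan reports findings without ever failing the job, so a `-DfailBuildOnCVSS=` threshold is worth adding if the scan is meant to gate anything. `whelk-io/maven-settings-xml-action@v22` writes `LIQUIBOT_PAT` into settings.xml from a mutable tag; pin it to a full commit SHA so a moved tag cannot alter what handles that credential. Since `repository` is a caller-supplied `workflow_call` input, any caller can point this PAT-bearing Maven run at a repository of its choosing, which should be restricted or at least documented in the input description. Note too that `actions/checkout` expects `owner/repo` for its `repository` input, so the default `'liquibase'` presumably fails unless callers always override it — worth confirming against a dispatch run.
```yaml
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-22.04
    steps:
      # … unchanged: checkout, setup-java, maven-settings-xml-action …
      - name: Run the scanner
        id: run_owasp
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: mvn org.owasp:dependency-check-maven:aggregate -DnvdApiKey="$NVD_API_KEY" -DfailOnError=true -DfailBuildOnCVSS=7
      # … unchanged: upload-artifact …
```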