Merge pull request #460 from NHSDigital/feature/eja-eli-434-adding-owasp-dependency-scan

eddalmond1 · web-flow · commit 8566dc88e53e · 2025-11-07T16:17:31.000Z
Feature/eja eli 434 adding owasp dependency scan
diff --git a/.github/actions/owasp-dependency-scan/action.yaml b/.github/actions/owasp-dependency-scan/action.yaml
@@ -0,0 +1,20 @@
+name: "OWASP Dependency Scan"
+description: "Scan dependencies for known vulnerabilities using OWASP Dependency-Check"
+runs:
+  using: "composite"
+  steps:
+    - name: "Run OWASP Dependency-Check"
+      uses: dependency-check/Dependency-Check_Action@main
+      id: Depcheck
+      with:
+        project: "eligibility-signposting-api"
+        path: "."
+        format: "SARIF"
+        out: "reports"
+        args: >
+          --failOnCVSS 7
+          --enableRetired
+    - name: "Upload OWASP results to GitHub Security tab"
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: reports/dependency-check-report.sarif
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -89,6 +89,9 @@ jobs:
   checkov-terraform:
     name: "Checkov Terraform"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 3
     steps:
       - name: "Checkout code"
@@ -100,11 +103,10 @@ jobs:
           soft_fail: false
           output_format: sarif
           output_file_path: checkov-report.sarif
-      - name: Upload Checkov results to GitHub Security tab
-        uses: actions/upload-artifact@v5
+      - name: "Upload Checkov results to GitHub Security tab"
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          name: checkov_results
-          path: checkov-report.sarif
+          sarif_file: checkov-report.sarif
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest
@@ -143,3 +145,15 @@ jobs:
           idp_aws_report_upload_region: "${{ secrets.IDP_AWS_REPORT_UPLOAD_REGION }}"
           idp_aws_report_upload_role_name: "${{ secrets.IDP_AWS_REPORT_UPLOAD_ROLE_NAME }}"
           idp_aws_report_upload_bucket_endpoint: "${{ secrets.IDP_AWS_REPORT_UPLOAD_BUCKET_ENDPOINT }}"
+  owasp-dependency-scan:
+    name: "OWASP Dependency Scan"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+      - name: "Run OWASP Dependency Scan"
+        uses: ./.github/actions/owasp-dependency-scan
