Vulnerability Scan #1221
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Vulnerability Scan | |
| on: | |
| schedule: | |
| - cron: "5 0 * * *" | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| build: | |
| environment: nvd | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Setup Java | |
| uses: actions/setup-java@v5 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| - name: Install Clojure Tools | |
| uses: DeLaGuardo/[email protected] | |
| with: | |
| cli: 'latest' | |
| bb: 'latest' | |
| - name: Generate Cache Key File | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: ./ci-versions.sh | |
| working-directory: nvd-scan | |
| - name: Restore NVD DB & Clojure Deps Cache | |
| # nvd caches its db under ~/.m2/repository/org/owasp so that it can | |
| # conveniently be cached with deps | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ~/.m2/repository | |
| ~/.deps.clj | |
| ~/.gitlibs | |
| # because we are using a RELEASE version of nvd-clojure | |
| # we also include its version | |
| key: | | |
| nvd-${{ hashFiles( | |
| 'nvd-scan/target/ci-versions.txt', | |
| 'nvd-scan/*', | |
| '!nvd-scan/.*') }} | |
| restore-keys: | | |
| nvd- | |
| - name: Run NVD Scanner | |
| env: | |
| CLJ_WATSON_NVD_API_KEY: ${{ secrets.CLJ_WATSON_NVD_API_KEY }} | |
| CLJ_WATSON_ANALYZER_OSSINDEX_USER: ${{ secrets.CLJ_WATSON_ANALYZER_OSSINDEX_USER }} | |
| CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD: ${{ secrets.CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD }} | |
| run: bb nvd-scan | |
| - name: Save NVD DB & Clojure Deps Cache | |
| if: always() # always cache regardless of outcome of nvd scan | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: | | |
| ~/.m2/repository | |
| ~/.deps.clj | |
| ~/.gitlibs | |
| # we tack on github.run_id to uniquely identify the cache | |
| # the next cache restore will find the best (and most current) match | |
| key: | | |
| nvd-${{ hashFiles( | |
| 'nvd-scan/target/ci-versions.txt', | |
| 'nvd-scan/*', | |
| '!nvd-scan/.*')}}-${{ github.run_id }} |