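---
# Dependency vulnerability scan for pull requests.
# Runs actions/dependency-review-action against the PR diff and fails the job
# when a newly introduced dependency carries an advisory at or above the
# configured severity; the follow-up steps surface the result in the job log.
name: Vulnerability Scan

on:
  pull_request:
    # `opened` alone scans only the first revision of a PR; scanning every
    # push to the branch ensures a dependency added later is still caught.
    types: [opened, synchronize, reopened]
  # NOTE(review): on a manual run there is no pull-request context, so the
  # review action may need its `base-ref` / `head-ref` inputs set — confirm.
  workflow_dispatch: # Allow manual trigger

# Declaring any permission resets every unlisted scope to `none`, so
# `contents: read` must be granted explicitly for checkout and for the
# dependency-review API call.
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Github Code Checkout Action
      # NOTE(review): consider pinning both actions to a full commit SHA
      # rather than a mutable tag to harden the workflow's supply chain.
      - name: Git Checkout
        uses: actions/checkout@v4

      - name: Dependency Review
        # `id` is required: the later steps read `steps.review.*`, which
        # resolves to nothing unless this step is named `review`.
        id: review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          license-check: false
          comment-summary-in-pr: always

      - name: Report
        # Echo the review's summary into the job log when the review failed.
        if: ${{ failure() && steps.review.outputs.comment-content }}
        shell: bash
        env:
          COMMENT: ${{ steps.review.outputs.comment-content }}
        run: |
          echo "$COMMENT"

      - name: List Vulnerable Dependencies
        if: ${{ failure() && steps.review.conclusion == 'failure' }}
        shell: bash
        env:
          VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
        run: |
          # Skip jq on an empty output so this step does not itself error out.
          if [ -n "$VULNERABLE_CHANGES" ]; then
            echo "$VULNERABLE_CHANGES" | jq '.[].package_url'
          fi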