ci: vulnerability scan tweaks #872
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Vulnerability Scan | |
on: | |
schedule: | |
- cron: "5 0 * * *" | |
push: | |
branches: | |
- master | |
pull_request: | |
types: [opened, synchronize, reopened] | |
jobs: | |
build: | |
environment: nvd | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 21 | |
- name: Install Clojure Tools | |
uses: DeLaGuardo/[email protected] | |
with: | |
cli: 'latest' | |
bb: 'latest' | |
- name: Generate Cache Key File | |
# go with bash instead of bb, we have not downloaded our deps yet | |
run: | | |
curl --fail -s \ | |
https://clojars.org/api/artifacts/nvd-clojure | \ | |
jq ".latest_release" | \ | |
tee nvd_check_helper_project/nvd-clojure-version.txt | |
- name: Restore NVD DB & Clojure Deps Cache | |
# nvd caches its db under ~/.m2/repository/org/owasp so that it can | |
# conveniently be cached with deps | |
uses: actions/cache/restore@v4 | |
with: | |
path: | | |
~/.m2/repository | |
~/.deps.clj | |
~/.gitlibs | |
# because we are using a RELEASE version of nvd-clojure | |
# we also include its version | |
key: | | |
nvd-${{ hashFiles( | |
'nvd_check_helper_project/nvd-clojure-version.txt', | |
'nvd_check_helper_project/deps.edn', | |
'nvd_check_helper_project/bb.edn', | |
'bb.edn') }} | |
restore-keys: | | |
nvd- | |
- name: Download Clojure deps | |
run: clojure -X:deps prep | |
working-directory: nvd_check_helper_project | |
- name: Run NVD Scanner | |
env: | |
NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }} | |
run: bb nvd-scan | |
- name: Save NVD DB & Clojure Deps Cache | |
if: always() # always cache regardless of outcome of nvd scan | |
uses: actions/cache/save@v4 | |
with: | |
path: | | |
~/.m2/repository | |
~/.deps.clj | |
~/.gitlibs | |
# we tack on github.run_id to uniquely identify the cache | |
# the next cache restore will find the best (and most current) match | |
key: | | |
nvd-${{ hashFiles( | |
'nvd_check_helper_project/nvd-clojure-version.txt', | |
'nvd_check_helper_project/deps.edn', | |
'nvd_check_helper_project/bb.edn', | |
'bb.edn') }}-${{ github.run_id }} |