Skip to content

ci: vulnerability scan tweaks #872

ci: vulnerability scan tweaks

ci: vulnerability scan tweaks #872

Workflow file for this run

name: Vulnerability Scan
on:
schedule:
- cron: "5 0 * * *"
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
build:
environment: nvd
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
- name: Install Clojure Tools
uses: DeLaGuardo/[email protected]
with:
cli: 'latest'
bb: 'latest'
- name: Generate Cache Key File
# go with bash instead of bb, we have not downloaded our deps yet
run: |
curl --fail -s \
https://clojars.org/api/artifacts/nvd-clojure | \
jq ".latest_release" | \
tee nvd_check_helper_project/nvd-clojure-version.txt
- name: Restore NVD DB & Clojure Deps Cache
# nvd caches its db under ~/.m2/repository/org/owasp so that it can
# conveniently be cached with deps
uses: actions/cache/restore@v4
with:
path: |
~/.m2/repository
~/.deps.clj
~/.gitlibs
# because we are using a RELEASE version of nvd-clojure
# we also include its version
key: |
nvd-${{ hashFiles(
'nvd_check_helper_project/nvd-clojure-version.txt',
'nvd_check_helper_project/deps.edn',
'nvd_check_helper_project/bb.edn',
'bb.edn') }}
restore-keys: |
nvd-
- name: Download Clojure deps
run: clojure -X:deps prep
working-directory: nvd_check_helper_project
- name: Run NVD Scanner
env:
NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
run: bb nvd-scan
- name: Save NVD DB & Clojure Deps Cache
if: always() # always cache regardless of outcome of nvd scan
uses: actions/cache/save@v4
with:
path: |
~/.m2/repository
~/.deps.clj
~/.gitlibs
# we tack on github.run_id to uniquely identify the cache
# the next cache restore will find the best (and most current) match
key: |
nvd-${{ hashFiles(
'nvd_check_helper_project/nvd-clojure-version.txt',
'nvd_check_helper_project/deps.edn',
'nvd_check_helper_project/bb.edn',
'bb.edn') }}-${{ github.run_id }}