Security Scans #90
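name: Security Scans

on:
  push:
    branches: [main, develop]
  pull_request:
  schedule:
    # Weekly (Mondays, 03:00 UTC) so advisories published after the last
    # commit are still picked up without a code change.
    - cron: "0 3 * * 1"
  workflow_dispatch:

# Least privilege: the job only reads the repository. Workflow annotations
# (::error / ::warning) need no write scope.
permissions:
  contents: read

jobs:
  # NOTE: actions/dependency-review-action has been intentionally removed.
  # It hard-requires GitHub Advanced Security (GHAS) on private repositories —
  # the Dependency Graph being enabled is necessary but not sufficient.
  # GHAS is only available on GitHub Enterprise plans.
  # Equivalent coverage is provided by dotnet-vulnerability-scan below,
  # which uses `dotnet list --vulnerable` and needs no special GitHub features.
  dotnet-vulnerability-scan:
    name: .NET Vulnerability Audit
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      # Third-party actions are pinned to a full commit SHA (tag kept as a
      # comment) so a moved tag cannot swap the action's code.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup .NET
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
        with:
          dotnet-version: "8.0.x"

      - name: Cache NuGet packages
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: ~/.nuget/packages
          # Keyed on the project files, so a package bump invalidates the cache.
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: ${{ runner.os }}-nuget-

      - name: Restore
        run: dotnet restore CompanyManagementSystem.sln

      - name: Scan for vulnerable packages
        run: |
          # Without pipefail the pipeline's status is tee's (always 0), so a
          # failed `dotnet list` (restore or network error) would fall through
          # to "No known vulnerable packages found." — a false clean result.
          set -o pipefail
          echo "=== NuGet Vulnerability Scan ==="
          if ! dotnet list CompanyManagementSystem.sln package --vulnerable --include-transitive 2>&1 | tee vuln-report.txt; then
            echo "::error::dotnet list failed; the vulnerability scan did not complete."
            exit 1
          fi
          # Detection keys on the CLI's English summary line; if that wording
          # changes or is localized, the scan would pass silently — revisit.
          if grep -q "has the following vulnerable packages" vuln-report.txt; then
            echo ""
            echo "::error::Vulnerable packages detected! See report above."
            echo "Fix by upgrading packages or pinning secure transitive versions in .csproj files."
            exit 1
          else
            echo "No known vulnerable packages found."
          fi

      - name: Check for deprecated packages
        run: |
          # Same pipefail rationale as the vulnerability step: a tool failure
          # must not read as "no deprecated packages".
          set -o pipefail
          echo "=== Deprecated Package Check ==="
          if ! dotnet list CompanyManagementSystem.sln package --deprecated 2>&1 | tee deprecated-report.txt; then
            echo "::error::dotnet list failed; the deprecated package check did not complete."
            exit 1
          fi
          if grep -q "has the following deprecated packages" deprecated-report.txt; then
            echo "::warning::Deprecated NuGet packages detected. Consider updating."
          else
            echo "No deprecated packages found."
          fi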