Security Scan with OWASP Dependency Check and Trivy #22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan with OWASP Dependency Check and Trivy | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 1' # Roda toda segunda-feira à meia-noite | |
| workflow_dispatch: | |
| jobs: | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| cache: maven | |
| - name: Build with Maven | |
| run: mvn -B package --file securetimenotes/pom.xml | |
| - name: Run the application | |
| run: | | |
| nohup mvn spring-boot:run --file securetimenotes/pom.xml & | |
| sleep 30 # Espera a aplicação inicializar no localhost:8081 | |
| - name: Run OWASP Dependency Check | |
| uses: dependency-check/Dependency-Check_Action@main | |
| with: | |
| project: "MyJavaProject" | |
| path: "securetimenotes/pom.xml" | |
| format: "HTML, JSON" | |
| out: "reports" | |
| env: | |
| JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.14-7/x64 | |
| - name: Install Trivy | |
| run: | | |
| sudo apt-get install wget -y | |
| wget https://github.com/aquasecurity/trivy/releases/download/v0.46.0/trivy_0.46.0_Linux-64bit.tar.gz | |
| tar -xzf trivy_0.46.0_Linux-64bit.tar.gz | |
| sudo mv trivy /usr/local/bin/ | |
| - name: Run Trivy on project | |
| run: trivy fs --exit-code 1 --severity HIGH,CRITICAL . | |
| - name: Install OWASP ZAP | |
| run: | | |
| sudo apt-get install zaproxy | |
| - name: Run OWASP ZAP Scan | |
| run: | | |
| zap-baseline.py -t http://localhost:8081 |