Daily NuGet Vulnerability Scan #98
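# GitHub Actions workflow: audits the restored NuGet dependency graph for known
# vulnerabilities and deprecated packages, runs the security-scan tool against one
# project, and posts a Discord alert when any step in the job fails.
# NOTE(review): despite the "Daily" name, the schedule below runs weekly (Tuesday 12:00 UTC).
name: "Daily NuGet Vulnerability Scan"

on:
  # `branches: - none` is the idiom for keeping the push trigger present but effectively
  # disabled; a branch literally named "none" would still fire it.
  push:
    branches:
      - none
  workflow_dispatch:
  schedule:
    - cron: '0 12 * * 2' # Runs at 12:00 UTC, only on Tuesday

# Least privilege for GITHUB_TOKEN: the job only checks out the repository and calls
# external services with its own secret, so read access to contents is all it needs.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Consumed only by the alert step; when the secret is not configured the value is empty.
      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
    steps:
      # No `ref` is given, so this checks out the ref that triggered the run (the default
      # branch for schedule / workflow_dispatch), not necessarily a branch called "master".
      # Actions are pinned by major tag; pinning to a full commit SHA is the stricter
      # supply-chain option if the repository requires it.
      - name: Checkout master branch
        uses: actions/checkout@v6
      # NOTE(review): .NET 6 is past Microsoft's support window; confirm 6.0.x is still required.
      - name: Use .NET SDKs
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: |
            10.0.x
            8.0.x
            6.0.x
      # `dotnet list package` reads the restore output (project.assets.json), so restore first.
      - name: ♻️ Restore Nuget Packages
        run: dotnet restore
      # With an explicit `shell: bash` the runner invokes bash with `-e -o pipefail`, so a
      # failing `dotnet` command is not masked by the `tee` at the end of the pipeline.
      - name: "🔓 Check NuGet vulnerabilities"
        run: |
          dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
          # NU1900 is NuGet's warning that vulnerability data could not be retrieved. Without
          # this check an unreachable advisory feed would be reported as "No vulnerabilities".
          if grep -q 'NU1900' build.log; then
            echo "::error::Vulnerability data could not be retrieved (NU1900); result is inconclusive"
            exit 1
          fi
          # Severity words are matched anywhere in the log (case-insensitive, whole word); a
          # package id that contains one of them as a separate token would also trip this.
          if grep -qi -w -E 'critical|high|moderate|low' build.log; then
            echo "Security vulnerabilities found in the log output"
            exit 1
          else
            echo "No vulnerabilities detected"
          fi
        shell: bash
      # Deprecation is reported per project by the CLI; the phrase below is what is grepped for,
      # so a CLI wording change would silently turn this into a pass.
      - name: ⏳ Check deprecated NuGet packages
        run: |
          dotnet list package --deprecated 2>&1 | tee deprecated.log
          if grep -qi 'has the following deprecated packages' deprecated.log; then
            echo "Deprecated packages detected in output"
            exit 1
          else
            echo "No deprecated packages detected"
          fi
        shell: bash
      # The tool is installed unpinned from the default NuGet feed; add
      # `--version <SECURITY_SCAN_VERSION>` to make the scanner itself reproducible.
      # `|| true` tolerates "already installed" on a warm runner; if the install genuinely
      # failed, the next line fails with command-not-found and the step still goes red.
      - name: "🤖 Install security-scan and run"
        run: |
          dotnet tool install --global security-scan || true
          security-scan ./src/PrivatePdfConverter/PrivatePdfConverter.csproj
        shell: bash
      # `if: failure()` fires for any failed step, including restore or tooling errors, so
      # the alert text can over-state "vulnerabilities detected"; the linked run shows the cause.
      - name: "🚨 Security Alert"
        run: |
          $webhookUrl = $env:DISCORD_WEBHOOK_URL
          if ([string]::IsNullOrEmpty($webhookUrl)) {
            # Make the skipped notification visible in the job log instead of silently doing nothing.
            Write-Host "::warning::DISCORD_WEBHOOK_URL is not set; skipping Discord alert"
          } else {
            $repo = $env:GITHUB_REPOSITORY
            $runId = $env:GITHUB_RUN_ID
            $buildUrl = "https://github.com/$repo/actions/runs/$runId"
            $branch = $env:GITHUB_REF_NAME
            $message = "🛡️ **SECURITY ALERT** - Vulnerabilities or deprecated packages detected in the repository!`n📊 **Run:** [#$runId]($buildUrl)`n🔗 **Repository:** $repo`n🌿 **Ref:** $branch"
            # ConvertTo-Json escapes the interpolated values, so repo/ref names cannot break the payload.
            $payload = @{ content = $message } | ConvertTo-Json
            Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
          }
        shell: pwsh
        if: failure()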