feat: Add Dependabot and CVE scanning workflows (#56)

marcosbarbero · claude · web-flow · commit 2b12bd4c8ee6 · 2026-03-27T16:53:26.000+01:00
* feat: Add Dependabot for dependency updates and CVE scanning workflow - Add Dependabot config for Maven dependencies (grouped by ecosystem) and GitHub Actions, running weekly on Mondays - Add CVE scan workflow with: - OSSF Scorecard for supply chain security - Dependency Review on PRs (blocks on high severity or GPL licenses) - Trivy filesystem scan for known vulnerabilities - All scan results uploaded as SARIF to GitHub Security tab Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: Update trivy-action to v0.35.0 The 0.28.0 version was flagged as compromised (GHSA-69fq-xp46-6x23) and could not be resolved. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: Pin all GitHub Actions by commit SHA and fix Trivy build step - Pin all actions across ci.yml, release.yml, and cve-scan.yml to commit SHAs to satisfy OSSF Scorecard pinned-dependencies check - Scope permissions per-job instead of top-level in cve-scan.yml - Change mvn dependency:resolve to mvn install -DskipTests so inter-module SNAPSHOT artifacts are available for Trivy scan Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: Revert to version tags for actions and fix Trivy build step Revert SHA pinning back to readable version tags — Dependabot keeps them updated. Keep the actual fix: mvn install -DskipTests for Trivy and per-job permissions scoping in cve-scan.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+version: 2
+updates:
+  # Maven dependencies
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+    groups:
+      kotlin:
+        patterns:
+          - "org.jetbrains.kotlin*"
+          - "org.jetbrains.dokka*"
+      spring-boot:
+        patterns:
+          - "org.springframework.boot*"
+          - "org.springframework*"
+      jackson:
+        patterns:
+          - "tools.jackson*"
+          - "com.fasterxml.jackson*"
+      testing:
+        patterns:
+          - "io.kotest*"
+          - "io.mockk*"
+          - "org.testcontainers*"
+          - "au.com.dius.pact*"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
@@ -0,0 +1,94 @@
+name: CVE Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    # Run every Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
+
+permissions: {}
+
+jobs:
+  ossf-scorecard:
+    name: OSSF Scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run OSSF Scorecard
+        uses: ossf/scorecard-action@v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0
+
+  trivy:
+    name: Trivy Vulnerability Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 25
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Build to resolve dependencies
+        run: mvn install -B -q -DskipTests
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
