
Commit b4110d1

authored
Merge branch 'master' into pin-github-actions-sha
2 parents 5ec20d2 + ee19ab6 commit b4110d1

1 file changed

Lines changed: 7 additions & 5 deletions


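--- a/.github/workflows/daily-scan.yml
+++ b/.github/workflows/daily-scan.yml
@@ -54,11 +54,13 @@ jobs:
 role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
 aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
-- name: Get NVD API key for dependency scan
+- name: Get secrets for dependency scan
 uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
 id: nvd_api_key
 with:
-secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+secret-ids: |
+${{ secrets.NVD_API_KEY_SECRET_ARN }}
+OSS_INDEX, ${{ secrets.OSS_INDEX_SECRET_ARN }}
 parse-json-secrets: true
 
 # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
@@ -72,7 +74,7 @@ jobs:
 curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
 gpg --verify dependency-check.zip.asc
 unzip dependency-check.zip
-./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "."
+./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} -s "."
 
 - name: Print dependency scan results on failure
 if: ${{ steps.dep_scan.outcome != 'success' }}
@@ -81,7 +83,7 @@ jobs:
 - name: Perform high severity scan on built artifacts
 if: always()
 id: high_scan_latest
-uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
+uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
 with:
 scan-type: 'fs'
 scan-ref: '.'
@@ -92,7 +94,7 @@ jobs:
 - name: Perform low severity scan on built artifacts
 if: always()
 id: low_scan_latest
-uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
+uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
 with:
 scan-type: 'fs'
 scan-ref: '.'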
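Review bot: The new `--ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }}` arguments on the dependency-check command are substituted into the script text before the shell runs and are left unquoted, so a credential containing whitespace or shell metacharacters would be word-split or interpreted rather than passed as a single value. The `env.` context shows these values are already job environment variables, so the shell can read them directly as data: `--ossIndexUsername "$OSS_INDEX_USERNAME" --ossIndexPassword "$OSS_INDEX_PASSWORD"`, and the existing `--nvdApiKey` argument deserves the same treatment. Passing the password as a command-line argument also leaves it readable in the runner's process list while the scan runs; a properties file with restrictive permissions would avoid that if the pinned CLI version supports it. The step that now fetches both secrets still carries `id: nvd_api_key`, which no longer describes it. The start of the `run:` script for this step is outside the hunk.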
