fix(daily-scan): scan published artifacts instead of repo source (#115)

Author: thpierce

.github/workflows/daily-scan.yml

@@ -33,10 +33,12 @@ jobs:
         with:
           ruby-version: '3.0'
 
-      - name: Build Ruby project for scanning
+      - name: Install published package for scanning
         run: |
-          bundle config set --local path 'vendor/bundle'
-          bundle install
+          mkdir -p scan-target && cd scan-target
+          echo 'source "https://rubygems.org"' > Gemfile
+          echo 'gem "aws-xray-sdk"' >> Gemfile
+          bundle install --path vendor/bundle
 
       - name: Install Java for dependency scan
         uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
@@ -70,7 +72,7 @@ jobs:
           curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
           gpg --verify dependency-check.zip.asc
           unzip dependency-check.zip
-          ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} -s "."
+          ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} -s "scan-target/"
 
       - name: Print dependency scan results on failure
         if: ${{ steps.dep_scan.outcome != 'success' }}