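# Runs the dependency-check Gradle task (dependencyCheckAggregate) against the
# build, twice a day on weekdays and on pull requests that touch the build
# inputs, the suppression allow-list, or this workflow itself.
name: CVE Scanning for Gradle

on:
  schedule:
    # 08:00 and 18:00 (runner time zone, UTC), Monday to Friday
    - cron: '0 8,18 * * 1-5'
  pull_request:
    branches: [ main ]
    paths:
      - '**/build.gradle'
      - 'allow-list.xml'
      - '.github/workflows/cve-scanning-gradle.yml'

# A scan only needs to read the repository. Declaring this explicitly keeps the
# job from inheriting the repository's default GITHUB_TOKEN permissions, which
# may be read/write depending on the repository settings.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to major-version tags. Pinning to a full commit SHA
      # would make the action supply chain immutable; the SHAs are not recorded
      # here and should be looked up from each action's release when adopted.
      - uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          # Only runs on the default branch may write to the Gradle cache;
          # pull-request runs read it.
          cache-read-only: ${{ github.ref != 'refs/heads/main' }}

      - name: Build with Gradle
        # The build action is not strictly necessary as dependencyCheckAggregate will build the project
        # but it's good practice to have it as a separate step to catch build errors earlier.
        run: ./gradlew build --no-daemon

      - name: CVEs
        # Using --no-daemon is a good practice in CI environments
        # It prevents potential conflicts or statefulness between job runs.
        #
        # The NVD API key reaches the step through the environment instead of
        # being interpolated into the run script, so the secret is read by the
        # shell at runtime rather than written into the generated script text.
        # Secrets are not provided to pull requests opened from forks; in that
        # case NVD_API_KEY expands to an empty string and the task runs without
        # an API key.
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: ./gradlew dependencyCheckAggregate --no-daemon -PdependencyCheck.nvd.apiKey="$NVD_API_KEY"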