CVE Scanning for Gradle #1756
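name: CVE Scanning for Gradle

# Runs the Gradle dependencyCheckAggregate task against the project's
# dependencies, on a schedule and on pull requests that touch build inputs.
on:
  schedule:
    # GitHub evaluates cron in UTC: 08:00 and 18:00, Monday to Friday.
    - cron: '0 8,18 * * 1-5'
  pull_request:
    branches: [main]
    paths:
      - '**/build.gradle'
      # presumably the scanner's suppression list; confirm against build.gradle
      - 'allow-list.xml'
      - '.github/workflows/cve-scanning-gradle.yml'

# Least privilege: the job only reads the repository, so the GITHUB_TOKEN
# does not need any write scope.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable major-version
      # tags. Pinning each one to a full commit SHA (with the tag kept in a
      # trailing comment) prevents a retagged release from changing what runs.
      - uses: actions/checkout@v4
        with:
          # The following steps execute build scripts from the checked-out
          # ref (pull-request code included), so do not leave the token in
          # the local git config where those scripts could read it.
          persist-credentials: false
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          # Only runs on main may write the Gradle cache; every other ref
          # restores it read-only, so a pull request cannot seed cache
          # entries that later runs on main would consume.
          cache-read-only: ${{ github.ref != 'refs/heads/main' }}
      - name: Build with Gradle
        # The build action is not strictly necessary as dependencyCheckAggregate will build the project
        # but it's good practice to have it as a separate step to catch build errors earlier.
        # NOTE(review): ./gradlew is taken from the checked-out ref; validating
        # the wrapper JAR before this step is worth considering.
        run: ./gradlew build --no-daemon
      - name: CVEs
        # Using --no-daemon is a good practice in CI environments
        # It prevents potential conflicts or statefulness between job runs.
        #
        # The secret is handed to the shell through the environment instead of
        # being expanded into the script text, so its value is never parsed as
        # shell syntax. It still ends up on the Gradle command line; reading
        # NVD_API_KEY from the environment inside the build script would avoid
        # that, but needs a build.gradle change that is not visible here.
        #
        # Secrets are not provided to pull_request runs from forks, so
        # NVD_API_KEY is empty there. Confirm how the scan behaves without a
        # key before treating a green result on such a run as meaningful.
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: ./gradlew dependencyCheckAggregate --no-daemon -PdependencyCheck.nvd.apiKey="$NVD_API_KEY"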