diff --git a/.github/workflows/eumserver_security_check.yml b/.github/workflows/eumserver_security_check.yml
new file mode 100644
index 0000000..6eb1f8a
--- /dev/null
+++ b/.github/workflows/eumserver_security_check.yml
@@ -0,0 +1,52 @@
+name: EUM Server Tests
+
+on:
+# schedule:
+# - cron: "* * * * *"
+  # "0 8 1,15 * *" At 08:00 on day-of-month 1 and 15.
+  push:
+
+jobs:
+  security-check:
+    name: Security Check
+    runs-on: ubuntu-latest
+    container: openjdk:17-jdk-slim
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: build
+        run: ./gradlew assemble
+      # the action has not been updated a while, but it always uses the latest plugin version
+      - name: Run DependencyCheck plugin
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true # we still want to upload the report
+        with:
+          project: ${{ github.repository }}
+          path: '.'
+          format: 'HTML'
+          out: 'reports'
+          args: >
+            --failOnCVSS 6
+            --suppression dependencyCheckSuppression.xml
+            --disableAssembly
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v3
+        with:
+          name: dependency-check-report-eum-server
+          path: ${{ github.workspace }}/reports
+      - name: Send Notification
+        uses: slackapi/slack-github-action@v2.0.0
+        with:
+          webhook: "https://hooks.slack.com/services/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" # just for testing ;)
+          webhook-type: incoming-webhook
+          payload: |
+            text: "*GitHub Action build result*: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
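Review bot: The Slack incoming-webhook URL on the `webhook:` line of the Send Notification step is committed in plaintext, so anyone with read access to the repository (and to its history, even after removal) can post into that channel; move it to a repository secret, `webhook: ${{ secrets.SLACK_WEBHOOK_URL }}` (constructed secret name), and regenerate the exposed URL on the Slack side. The `uses: dependency-check/Dependency-Check_Action@main` reference is a mutable branch, so the scan step executes whatever that branch contains at run time; pin it to a full commit SHA, `uses: dependency-check/Dependency-Check_Action@<COMMIT_SHA>`, with a comment naming the version, as the other steps are at least pinned to tags. Because the depcheck step has `continue-on-error: true` and the notification step carries no `if:` condition, a finding at or above the `--failOnCVSS 6` threshold still leaves `job.status` as success, while a failed build skips the notification entirely; adding `if: always()` to the Send Notification step and reporting `${{ steps.depcheck.outcome }}` in the payload would make the message reflect the scan result. The hunk is the whole new file, so no enclosing context is cut.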