Dependency Risk Identification
This workflow identifies potential security vulnerabilities in a project's dependencies. It requires a Software Bill of Materials (SBOM) as input to analyze and ensure that all dependencies are secure and up to date.
The dependency-risk-identification
accepts the following inputs:
Name | Description | Required | Default Value |
---|---|---|---|
api-url | URL of the DevGuard API | No | https://api.main.devguard.org |
asset-name | Name of the asset to be scanned | Yes | |
sbom-file | Path to the SBOM file to be scanned | Yes | sbom.json |
sbom-artifact-name | Name of the SBOM artifact to be downloaded | No | '' |
Usage Examples:
if you have the sbom in the repository:
name: DevGuard Workflow
on:
push
jobs:
devguard-dependency-risk-identification:
uses: l3montree-dev/devguard-action/.github/workflows/dependency-risk-identification.yml@main
with:
api-url: https://api.main.devguard.org
asset-name: 'myOrgnaization/projects/myProject/assets/myAsset'
sbom-file: "./sbom.json"
secrets:
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
if you have the sbom in an artifact from a previous job, you need to upload the artifact first:
name: DevGuard Workflow
on:
push
jobs:
software-composition-analysis:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
persist-credentials: false
- name: Run Trivy SBOM Scan
run: |
docker run --rm -v $(pwd):/project aquasec/trivy:latest sbom --format cyclonedx /project > sbom.json
continue-on-error: true
- name: Upload Software Composition Analysis Report
uses: actions/upload-artifact@v4
with:
name: sbom-report
path: sbom.json
dependency-risk-identification:
needs: software-composition-analysis
uses: l3montree-dev/devguard-action/.github/workflows/code-risk-identification.yml@feautre/sarif-sbom-upload-actions
with:
api-url: https://api.main.devguard.org
asset-name: 'myOrgnaization/projects/myProject/assets/myAsset'
sarif-artifact-name: sbom-report
sarif-file: sbom.json
secrets:
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}