
Dependency Risk Identification

This workflow identifies potential security vulnerabilities in a project's dependencies. It takes a Software Bill of Materials (SBOM) as input and checks the dependencies listed there for known vulnerabilities and outdated versions.

The dependency-risk-identification workflow accepts the following inputs (the DevGuard API token is passed separately as the devguard-token secret, as the examples below show):

Name                | Description                                 | Required | Default value
api-url             | URL of the DevGuard API                     | No       | https://api.main.devguard.org
asset-name          | Name of the asset to be scanned             | Yes      |
sbom-file           | Path to the SBOM file to be scanned         | Yes      | sbom.json
sbom-artifact-name  | Name of the SBOM artifact to be downloaded  | No       | ''

Usage Examples:

If you have the SBOM in the repository:

name: DevGuard Workflow

on: push

jobs:
  devguard-dependency-risk-identification:
    uses: l3montree-dev/devguard-action/.github/workflows/dependency-risk-identification.yml@main
    with:
      api-url: https://api.main.devguard.org
      asset-name: 'myOrganization/projects/myProject/assets/myAsset'
      sbom-file: "./sbom.json"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

If the SBOM is produced by a previous job, that job has to upload it as an artifact first; the workflow then downloads the artifact by name and reads the SBOM file from it:

name: DevGuard Workflow

on: push

jobs:
  software-composition-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
          persist-credentials: false

      - name: Generate CycloneDX SBOM with Trivy
        # `trivy fs` scans the checked-out tree and emits the SBOM; `trivy sbom` would
        # instead expect an existing SBOM as its input.
        run: |
          docker run --rm -v "$(pwd):/project" aquasec/trivy:latest fs --format cyclonedx /project > sbom.json
        # A failed scan does not fail the job, so sbom.json may be empty and is still uploaded below.
        continue-on-error: true

      - name: Upload Software Composition Analysis Report
        uses: actions/upload-artifact@v4
        with:
          name: sbom-report
          path: sbom.json

  dependency-risk-identification:
    needs: software-composition-analysis
    uses: l3montree-dev/devguard-action/.github/workflows/dependency-risk-identification.yml@main
    with:
      api-url: https://api.main.devguard.org
      asset-name: 'myOrganization/projects/myProject/assets/myAsset'
      # Artifact name from the upload step above, and the SBOM file path inside it.
      sbom-artifact-name: sbom-report
      sbom-file: sbom.json
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
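As an added example (not part of the DevGuard action or of this page), a small Python check that can run as a step between the Trivy scan and the artifact upload, so that an empty or broken sbom.json left behind by a scan failure swallowed by continue-on-error is not handed on to the dependency-risk-identification workflow. The file name check_sbom.py, the step placement and the sample SBOM are assumptions.

```python
import json
import sys

# Gate for the CycloneDX SBOM produced by the software-composition-analysis job. Because the
# Trivy step runs with continue-on-error, a failed scan can leave sbom.json empty or truncated.

def sbom_problems(text: str) -> list[str]:
    """Return the reasons the SBOM text should not be uploaded (empty list means OK)."""
    if not text.strip():
        return ["file is empty"]
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict):
        return ["top level is not a JSON object"]
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("specVersion"):
        problems.append("specVersion missing")
    components = bom.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components listed")
    else:
        # A component without a purl cannot be matched against vulnerability data.
        missing = [c.get("name", "<unnamed>") for c in components if not c.get("purl")]
        if missing:
            problems.append(f"{len(missing)} component(s) without purl: {', '.join(missing[:5])}")
    return problems


def check_sbom_file(path: str) -> bool:
    """Read an SBOM file and report whether it is usable; problems go to stderr."""
    with open(path, encoding="utf-8") as fh:
        problems = sbom_problems(fh.read())
    for problem in problems:
        print(f"sbom check: {problem}", file=sys.stderr)
    return not problems


# Constructed sample in the shape Trivy emits, trimmed to the fields checked here.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"type": "library", "name": "golang.org/x/crypto", "version": "v0.17.0",
                    "purl": "pkg:golang/golang.org/x/crypto@v0.17.0"}],
})
if __name__ == "__main__":
    sys.exit(0 if check_sbom_file(sys.argv[1] if len(sys.argv) > 1 else "sbom.json") else 1)
```

Run it as `python3 check_sbom.py sbom.json` in a step without continue-on-error; a non-zero exit then stops the job before the upload-artifact step.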