
Swirrl/nvd-clojure-gh-action


Clojure NVD Dependency Check Action

A simple GitHub Action that runs nvd-clojure against your project and opens a GitHub issue when the scan reports vulnerabilities.

Warning

This action creates issues on the repository it is activated on. If the repository is public, the issue (and therefore the fact that your dependencies carry known CVEs of the listed severities) is public too. It will look like this:

CVEs Found in owner/repo: [CRITICAL, HIGH, MEDIUM, LOW] #1

Ensure that you want this before activating this action on a public repository.

Usage

Add a .github/workflows/main.yml to your project:

name: Clojure NVD Dependency Checking

on:
  workflow_dispatch:
  schedule:
    - cron: "0 1 * * 1-5"

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - name: Checkout Latest Commit
        uses: actions/checkout@v2.4.0

      - name: NVD Clojure
        ## `@master` follows the branch head, so the scanner can change
        ## between runs; pin a tag or commit SHA if you want a fixed,
        ## reviewed version of the action.
        uses: Swirrl/nvd-clojure-gh-action@master
        with:
          ## Below is the only required argument; if your
          ## project only depends on public maven/clojars 
          ## dependencies, this is probably all you need.
          github_token: ${{ secrets.github_token }}

          ## If the Clojure project you wish to scan is not
          ## in the project's root directory, set its location
          ## with this variable.
          # directories: sub-project-dir
          
          ## Uncomment below and set up the secret if you need
          ## to resolve any `tools.deps` `git/deps` from
          ## private git repositories.
          # ssh_private_key: ${{ secrets.ssh_private_key }}
          
          ## Uncomment and set up the secrets below if you have
          ## any Maven dependencies in AWS/S3-wagon buckets.
          # aws_access_key_id: ${{ secrets.aws_access_key_id }}
          # aws_secret_access_key: ${{ secrets.aws_secret_access_key }}

Supported Arguments

  • directories: Space-separated list of sub-directories to check. Defaults to the root of the repository.
  • github_token: The only required argument. Either the default token, as seen above, or a personal access token with write access to the repository. Whichever token you use must be allowed to create issues: if your repository restricts the default GITHUB_TOKEN to read-only, grant the workflow `issues: write` with a `permissions:` block.
  • ssh_private_key: Used to access private repositories over git/SSH. Use the private key of the private repo's "Deploy Key" (a read-only deploy key scoped to that repository is enough).
  • aws_access_key_id: Used to access S3-bucket Maven repositories.
  • aws_secret_access_key: Used to access S3-bucket Maven repositories.

Suppressing CVEs

Because DependencyCheck identifies libraries heuristically, by matching evidence from the artifact to CPEs, false positives occur when an incorrect CPE is matched and its CVEs are attributed to your dependency.

Add a file named nvd-clojure-suppress.xml in the Clojure project directory to specify CVE suppressions. Keep each suppression as narrow as possible (scoped to one artifact and one CPE or CVE), record why it is a false positive, and give it an expiry so it is re-examined rather than hiding future findings indefinitely.

See the DependencyCheck docs, and the example project for details.
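The following is an added example, not code from the nvd-clojure-gh-action project: a small audit that parses a suppression file in DependencyCheck's format and flags entries that are undocumented, unscoped, untargeted or expired. The sample file embedded in it is constructed for the example; the artifact coordinates, CPE and CVE identifiers in it are placeholders rather than real findings, and the schema namespace is assumed to be the 1.3 one DependencyCheck's documentation uses (check it against the linked docs).

```python
"""Audit a DependencyCheck suppression file before trusting it.

Added example, not part of the nvd-clojure-gh-action project. It builds a
constructed nvd-clojure-suppress.xml in memory (the package names, CPE and
CVE identifiers are placeholders, not real findings) and checks that every
<suppress> entry is scoped, documented, targeted and time-limited, so a
suppression added for one false positive cannot quietly hide future CVEs.
"""
from __future__ import annotations

import datetime as dt
import xml.etree.ElementTree as ET

# Namespace of DependencyCheck's suppression schema (assumed 1.3; verify against the docs).
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
NSMAP = {"s": NS}

# Constructed sample file; every coordinate and identifier below is a placeholder.
SAMPLE_SUPPRESSIONS = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <!-- Good: scoped to one artifact, one CPE, documented, and it expires. -->
  <suppress until="2099-01-01Z">
    <notes><![CDATA[
      example-lib is matched to another vendor's product CPE; placeholder ticket SEC-0.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/example-lib@.*$</packageUrl>
    <cpe>cpe:/a:example:other_product</cpe>
  </suppress>
  <!-- Bad: no notes, no scope, no expiry; hides one CVE in every dependency forever. -->
  <suppress>
    <cve>CVE-0000-00000</cve>
  </suppress>
  <!-- Stale: otherwise fine, but its until date has passed. -->
  <suppress until="2000-01-01Z">
    <notes><![CDATA[Placeholder: false positive in an old build of stale-lib.]]></notes>
    <gav regex="true">^org\\.example:stale-lib:.*$</gav>
    <cve>CVE-0000-00001</cve>
  </suppress>
</suppressions>
"""

# Elements that limit which dependency a suppression applies to.
SCOPE_TAGS = ("packageUrl", "gav", "sha1", "filePath")
# Elements that say which finding is being suppressed.
TARGET_TAGS = ("cve", "cpe", "vulnerabilityName", "cvssBelow")


def audit_suppressions(xml_text: str, today: dt.date | None = None) -> list[dict]:
    """Return one report per <suppress> entry listing its policy problems."""
    today = today or dt.date.today()
    root = ET.fromstring(xml_text)
    reports = []
    for idx, sup in enumerate(root.findall("s:suppress", NSMAP)):
        problems = []
        notes = sup.find("s:notes", NSMAP)
        if notes is None or not (notes.text or "").strip():
            problems.append("missing notes: record why this is a false positive")
        if not any(sup.find(f"s:{t}", NSMAP) is not None for t in SCOPE_TAGS):
            problems.append("no scope (packageUrl/gav/sha1/filePath): applies to every dependency")
        if not any(sup.find(f"s:{t}", NSMAP) is not None for t in TARGET_TAGS):
            problems.append("no target (cve/cpe/vulnerabilityName/cvssBelow)")
        until = sup.get("until")
        if until is None:
            problems.append("no until= date: suppression never expires")
        else:
            # DependencyCheck writes the date as yyyy-MM-ddZ.
            expiry = dt.date.fromisoformat(until.rstrip("Z"))
            if expiry < today:
                problems.append(f"expired on {expiry}: re-evaluate or remove")
        reports.append({"index": idx, "until": until, "problems": problems})
    return reports


def suppressions_ok(xml_text: str) -> bool:
    """True only when every suppression passes all checks."""
    return all(not r["problems"] for r in audit_suppressions(xml_text))


if __name__ == "__main__":
    for r in audit_suppressions(SAMPLE_SUPPRESSIONS):
        status = "OK " if not r["problems"] else "BAD"
        print(f"{status} suppress[{r['index']}] until={r['until']}")
        for p in r["problems"]:
            print(f"     - {p}")
```

Run it against the real nvd-clojure-suppress.xml (read the file instead of SAMPLE_SUPPRESSIONS) as a step before the scan, and fail the workflow on any problem; that keeps the suppression list from becoming a permanent blind spot.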

Licensing

Copyright © 2022 Swirrl IT Ltd

Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.
