
Verified Commit e877fefb authored by Romain Hunault's avatar Romain Hunault 🚴🏻

ci(security): add dependency-check scan job

parent 6aa94810
+24 −0
@@ -166,6 +166,30 @@ high-critical-scan:
    paths:
      - trivy-fs-junit.xml

dependency-vuln-scan:
  image: owasp/dependency-check:latest
  stage: code-quality
  <<: *build_rules
  needs: []
  variables:
    DEPENDENCY_CHECK_DATA: ".dependency-check-data"
  script:
    - mkdir -p dependency-check-report
    - |
      if [ -n "$NVD_API_KEY" ]; then
        dependency-check.sh --scan . --project "$CI_PROJECT_PATH_SLUG" --data "$DEPENDENCY_CHECK_DATA" --format "JSON" --format "HTML" --format "JUNIT" --out dependency-check-report --nvdApiKey "$NVD_API_KEY" --failOnCVSS 7 --junitFailOnCVSS 7
      else
        dependency-check.sh --scan . --project "$CI_PROJECT_PATH_SLUG" --data "$DEPENDENCY_CHECK_DATA" --format "JSON" --format "HTML" --format "JUNIT" --out dependency-check-report --failOnCVSS 7 --junitFailOnCVSS 7
      fi
  artifacts:
    when: always
    reports:
      junit:
        - dependency-check-report/*junit*.xml
        - dependency-check-report/*JUNIT*.xml
    paths:
      - dependency-check-report/

generate-apks:
  stage: build
  <<: *rules_publish
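Review bot: `image: owasp/dependency-check:latest` in the new dependency-vuln-scan job is an unpinned tag, so the scanner version (and with it which findings cross the `--failOnCVSS 7` threshold) can change between pipeline runs with no change to this file; pin it to a release tag or digest, e.g. `image: owasp/dependency-check:<PINNED_VERSION>` (placeholder). `DEPENDENCY_CHECK_DATA` is set to `.dependency-check-data`, but no `cache:` entry for that directory is visible in this hunk, so unless one is defined outside it every run re-downloads the NVD data, which is slow and rate-limited on the no-key branch; adding `cache:` with `key: dependency-check` and `paths: [.dependency-check-data/]` would keep the database between runs. The two `dependency-check.sh` lines differ only in `--nvdApiKey`, so computing that option once into a shell variable and issuing a single command would stop the two branches from drifting apart. Because `--scan .` covers the whole checkout, it presumably also walks `.dependency-check-data` and `dependency-check-report`; an `--exclude` for those two directories would avoid scanning the tool's own database and output.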