ITEA is the Eureka Cluster on software innovation

OWASP Dependency Track Github Action

Project
17005 SCRATCh
Description
  • This GitHub action enables the direct use of an OWASP Dependency-Track instance to analyze the source code of our projects in a very convenient way, without requiring any human action or additional service.
  • When code is pushed or merged to a repository, the action is triggered and the vulnerability analysis is performed.
  • The result is provided and can be used directly within the CI/CD process, for example to prevent users from pushing code with known vulnerabilities. It also checks the licenses of the added libraries.
Contact
Ivan Abalde, Quobis
Email
Ivan.abalde@quobis.com
Technical features

Input(s):

  • Source code in any programming language hosted on GitHub; the URL and API key of an OWASP Dependency-Track (DT) instance

Main feature(s):

  • It creates a Bill of Materials (BoM) of the source code of a project, uploads it to an OWASP Dependency-Track instance and provides the result within the CI/CD cycle

Output(s):

  • It provides a risk score derived from the library versions used in the project
Integration constraints

An OWASP Dependency-Track instance must be deployed, reachable from the Internet, with valid certificates.

Targeted customer(s)

Any developer

Conditions for reuse

Open source project, public action on GitHub, MIT license.

Confidentiality
Public
Publication date
18-03-2022
Involved partners
Quobis (ESP)