OWASP Dependency Track Github Action
- Project
- 17005 SCRATCh
- Description
- This GitHub action enables the direct use of an OWASP Dependency Track instance to analyze the source code of our projects in a very convenient way, without requiring any human action or additional service.
- When code is pushed or merged to a repository, the action is triggered and the vulnerability analysis is performed.
- The result is provided and can be used directly within the CI/CD process, for example to prevent users from pushing code with known vulnerabilities. Additionally, it checks the licenses of the added libraries.
- Contact
- Ivan Abalde, Quobis
- Ivan.abalde@quobis.com
- Technical features
Input(s):
- Source code of a project hosted on GitHub, in any programming language; the URL and API key of an OWASP Dependency Track (DT) instance
Main feature(s):
- It creates a Bill of Materials (BoM) of the source code of a project, uploads it to an OWASP Dependency Track instance and provides the result within the CI/CD cycle
Output(s):
- It provides a risk score derived from the library versions used in the project
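The upload-and-gate step described by these features, as an added example that is not the action's own code. It assumes the Dependency Track REST API (PUT /api/v1/bom with a base64-encoded CycloneDX BOM, GET /api/v1/metrics/project/{uuid}/current), the environment variables DT_URL, DT_API_KEY and DT_PROJECT_UUID, and a bom.json produced earlier in the job; it fails the job on critical findings, on too many high findings, on a risk score above a threshold, or on any license policy violation.

```python
# Added CI-gate example for OWASP Dependency-Track (DT); not the SCRATCh action's
# own code. Assumed: DT's REST API (PUT /api/v1/bom, GET /api/v1/metrics/project/
# {uuid}/current), env vars DT_URL, DT_API_KEY, DT_PROJECT_UUID, and a bom.json.
import base64
import json
import os
import urllib.request

# Severity weights of DT's Inherited Risk Score, as given in the DT documentation.
RISK_WEIGHTS = {"critical": 10, "high": 5, "medium": 3, "low": 1, "unassigned": 5}

def build_bom_upload(base_url, api_key, project_name, project_version, bom_bytes):
    """Build the PUT /api/v1/bom request; the API key travels in the X-Api-Key header."""
    body = json.dumps({"projectName": project_name, "projectVersion": project_version,
                       "autoCreate": True,
                       "bom": base64.b64encode(bom_bytes).decode("ascii")}).encode()
    return urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/bom", data=body, method="PUT",
                                  headers={"X-Api-Key": api_key, "Content-Type": "application/json"})

def inherited_risk_score(metrics):
    """Recompute DT's score from the per-severity counts so the gate can report it."""
    return sum(int(metrics.get(sev, 0)) * w for sev, w in RISK_WEIGHTS.items())

def evaluate_gate(metrics, max_high=0, max_score=10):
    """Return (passed, reasons). Blocks on critical findings, more than max_high
    highs, a risk score above max_score, or any license policy violation."""
    reasons = []
    if metrics.get("critical", 0):
        reasons.append(f"{metrics['critical']} critical finding(s)")
    if metrics.get("high", 0) > max_high:
        reasons.append(f"{metrics['high']} high finding(s) > {max_high}")
    score = inherited_risk_score(metrics)
    if score > max_score:
        reasons.append(f"inherited risk score {score} > {max_score}")
    if metrics.get("policyViolationsLicenseTotal", 0):  # DT 4.x metrics field (assumed name)
        reasons.append(f"{metrics['policyViolationsLicenseTotal']} license policy violation(s)")
    return not reasons, reasons

if __name__ == "__main__":
    base, key, uuid = (os.environ[k] for k in ("DT_URL", "DT_API_KEY", "DT_PROJECT_UUID"))
    with open("bom.json", "rb") as f:
        urllib.request.urlopen(build_bom_upload(base, key, "my-project", "main", f.read()))
    # DT processes the BOM asynchronously: a real job should poll
    # /api/v1/bom/token/{token} until processing finishes before reading metrics.
    req = urllib.request.Request(f"{base}/api/v1/metrics/project/{uuid}/current",
                                 headers={"X-Api-Key": key})
    ok, why = evaluate_gate(json.load(urllib.request.urlopen(req)))
    print("PASS" if ok else "FAIL: " + "; ".join(why))
    raise SystemExit(0 if ok else 1)
```

The thresholds are deliberately strict (no highs, score at most 10); loosen them per project, and keep the API key in a repository secret rather than in the workflow file.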
- Integration constraints
An OWASP Dependency Track instance deployed and reachable from the Internet, with valid TLS certificates, is required.
- Targeted customer(s)
Any developer
- Conditions for reuse
Open Source project, public action in Github, MIT license.
- Confidentiality
- Public
- Publication date
- 18-03-2022
- Involved partners
- Quobis (ESP)