Conversation
@gnodet gnodet commented Dec 4, 2025

Add a new GitHub Actions workflow that runs the OWASP dependency-check plugin on a weekly schedule (Sundays at 4 AM UTC) to scan for known security vulnerabilities in project dependencies.

Features:

  • Uses the existing dependencycheck Maven profile
  • Uploads HTML and JSON reports as artifacts (retained for 30 days)
  • Can be manually triggered via workflow_dispatch
  • Provides a job summary with basic status information

This helps maintain security visibility and catch vulnerable dependencies before they become a problem.

claudio4j (Contributor) commented
Running the dependency-check locally took a good chunk of time; there is this warning message:

[WARNING] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

We can obtain an API key and set it securely in GH secrets. Perhaps Apache Infra already has this API key for other projects, which we could use?

squakez (Contributor) commented Feb 5, 2026

@gnodet I think this is good to merge: is there still anything left?

oscerd (Contributor) commented Feb 5, 2026

It's ok IMO, but maybe we should get an API key.

squakez (Contributor) commented Feb 5, 2026

> It's ok IMO, but maybe we should get an API key.

I've not tried it locally. How much time does it take to execute? Considering it's a weekly side action for support, even if it takes a couple of hours I think it would be fine to accept as it is. And it can definitely be improved along the way by reporting a follow-up issue in Jira.

oscerd (Contributor) commented Feb 5, 2026

Last time I tried it locally and without an api key, I had around 45 minutes.

squakez (Contributor) commented Feb 5, 2026

Okay, I've created this issue: https://issues.apache.org/jira/browse/CAMEL-22959 - I'm in charge of asking for the key and storing it secretly for eventual use. In the meantime, if @gnodet is okay with it, it's good for me to merge.

squakez (Contributor) commented Feb 9, 2026

I've created the API key, which we may include in this PR or at a later stage. It's NVD_API_KEY and should be available to any action that is not triggered from forks.
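For readers following along, here is what a workflow matching the PR description (weekly Sunday 04:00 UTC schedule, `workflow_dispatch`, the `dependencycheck` Maven profile, HTML/JSON artifacts kept 30 days, a job summary) looks like once the `NVD_API_KEY` secret from the comment above is wired in. This is an added illustration, not the workflow file from the PR. Assumptions not stated in the thread: the Java version, that the profile binds dependency-check to the `verify` phase and accepts the plugin's `nvdApiKey` parameter as a `-D` property, the default report paths under `target/`, and the `dependencies[].vulnerabilities[].severity` fields of the JSON report used for the summary.

```yaml
# Illustrative .github/workflows/dependency-check.yml (not the PR's own file).
name: OWASP dependency-check

on:
  schedule:
    # Weekly, Sundays at 04:00 UTC, as in the PR description.
    - cron: '0 4 * * 0'
  workflow_dispatch:

# Read-only token: the job only checks out sources and uploads artifacts.
permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    env:
      # Secret name from the thread. schedule and workflow_dispatch runs execute
      # in the upstream repository, so the secret is populated there; a run
      # from a fork would see an empty string, which the steps below handle.
      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      # Java version is an assumption; use whatever the project builds with.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # The `dependencycheck` profile exists per the PR. Binding it to `verify`
      # and passing the key via the plugin's `nvdApiKey` parameter are
      # assumptions about how the profile is configured.
      - name: Run dependency-check (NVD API key present)
        if: env.NVD_API_KEY != ''
        run: mvn -B -Pdependencycheck -DnvdApiKey="$NVD_API_KEY" verify

      - name: Run dependency-check (no key; NVD update will be slow)
        if: env.NVD_API_KEY == ''
        run: mvn -B -Pdependencycheck verify

      # always(): keep the reports even when the build fails on findings.
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-reports
          path: |
            **/target/dependency-check-report.html
            **/target/dependency-check-report.json
          retention-days: 30
          if-no-files-found: warn

      # Basic status summary. Field names follow the dependency-check JSON
      # report schema (dependencies[].vulnerabilities[].severity); assumed here.
      - name: Job summary
        if: always()
        run: |
          report=$(find . -path '*/target/dependency-check-report.json' | head -n 1)
          {
            echo "## OWASP dependency-check"
            echo
            if [ -z "$NVD_API_KEY" ]; then
              echo "- NVD API key: **not set** (NVD update may take a very long time)"
            else
              echo "- NVD API key: set"
            fi
            if [ -n "$report" ]; then
              echo "- Dependencies scanned: $(jq '.dependencies | length' "$report")"
              echo "- Vulnerabilities by severity:"
              jq -r '[.dependencies[].vulnerabilities[]?] | group_by(.severity)
                     | map("  - \(.[0].severity): \(length)") | .[]' "$report"
            else
              echo "- No JSON report found"
            fi
          } >> "$GITHUB_STEP_SUMMARY"
```

Two design points worth noting. The key is read through a job-level `env` entry because the `secrets` context cannot be used in a step `if`, whereas `env` can; that is what lets the workflow degrade to the slow keyless mode instead of failing when the secret is absent (for example on a fork). GitHub masks the secret in logs, but passing it as a `-D` property still exposes it in the runner's process list for the duration of the build; if the profile can read the key from a Maven `settings.xml` property or an environment variable instead, prefer that.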


4 participants