diff --git a/.github/workflows/cve-lite.yml b/.github/workflows/cve-lite.yml
new file mode 100644
index 000000000..1243ceb9d
--- /dev/null
+++ b/.github/workflows/cve-lite.yml
@@ -0,0 +1,37 @@
+name: CVE Lite dependency audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: Scan dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Scan for vulnerabilities
+        uses: OWASP/cve-lite-cli@99b7b0dcd4c687116890515dbfa8f955871776cc # v1
+        with:
+          fail-on: high
+          sarif: 'true'
+
+      - name: Upload SARIF to Code Scanning
+        if: always()
+        continue-on-error: true
+        uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
+        with:
+          sarif_file: .
+          category: cve-lite
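Review bot: `continue-on-error: true` on the "Upload SARIF to Code Scanning" step hides upload failures, so the job stays green even when no findings reach Code Scanning; on `pull_request` runs from forks the upload will typically fail anyway, because `GITHUB_TOKEN` does not receive `security-events: write` there. The scan step does not set an output path, so `sarif_file: .` also relies on the action writing a `.sarif` file into the workspace root, and a path mismatch would be swallowed the same way. I would drop `continue-on-error` and gate the step instead, e.g. `if: always() && github.event.pull_request.head.repo.fork != true`, so a genuine upload failure is surfaced on trusted runs. Whether `fail-on: high` also covers critical findings is not visible here and should be confirmed against the action's input documentation.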