Skip to content

Add dependency vulnerability scanning to CI #242

Description

@zantvoort

The CI pipeline does not scan for known-CVE transitive dependencies. The 1.13 security audit reviewed the runtime dependency inventory manually and found none, but an automated gate keeps that true across updates.

Add an OWASP Dependency-Check (or equivalent) job to ci.yml, failing on high-severity advisories in the compile-scope dependency graph. Test and provided scope (Spring Boot, Jackson, drivers) are the user's responsibility and can be excluded or reported non-failing.

Also consider (lower priority): pinning the first-party GitHub Actions (actions/*, gradle/*, codecov/*) to commit SHAs rather than major-version tags, for supply-chain defense on the release workflows.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions