chore(deps): Bump the nuget-dependencies group with 16 updates #175
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CVE Scanning for .NET | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| # Run weekly on Monday at 3:00 UTC (aligned with Dependabot schedule) | |
| - cron: '0 3 * * 1' | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| description: 'Branch to scan (defaults to triggering branch)' | |
| required: false | |
| type: string | |
| fail-cvss: | |
| description: 'Fail on CVSS score >= N (0-10, default 7)' | |
| required: false | |
| default: '7' | |
| type: string | |
| enable-suppressions: | |
| description: 'Use suppression file for known false positives' | |
| required: false | |
| default: true | |
| type: boolean | |
| jobs: | |
| dotnet-modules-scan: | |
| name: dotnet-scan | |
| runs-on: ubuntu-latest | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup .NET SDK | |
| uses: actions/setup-dotnet@v5 | |
| with: | |
| dotnet-version: "10.0.x" | |
| - name: Restore dependencies | |
| run: ./build.sh --target Restore | |
| - name: Build project with dotnet | |
| run: dotnet build --configuration Release | |
| - name: List vulnerable libraries | |
| run: dotnet list package --vulnerable --include-transitive | |
| - name: Depcheck | |
| uses: dependency-check/Dependency-Check_Action@1e54355a8b4c8abaa8cc7d0b70aa655a3bb15a6c | |
| id: Depcheck | |
| env: | |
| # For non-dispatch triggers, inputs.enable-suppressions is null/empty, so default to true | |
| ENABLE_SUPPRESSIONS: ${{ inputs.enable-suppressions == false && 'false' || 'true' }} | |
| with: | |
| project: 'morphir-dotnet' | |
| path: '.' | |
| format: 'HTML' | |
| out: 'reports' | |
| args: > | |
| --failOnCVSS ${{ inputs.fail-cvss || '7' }} | |
| --enableRetired | |
| ${{ inputs.enable-suppressions == false && '' || '--suppression ./.github/vuln-scanning/dependency-check-suppressions.xml' }} | |
| - name: Upload Test results | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@v6 | |
| with: | |
| name: Depcheck report | |
| path: ${{ github.workspace }}/reports |