This is an automated email from the ASF dual-hosted git repository.
pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 7717745b31c6 chore(ci): add OWASP dependency check scheduled workflow
7717745b31c6 is described below
commit 7717745b31c6e284611c8cb152a9a2871626be22
Author: Guillaume Nodet <[email protected]>
AuthorDate: Thu Dec 4 07:24:21 2025 +0000
chore(ci): add OWASP dependency check scheduled workflow
Add a new GitHub Actions workflow that runs the OWASP dependency-check
plugin on a weekly schedule (Sundays at 4 AM UTC) to scan for known
security vulnerabilities in project dependencies.
Features:
- Uses the existing dependencycheck Maven profile
- Uploads HTML and JSON reports as artifacts (retained for 30 days)
- Can be manually triggered via workflow_dispatch
- Provides a job summary with basic status information
This helps maintain security visibility and catch vulnerable
dependencies before they become a problem.
---
.github/workflows/security-scan.yml | 63 +++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/.github/workflows/security-scan.yml
b/.github/workflows/security-scan.yml
new file mode 100644
index 000000000000..21ef3807dba4
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,63 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Security Vulnerability Scan
+
+on:
+ schedule:
+ # Weekly on Sundays at 4 AM UTC
+ - cron: '0 4 * * 0'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ owasp-check:
+ if: github.repository == 'apache/camel'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+ cache: 'maven'
+ - name: OWASP Dependency Check
+ run: ./mvnw -B -Pdependencycheck validate -DskipTests -l
owasp-check.log
+ - name: Upload OWASP Report
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: owasp-dependency-check-report
+ path: |
+ **/target/dependency-check-report.html
+ **/target/dependency-check-report.json
+ owasp-check.log
+ retention-days: 30
+ - name: Job Summary
+ if: always()
+ run: |
+ echo "## OWASP Dependency Check Results" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "The OWASP dependency check has completed." >>
$GITHUB_STEP_SUMMARY
+ echo "Download the artifacts for detailed HTML and JSON reports." >>
$GITHUB_STEP_SUMMARY
+
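Review bot: The three `uses:` lines (checkout, setup-java, upload-artifact) reference floating `@v4` tags; for a workflow whose purpose is supply-chain hygiene, pin each action to a full commit SHA with the version kept as a trailing comment (`uses: actions/checkout@<full-commit-sha> # v4`) and let Dependabot bump them, so a retagged release cannot silently change what runs with the repository checked out. In the "OWASP Dependency Check" step nothing supplies an NVD API key; unless the `dependencycheck` Maven profile already configures one (not visible in this hunk), current dependency-check releases are heavily rate-limited without it and the NVD feed download frequently times out, so I would pass a `NVD_API_KEY` repository secret through `env:` rather than inline in the command, and add a job-level `timeout-minutes:` since the first database build is slow. The "Job Summary" step prints "has completed" even when the scan step failed, because `if: always()` runs it regardless and Maven output goes only to `owasp-check.log`; giving the scan step an `id` and writing `${{ steps.owasp.outcome }}` into the summary makes the result visible without opening the artifact. On a public repository the uploaded report is downloadable by anyone with a GitHub account, which is acceptable for an inventory built from public CVE data but worth noting in a comment next to `retention-days` so nobody later routes non-public findings into the same artifact.

```yaml
      - name: OWASP Dependency Check
        id: owasp
        # Secret is exposed via env, not interpolated into the shell line.
        # Drop the -DnvdApiKey flag if the dependencycheck profile already sets one.
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: ./mvnw -B -Pdependencycheck validate -DskipTests -DnvdApiKey="${NVD_API_KEY}" -l owasp-check.log
      # … unchanged: Upload OWASP Report step …
      - name: Job Summary
        if: always()
        run: |
          echo "## OWASP Dependency Check Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # steps.<id>.outcome is a fixed enum (success/failure/cancelled/skipped), safe to interpolate here
          echo "Scan step outcome: ${{ steps.owasp.outcome }}" >> "$GITHUB_STEP_SUMMARY"
          echo "Download the artifacts for detailed HTML and JSON reports." >> "$GITHUB_STEP_SUMMARY"
```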