cve-scanning.yml

name: CVE Scanning

on:
  push:
  workflow_dispatch:

jobs:
  dotnet-modules-scan:
    name: dotnet-scan
    runs-on: ubuntu-latest
    continue-on-error: false

    steps:
      - name: Checkout
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
      - name: Build project with dotnet
        run: dotnet build --configuration Release
        working-directory: 'src'
      - name: List vulnerable libraries
        run: dotnet list package --vulnerable --include-transitive
        working-directory: 'src'
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d
        id: Depcheck
        with:
          project: '.'
          path: '.'
          format: 'HTML'
          out: 'reports'
          args: >
            --suppression .cve/allow-list.xml
            --failOnCVSS 7
            --enableRetired
      - name: Upload Test results
        if: ${{ always() }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: Depcheck report
          path: ${{ github.workspace }}/reports