Closed binkley closed 4 months ago
Not done:
Done:
See discussion in https://github.com/earthly/earthly/issues/1470#issuecomment-2123421044 for passing secrets to Earthly.
Performance is improved using the NVD API key, but in Earthly it is still slow compared to directly calling Gradle or Maven.
In all cases, the NVD API key should be a secret for the build passed in by GitHub (`${{ secrets.OWASP_NVD_API_KEY }}`) and never appear in build log output. This should also work for local builds when using `export OWASP_NVD_API_KEY=...`.
20m builds in CI for Earthly container vs 2m builds when calling Gradle or Maven directly is a clear sign the API key isn't getting passed into the container. (The extra time is for pulling down the CVE data files.)
See related discussion: https://github.com/earthly/earthly/issues/1470#issuecomment-2123352604
First acceptance criteria
Two cases:
`OWASP_NVD_API_KEY`.
Second acceptance criteria
See 466
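A wrapper for the two requirements stated in this issue (the key reaches the Earthly build as a secret, and its value never shows up in build output), as an added example that is not part of the original issue or the project's own code. It assumes a hypothetical Earthfile target `+build` whose dependency-check step is declared with `RUN --secret OWASP_NVD_API_KEY ...`; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the issue. Assumes a hypothetical Earthfile target
# "+build" whose scan step uses: RUN --secret OWASP_NVD_API_KEY ...

# Fail early when the key is absent, so a slow unauthenticated NVD download
# is not mistaken for a working build.
require_key() {
  if [ -z "${OWASP_NVD_API_KEY:-}" ]; then
    echo "OWASP_NVD_API_KEY is not set" >&2
    return 1
  fi
}

# Return 0 if the literal key value appears in the given log file.
# -F matches a fixed string, -q prints nothing, so the key is never echoed.
log_leaks_key() {
  grep -Fq -- "$OWASP_NVD_API_KEY" "$1"
}

# Run the build with the key passed as an Earthly secret and capture the
# output. The log is only shown if it does not contain the key.
run_build() {
  require_key || return 1
  log=$(mktemp) || return 1
  status=0
  # With no value given, earthly reads the secret from the environment
  # variable of the same name (works for CI and for a local export).
  earthly --secret OWASP_NVD_API_KEY +build >"$log" 2>&1 || status=$?
  if log_leaks_key "$log"; then
    echo "NVD API key found in build output; log suppressed" >&2
    status=1
  else
    cat "$log"
  fi
  rm -f "$log"
  return "$status"
}
```

In GitHub Actions the step calling `run_build` would set `OWASP_NVD_API_KEY` in its `env:` from `${{ secrets.OWASP_NVD_API_KEY }}`; locally the `export` from the issue is enough.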