jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Github action for dependency check #2990

Closed javixeneize closed 1 year ago

javixeneize commented 3 years ago

Hi Jeremy

I have benefitted a lot from your tool and your support so it's time to contribute back to this project ;)

I have built a GitHub action, which is quite easy, to run dependency check in a GitHub workflow

This is the git where I have it - https://github.com/javixeneize/Depcheck_action. Note it is not completed, I have just set a couple of parameters to test, so more input parameters will be needed there.

And this is an example of the pipeline running - https://github.com/javixeneize/Depcheck_action/runs/1485294127?check_suite_focus=true

I think it would be a good addition to this project. Do you want me to do a PR against your repo with this?

I can release the action to the marketplace, but I think it will be better if this is released by you, as people will trust it more if it comes from an official source

Thanks

jeremylong commented 3 years ago

I think it would be best if it were moved to https://github.com/dependency-check

We have a few other integrations that are maintained by other contributors in the dependency-check org.

javixeneize commented 3 years ago

Yeah, I can do it. You mean creating a new project there? I don't think I have access to do it.

javixeneize commented 3 years ago

Hi. Can you give me access to that organisation to put the action there? Thanks

jeremylong commented 3 years ago

@javixeneize I just sent you an invite to give you access to the forked repo here: https://github.com/dependency-check/Depcheck_action

javixeneize commented 3 years ago

Thanks. I have created three projects in SantanderSecurityResearch:

https://github.com/Santandersecurityresearch/DependencyCheck_Builder
https://github.com/Santandersecurityresearch/DependencyCheck_Action
https://github.com/Santandersecurityresearch/DependencyCheck_Test

If you can fork those three projects instead of the other one it would be great.

The first one is a project that runs every night at midnight and builds a new image with the updated database. This is the image that will be used inside the action. The second one is the action itself. The third one is a test project; it needs a project to be analysed. I have suggested a helloworld but feel free to change it to any other test project you might have.

There are some pending points:

Do you have a Slack channel or something similar where we can discuss those points?

Thanks
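As an added illustration of the nightly-builder pattern described in the comment above (not code from this thread or from the linked repositories): a GitHub Actions workflow that rebuilds a container image every night with the vulnerability database already downloaded, so the action that uses it can scan without a long update step. The registry, image name, Dockerfile contents and the chosen data directory are assumptions, not values from the thread.

```yaml
# Assumed example: nightly rebuild of a dependency-check image that carries a
# fresh NVD data cache. Registry, image name and paths are placeholders.
name: nightly-depcheck-image

on:
  schedule:
    - cron: "0 0 * * *"   # midnight UTC, the nightly schedule the comment describes
  workflow_dispatch:       # allow a manual rebuild when the feed changes out of band

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write      # least privilege: only what pushing to the registry needs
    steps:
      - uses: actions/checkout@v3

      - name: Write Dockerfile
        run: |
          cat > Dockerfile <<'EOF'
          FROM owasp/dependency-check:latest
          # Download the NVD data at build time; --updateonly performs no scan.
          # The data is written to a directory assumed NOT to be a declared volume
          # of the base image, so it is kept in the image layer.
          RUN /usr/share/dependency-check/bin/dependency-check.sh \
                --updateonly --data /opt/dc-data
          EOF

      - name: Log in to registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Build and push
        run: |
          IMAGE=ghcr.io/EXAMPLE-ORG/dependency-check-db:nightly   # placeholder name
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

A consumer of this image would then run its scan with the same `--data /opt/dc-data` and `--noupdate`, so the scan uses the cache baked in overnight instead of downloading it again.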

jeremylong commented 3 years ago

done

javixeneize commented 3 years ago

Thanks. How can we agree on the pending points?

Thanks

jeremylong commented 3 years ago

Regarding the location - owasp/dependency-check-action would be fine. I sent an email about access rights.

I'm fine with whatever name you want to use for the action.