Dependency Risk Identification GitHub Workflow
This workflow identifies potential security vulnerabilities in a project's dependencies. It takes a Software Bill of Materials (SBOM) as input and checks the dependencies listed in it for known vulnerabilities and outdated versions.
The dependency-risk-identification workflow accepts the following inputs:
| Name | Description | Required | Default Value |
|---|---|---|---|
| asset-name | Name of the asset to be scanned | Yes | |
| api-url | URL of the DevGuard API | No | https://api.devguard.org |
| sbom-file | Path to the SBOM file to be scanned | Yes | sbom.json |
| sbom-artifact-name | Name of the SBOM artifact to be downloaded | No | "" (empty string) |
| artifact-name | Name of the artifact you are building | No | source |
| web-ui | URL of the DevGuard Web UI used for links | No | https://app.devguard.org |
| fail-on-risk | Fails if a dependency has this risk level or higher (none, low, medium, high, critical) | No | critical |
| fail-on-cvss | Fails if a dependency has this CVSS severity or higher (none, low, medium, high, critical) | No | critical |
Required secret:
| Name | Description | Required |
|---|---|---|
| devguard-token | DevGuard API token | Yes |
Template Example
Usage Examples
If you have the SBOM in the repository:
If you have the SBOM in an artifact from a previous job, upload it first:
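As an added illustration (not the project's own template), the following caller workflow covers the artifact case: a first job generates the SBOM and uploads it, and a second job hands the artifact name to the scan. The `uses:` path of the reusable workflow is a placeholder, and `anchore/sbom-action` is an assumed SBOM generator; any tool that writes a CycloneDX or SPDX JSON file can take its place.

```yaml
name: dependency-risk

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the caller; the reusable workflow declares what it needs itself.
permissions:
  contents: read

jobs:
  # Job 1: produce the SBOM and publish it as a workflow artifact.
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumption: anchore/sbom-action is used here to write sbom.json.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.json
          upload-artifact: false   # we upload it ourselves under a known name
      - uses: actions/upload-artifact@v4
        with:
          name: sbom               # must match sbom-artifact-name below
          path: sbom.json

  # Job 2: download that artifact and scan it with DevGuard.
  dependency-risk:
    needs: generate-sbom
    # PLACEHOLDER: replace OWNER/REPO and REF with the real location of the reusable workflow.
    uses: OWNER/REPO/.github/workflows/dependency-risk-identification.yml@REF
    with:
      asset-name: my-service        # required; constructed sample value
      sbom-file: sbom.json          # file name inside the downloaded artifact
      sbom-artifact-name: sbom      # non-empty value makes the workflow download the artifact first
      fail-on-risk: high            # stricter than the default of critical
      fail-on-cvss: high
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
```

If the SBOM is already committed to the repository, drop the first job and the `sbom-artifact-name` input; the default empty string makes the workflow read `sbom-file` from the checked-out tree instead.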