37 changes: 37 additions & 0 deletions .github/workflows/cve-lite.yml
@@ -0,0 +1,37 @@
name: CVE Lite dependency audit

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Weekly on Monday at 06:00 UTC - catches new advisories between pushes
- cron: '0 6 * * 1'

permissions:
contents: read
security-events: write

jobs:
scan:
name: Scan dependencies
runs-on: ubuntu-latest
timeout-minutes: 10

steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Scan for vulnerabilities
uses: OWASP/cve-lite-cli@2eed959b8641042472d2810444393b88d5454e62 # v1
with:
fail-on: high
sarif: 'true'

- name: Upload SARIF to Code Scanning
if: always() && hashFiles('*.sarif') != ''
uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
with:
sarif_file: cve-lite-*.sarif
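Review bot: `sarif_file: cve-lite-*.sarif` on the last line of the hunk is a literal path, not a glob; the `hashFiles('*.sarif')` guard on the step above does expand the pattern, so the step runs whenever a SARIF file exists and then fails on the non-existent literal path rather than being skipped. Point `sarif_file` at the directory instead (the action accepts a file or a directory), e.g. `sarif_file: .`, or give the scan step a fixed output name and reference that. Also note that `security-events: write` is not granted to `pull_request` runs from forks, so the upload step will fail on fork PRs even with a correct path; either gate the upload on `github.event.pull_request.head.repo.fork == false` or accept that fork PRs only get the `fail-on: high` gate without Code Scanning results.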

Point upload-sarif at a real path

In runs where CVE Lite writes its timestamped `cve-lite-scan-<timestamp>.sarif`, this input is passed literally to `github/codeql-action/upload-sarif`; the upload action documents `sarif_file` as a file or directory and its implementation checks the path with `fs.existsSync`, so it does not expand `cve-lite-*.sarif`. Because the preceding `hashFiles('*.sarif')` guard will be true, the upload step fails with `Path does not exist: cve-lite-*.sarif` instead of publishing the scan results; use the workspace/directory path or a fixed filename.


category: cve-lite