Action that checks if your application uses dependencies with known vulnerabilities.

Owldency - Vulnerable Dependencies Hunter


Owldency is a GitHub action that checks if your application uses dependencies with known vulnerabilities. Currently it supports applications that use Maven, Gradle, or npm as the package manager. Under the hood, it uses OWASP Dependency-Check and npm audit to check the dependencies.

When the analysis finishes, Owldency generates an artifact containing an HTML file with the results. For applications that use Maven or Gradle, the HTML file is generated by OWASP Dependency-Check; for applications that use npm, it is generated by the npm-audit-html plugin.


Usage

The simplest way to add Owldency to your workflow is to add it as a step of your current workflow.

- name: Owldency
  uses: ZupIT/owldency@v1

Pre-requisites

If you are using Maven or Gradle as your package manager, you must add the OWASP dependency-check plugin to your build file (pom.xml or build.gradle), as this makes the results much more accurate. If you're using npm, you can skip this section.

Maven Plugin Example - pom.xml

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.1.2</version>
  <configuration>
    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Gradle Plugin Example - build.gradle

plugins {
  id 'org.owasp.dependencycheck' version '6.1.2'
}

dependencyCheck {
  formats = ['HTML', 'JSON']
}

Take care with your .gitignore file: this action needs the gradlew wrapper to execute the dependency-check plugin, so if your .gitignore ignores gradle-wrapper.jar or gradle-wrapper.properties, the action will not run as expected.


Workflow Example

name: Owldency

on: push

jobs:
  owldency:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Owldency
      uses: ZupIT/owldency@v1
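The JSON format enabled in the plugin configuration above is what makes the report machine-readable. As an added example (not Owldency's own code), the following Node script turns that report into a pass/fail gate for the job; it assumes the dependency-check JSON layout dependencies[].vulnerabilities[] with name, severity and cvssv3.baseScore (or cvssv2.score), and the Maven default output path target/dependency-check-report.json.

```javascript
// Added example (not Owldency's own code): gate a CI job on the dependency-check JSON
// report written by the Maven/Gradle plugin configuration above. Assumed report layout:
// dependencies[].vulnerabilities[] with name, severity, cvssv3.baseScore (or cvssv2.score).

// Constructed sample shaped like dependency-check-report.json; CVE ids are placeholders.
const SAMPLE_REPORT = {
  dependencies: [
    { fileName: "example-web-1.2.jar",
      vulnerabilities: [
        { name: "CVE-EXAMPLE-0001", severity: "CRITICAL", cvssv3: { baseScore: 9.8 } },
        { name: "CVE-EXAMPLE-0002", severity: "MEDIUM", cvssv2: { score: 5.0 } },
      ] },
    { fileName: "example-util-3.0.jar" },            // clean dependency, no findings
    { fileName: "example-parser-0.9.jar",
      vulnerabilities: [
        { name: "CVE-EXAMPLE-0003", severity: "HIGH", cvssv3: { baseScore: 7.5 } },
        { name: "CVE-EXAMPLE-0004", severity: "HIGH" },   // no CVSS score recorded
      ] },
  ],
};

// Prefer the CVSS v3 base score, fall back to v2, null when neither is present.
function scoreOf(vuln) {
  if (vuln.cvssv3 && typeof vuln.cvssv3.baseScore === "number") return vuln.cvssv3.baseScore;
  if (vuln.cvssv2 && typeof vuln.cvssv2.score === "number") return vuln.cvssv2.score;
  return null;
}

// Flatten the report into one finding per (dependency, CVE), highest score first.
// Findings at or above `threshold` fail the gate; unscored ones are listed for manual review.
function gate(report, threshold) {
  const findings = [], unscored = [];
  for (const dep of report.dependencies || []) {
    for (const v of dep.vulnerabilities || []) {
      const score = scoreOf(v);
      const f = { dependency: dep.fileName, cve: v.name, severity: v.severity, score };
      if (score === null) unscored.push(f);
      else if (score >= threshold) findings.push(f);
    }
  }
  findings.sort((a, b) => b.score - a.score);
  return { passed: findings.length === 0, findings, unscored };
}

// Script mode: `node gate.js target/dependency-check-report.json` (CVSS_THRESHOLD env var,
// default 7). With no path it runs against the constructed sample and never sets an exit code.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const report = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_REPORT;
  const result = gate(report, Number(process.env.CVSS_THRESHOLD || 7));
  for (const f of result.findings) console.log(`${f.dependency}: ${f.cve} ${f.severity} CVSS ${f.score}`);
  for (const f of result.unscored) console.log(`${f.dependency}: ${f.cve} ${f.severity} (unscored, review)`);
  console.log(result.passed ? "dependency gate passed" : "dependency gate FAILED");
  if (path && !result.passed) process.exitCode = 1;
}
```

Run it as a workflow step after Owldency with `run: node gate.js target/dependency-check-report.json` so the job fails when a dependency carries a vulnerability at or above the threshold.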

Licenses

Owldency project icons made by Freepik, Roundicons, Icongeek26 and Darius Dan from Flaticon. The source code is licensed under Apache-2.0.