Skip to content

Security Vulnerability Check on Release Tags #350

Security Vulnerability Check on Release Tags

Security Vulnerability Check on Release Tags #350

# SPDX-License-Identifier: Apache-2.0
# Licensed to the Ed-Fi Alliance under one or more agreements.
# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
# See the LICENSE and NOTICES files in the project root for more information.
name: Security Vulnerability Check on Release Tags
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
permissions: read-all
jobs:
Security-Vulnerability-Check-Each-Release-Tag:
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
tag: ["v5.4-patch1","v6.2-patch2","v7.2","v7.1-patch2"]
name: ${{ matrix.tag }} Security-Vulnerabilities Check
steps:
- name: Checkout Ed-Fi-ODS
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
with:
repository: Ed-Fi-Alliance-OSS/Ed-Fi-ODS
path: Ed-Fi-ODS/
ref: ${{ matrix.tag }}
- name: Execute vulnerability
working-directory: ./Ed-Fi-ODS/
run: |
$slnFiles = Get-ChildItem -Path . -Filter "*.sln" -Recurse | Where-Object { $_.Name -ne "EdFi.ProjectTemplates.sln" }
foreach ($file in $slnFiles) {
dotnet restore $file.FullName | Out-Null
dotnet list $file.FullName package --vulnerable 2>&1 | Tee-Object -FilePath "build.log" -Append | Out-Null
}
# Analyze dotnet list package command log output
$logContent = Get-Content -Path "build.log" -Raw
# Check for vulnerabilities in the log output
if ($logContent -match "critical|high") {
Write-Error "Security Vulnerabilities found"
exit 1
}
shell: pwsh
- name: Upload vulnerability Artifacts
if: success() || failure()
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: vulnerability-report-${{ matrix.tag }}-Artifacts
path: ${{ github.workspace }}/Ed-Fi-ODS/build.log