Implementing Comprehensive Dependency Scanning
Effective dependency scanning requires multiple complementary approaches. Static scanning analyzes dependency manifests to identify known vulnerabilities. Dynamic analysis examines actual dependency behavior during runtime. License scanning ensures compliance with organizational policies. Each scanning type provides unique insights into dependency risks.
```yaml
# GitHub Actions comprehensive dependency scanning workflow
name: Dependency Security Analysis

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Daily vulnerability check
    - cron: '0 9 * * *'

# Least privilege by default; jobs that need more request it explicitly
permissions:
  contents: read

jobs:
  # Multi-language dependency scanning
  dependency-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # dependency-review-action comments on PRs
    strategy:
      matrix:
        include:
          - language: javascript
            directory: ./frontend
          - language: python
            directory: ./backend
          - language: java
            directory: ./services
          - language: go
            directory: ./tools
    steps:
      - uses: actions/checkout@v3

      # `uses:` does not accept expressions, so each toolchain gets its own
      # conditional setup step selected by the matrix language
      - name: Set up Node.js
        if: matrix.language == 'javascript'
        uses: actions/setup-node@v3
        with:
          node-version: 'lts/*'
      - name: Set up Python
        if: matrix.language == 'python'
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      - name: Set up Java
        if: matrix.language == 'java'
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Set up Go
        if: matrix.language == 'go'
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'

      # OWASP Dependency Check
      - name: Run OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'myproject-${{ matrix.language }}'
          path: '${{ matrix.directory }}'
          format: 'ALL'
          args: >
            --enableRetired
            --enableExperimental
            --suppression suppression.xml

      # Snyk vulnerability scanning
      - name: Run Snyk scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          cd ${{ matrix.directory }}
          npx snyk test --all-projects --detection-depth=6
          npx snyk monitor --all-projects

      # GitHub native dependency review: diffs the dependency graph between
      # base and head, so it only applies to pull requests
      - name: Dependency review
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: high

      # License compliance checking
      - name: License Scanner
        uses: fossas/fossa-action@main
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
          path: ${{ matrix.directory }}

  # Software Bill of Materials generation
  sbom-generation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          path: "."
          output-file: "sbom.spdx.json"
          format: "spdx-json"

      - name: Generate CycloneDX SBOM
        run: |
          # Install the cdxgen generator
          npm install -g @cyclonedx/cdxgen
          # Generate SBOMs for different package managers
          cdxgen -o sbom-npm.json -t npm .
          cdxgen -o sbom-pip.json -t pip .
          cdxgen -o sbom-maven.json -t maven .
          # Merge SBOMs with the CycloneDX CLI (cyclonedx-cli), which is a
          # separate binary assumed to be on PATH
          cyclonedx merge --input-files sbom-*.json --output-file sbom-complete.json

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Sign SBOM
        env:
          # The signing key is read from a secret, never from a file in the repo
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          # Sign SBOM for integrity verification; --yes skips the interactive
          # transparency-log prompt that would otherwise block a CI runner
          cosign sign-blob sbom-complete.json \
            --key env://COSIGN_PRIVATE_KEY \
            --output-signature sbom-complete.sig \
            --yes

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v3
        with:
          name: sbom-artifacts
          path: |
            sbom.spdx.json
            sbom-complete.json
            sbom-complete.sig

  # Dependency update automation
  dependency-updates:
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule'
    permissions:
      contents: write        # push update branches
      pull-requests: write   # open the security update PRs
    steps:
      - uses: actions/checkout@v3

      - name: Check for updates
        id: updates
        env:
          RENOVATE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Use renovate in dry-run mode
          npx renovate --dry-run --print-config > renovate-report.json
          # Parse critical updates
          python3 scripts/parse_renovate_report.py \
            --input renovate-report.json \
            --output critical-updates.json

      - name: Create update PRs
        env:
          # Passed through the environment rather than argv so the token does
          # not show up in process listings or step logs
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Create PRs for critical security updates
          python3 scripts/create_security_prs.py \
            --updates critical-updates.json \
            --github-token "$GITHUB_TOKEN"
```
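The "Merge SBOMs" step above hands the per-package-manager CycloneDX documents to the CycloneDX CLI. The following is an added example, not code from the page or from the CycloneDX project, that makes the merge rule explicit in Python: components are deduplicated by package URL, each document's `bom-ref` values are rewritten onto that shared identity so dependency edges from different generators line up, and the edges are unioned. The three sample BOMs are constructed inline (the component names and refs are illustrative, not taken from any real scan).

```python
# Added example (not from the original page): a minimal CycloneDX JSON merge
# equivalent to the workflow's `cyclonedx merge` step, with explicit rules.


def component_key(comp):
    """Identity used for deduplication: the purl, else name@version."""
    return comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}"


def merge_sboms(boms):
    """Merge CycloneDX JSON documents (already parsed to dicts) into one BOM."""
    components, dependencies = {}, {}
    for bom in boms:
        # Map this document's bom-refs onto the shared key so that edges from
        # two generators naming the same package end up on one node.
        ref_map = {}
        for comp in bom.get("components", []):
            key = component_key(comp)
            ref_map[comp.get("bom-ref", key)] = key
            if key not in components:            # first occurrence wins
                components[key] = {**comp, "bom-ref": key}
        for dep in bom.get("dependencies", []):
            ref = ref_map.get(dep["ref"], dep["ref"])
            edges = dependencies.setdefault(ref, set())
            edges.update(ref_map.get(d, d) for d in dep.get("dependsOn", []))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": list(components.values()),
        "dependencies": [{"ref": r, "dependsOn": sorted(e)}
                         for r, e in sorted(dependencies.items())],
    }


# Constructed sample inputs standing in for cdxgen's per-ecosystem output.
# lodash appears in two documents with different bom-refs, as happens when
# two generators see the same package; the merge must collapse it to one.
LODASH = "pkg:npm/lodash@4.17.21"
SAMPLE_BOMS = [
    {"components": [{"type": "library", "name": "lodash", "version": "4.17.21",
                     "purl": LODASH, "bom-ref": LODASH}],
     "dependencies": [{"ref": "app", "dependsOn": [LODASH]}]},
    {"components": [{"type": "library", "name": "lodash", "version": "4.17.21",
                     "purl": LODASH, "bom-ref": "lodash-1"}],
     "dependencies": [{"ref": "lodash-1", "dependsOn": []}]},
    {"components": [{"type": "library", "name": "requests", "version": "2.31.0",
                     "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "req-1"},
                    {"type": "library", "name": "urllib3", "version": "2.0.7",
                     "purl": "pkg:pypi/urllib3@2.0.7", "bom-ref": "url-1"}],
     "dependencies": [{"ref": "req-1", "dependsOn": ["url-1"]}]},
]
```

Calling `merge_sboms(SAMPLE_BOMS)` yields three components and a dependency list whose refs are all purls, which is what a downstream vulnerability matcher needs to join against advisory data.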