SasanLabs · vanye-wadawasina-alida · Jan 30, 2025 · Jan 30, 2025 · Jan 30, 2025 · Jan 30, 2025
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,59 @@
+name: Dependency Security Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  dependency-check:
+    name: OWASP Dependency Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      ## 🔹 Java 8 (Spring Boot) Dependency Check
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '8'
+
+      - name: Run OWASP Dependency Check for Java (Spring Boot)
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: "VulnerableApp Java Dependencies"
+          path: "./"
+          format: "HTML"
+          output: "dependency-check-report"
+          failOnCVSS: 7  # Fail build if vulnerabilities CVSS >= 7
+
+      - name: Upload Java Dependency Check Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: Java-Dependency-Check-Report
+          path: dependency-check-report
+
+      ## 🔹 ReactJS / JavaScript / TypeScript Dependency Check
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - name: Install Dependencies
+        run: npm install
+
+      - name: Run NPM Audit (Detect Vulnerabilities)
+        run: npm audit --audit-level=high || true  # Ensures it doesn't fail the pipeline
+
+      - name: Save NPM Audit Report
+        run: npm audit --json > npm-audit-report.json
+
+      - name: Upload NPM Audit Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: NPM-Audit-Report
+          path: npm-audit-report.json