Adding OWASP Dependency-Check to GitHub Actions
Scan project dependencies against the NVD with OWASP Dependency-Check in CI.
OWASP Dependency-Check matches your libraries against the National Vulnerability Database. It is thorough but needs an NVD API key to avoid painfully slow database updates. The dependency-check action runs the scan and produces HTML/JSON/SARIF reports.
What you need
- An NVD_API_KEY secret (request one free from the NVD).
- The dependency-check/Dependency-Check_Action.
- A path to scan and a report format.
The workflow
Scan the project and fail above a CVSS threshold.
.github/workflows/ci.yml
- uses: dependency-check/Dependency-Check_Action@main
with:
project: my-app
path: .
format: SARIF
args: >-
--nvdApiKey ${{ secrets.NVD_API_KEY }}
--failOnCVSS 7
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: reports/dependency-check-report.sarifCommon gotchas
- Without an NVD API key the first run can take 20+ minutes downloading the database.
- Cache the NVD data directory between runs so updates are incremental.
- failOnCVSS 7 blocks on high severity; lower it cautiously to avoid noise.
Key takeaways
- Dependency-Check matches libraries against the NVD.
- An NVD_API_KEY is essential to avoid 20-minute DB updates.
- Cache the NVD data dir for incremental updates.
Related guides
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…
Running pip-audit in GitHub ActionsAudit Python dependencies for vulnerabilities with pip-audit in GitHub Actions, scan requirements or the envi…