Skip to content
Latchkey

Adding OWASP Dependency-Check to GitHub Actions

Scan project dependencies against the NVD with OWASP Dependency-Check in CI.

OWASP Dependency-Check matches your libraries against the National Vulnerability Database. It is thorough but needs an NVD API key to avoid painfully slow database updates. The dependency-check action runs the scan and produces HTML/JSON/SARIF reports.

What you need

  • An NVD_API_KEY secret (request one free from the NVD).
  • The dependency-check/Dependency-Check_Action.
  • A path to scan and a report format.

The workflow

Scan the project and fail above a CVSS threshold.

.github/workflows/ci.yml
- uses: dependency-check/Dependency-Check_Action@main
  with:
    project: my-app
    path: .
    format: SARIF
    args: >-
      --nvdApiKey ${{ secrets.NVD_API_KEY }}
      --failOnCVSS 7

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reports/dependency-check-report.sarif

Common gotchas

  • Without an NVD API key the first run can take 20+ minutes downloading the database.
  • Cache the NVD data directory between runs so updates are incremental.
  • failOnCVSS 7 blocks on high severity; lower it cautiously to avoid noise.

Key takeaways

  • Dependency-Check matches libraries against the NVD.
  • An NVD_API_KEY is essential to avoid 20-minute DB updates.
  • Cache the NVD data dir for incremental updates.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →