docs: document github action caching (#6301)

jeremylong · Dec 15, 2023 · fcbf70f · fcbf70f
1 parent 15e6413
commit fcbf70f
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 0 deletions.
diff --git a/src/site/markdown/data/cache-action.md b/src/site/markdown/data/cache-action.md
@@ -0,0 +1,67 @@
+GitHub Action
+----------------
+
+The following is an example of how one could cache the data directory using GitHub Actions.
+Note that this configuration is setup for Maven but could be altered to support gradle or
+even the CLI.
+
+**WARNING** this configuration uses a single API key configured in secrets. If multiple actions
+use the same API Key you could hit the NVD rate limits.
+
+
+```yaml
+name: Vulnerability Scan
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  owasp-scan:
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: 'adopt'
+          server-id: github
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+          cache: 'maven'
+
+      - name: Get Date
+        id: get-date
+        run: |
+          echo "datetime=$(/bin/date -u "+%Y%m%d%H")" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Restore cached Maven dependencies
+        uses: actions/cache/restore@v3
+        with:
+          path: ~/.m2/repository
+          # Using datetime in cache key as OWASP database may change, without the pom changing
+          key: ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}
+            ${{ runner.os }}-maven-
+            
+      - name: Build & scan
+        id: scan
+        run: |
+          mvn --no-transfer-progress clean package -DskipTests -DnvdApiKey=${{secrets.nvdApiKey}} -DskipITs -Dmax.cvss.score=8 \
+            org.owasp:dependency-check-maven:check -l ${{github.workspace}}/mvn-output.txt 
+        env:
+          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME}}
+          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD}}
+
+     - name: Cache Maven dependencies
+        uses: actions/cache/save@v3
+        if: always()
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}
+```
diff --git a/src/site/markdown/data/index.md b/src/site/markdown/data/index.md
@@ -22,6 +22,7 @@ have a few options:
 2. [Mirror the NVD](./mirrornvd.html) locally within your organization
 3. Build the H2 database on one node and [cache the H2 database](./cacheh2.md).
 4. Use a more robust [centralized database](./database.html) with a single update node
+5. In GitHub Actions utilize the cache action; [example here](./cache-action.md).
 
 ## CISA Known Exploited Vulnerabilities