Scanning for Maven Security Vulnerabilities using GitHub Actions
In this lesson, I'm going to set up scanning for security vulnerabilities in Maven dependencies. The scans will run on every push to every branch using GitHub Actions. I will be leveraging this library.
The assumption is that you have a Maven project set up and some basic understanding of Maven. The first step is to build your JAR:
Your package should build without any issues. Next, you can try the security check:
This check may or may not return issues.
You should have access to GitHub Actions (as of writing, it's in private beta). You will need to create a new workflow file. You can run this command from your project's root directory:
The contents should start as this:
Commit that to your master branch. You may have to commit another file to run it. Verify it runs as expected.
Your GitHub Actions pipeline should now run as expected.
Running the Security Check Locally
We will run the security check with its output redirected into a file. We will then grep that file for the phrase "is vulnerable to". If it matches, the script exits with an error so the job fails. This can all be done and tested locally.
Create a folder called scripts and a subfolder called pipeline.
Create an initial script file in it.
The contents will be as follows:
You can run it with:
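The grep gate described above, as an added example rather than the lesson's own script. The command that produces the log is not named on this page, so it is left as a placeholder comment; the sample log lines are constructed, and the file name security_checks_log.txt is the one the lesson uses.

```shell
#!/bin/sh
# Added example: gate a build on the security check's captured output.
# Exit status 0 = no vulnerable dependency reported, 1 = at least one reported,
# 2 = log file missing (a missing log must never pass silently).

PATTERN="is vulnerable to"

check_log() {
  log="$1"
  [ -r "$log" ] || { echo "ERROR: log file '$log' not found" >&2; return 2; }
  # grep -c prints 0 and returns 1 on no match; '|| true' keeps 'set -e' happy.
  hits=$(grep -c "$PATTERN" "$log" || true)
  if [ "$hits" -gt 0 ]; then
    echo "FAIL: $hits vulnerable dependency line(s) in $log" >&2
    grep "$PATTERN" "$log" >&2
    return 1
  fi
  echo "OK: no '$PATTERN' lines in $log"
  return 0
}

# Constructed sample logs so the gate can be exercised offline.
# $1 = path, $2 = "clean" or "vuln". The BUILD SUCCESS line is there on purpose:
# the build itself can succeed while still reporting a vulnerable dependency,
# which is why the output is grepped instead of trusting the build status.
make_sample_log() {
  {
    echo "[INFO] Checking 12 dependencies against the vulnerability database"
    if [ "$2" = "vuln" ]; then
      echo "[WARNING] org.example:legacy-lib:1.0.0 is vulnerable to PLACEHOLDER-ADVISORY-ID"
    fi
    echo "[INFO] BUILD SUCCESS"
  } > "$1"
}

# Pipeline usage (security-check command is a placeholder, not named on the page):
#   <security-check command> > security_checks_log.txt 2>&1
#   cat security_checks_log.txt
#   check_log security_checks_log.txt
```

Run it in the workflow step after the security check so that a non-zero exit fails the job.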
The next step is to update the workflow to run it.
I'm going to add a known-vulnerable dependency on purpose. Don't forget to remove it afterwards. Add this to your pom.xml:
I removed the cat security_checks_log.txt temporarily. I ran the script locally.
Since the script detects it locally, we need to confirm that the workflow fails too, which avoids shipping an insecure JAR. Push to your remote branch.
Don't forget to remove the insecure dependency.
And that's it! You're all set up to catch security vulnerabilities in your Maven dependencies. This is a simple, helpful layer to avoid known issues. I have lots more lessons on GitHub Actions; check them out! Thanks for reading!