# the benefit of this over dependabot is that this also analyzes transitive dependencies # while dependabot (at least currently) only analyzes top-level dependencies name: OWASP dependency check (daily) on: schedule: # daily at 1:30 UTC - cron: "30 1 * * *" workflow_dispatch: jobs: analyze: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Set up Java 11 uses: actions/setup-java@v3 with: distribution: temurin java-version: 11 - uses: gradle/gradle-build-action@v2 with: arguments: ":javaagent:dependencyCheckAnalyze" - name: Upload report if: always() uses: actions/upload-artifact@v3 with: path: javaagent/build/reports