From f363ac8ba306f17215baa099a0b3cece74396a0b Mon Sep 17 00:00:00 2001
From: Thomas Pierce
Date: Wed, 18 Mar 2026 13:52:27 -0700
Subject: [PATCH] add OSS Index authentication to dependency-check

Sonatype OSS Index now requires authentication. Without credentials, dependency-check fails with exit code 14 due to rate limiting.
---
 .github/workflows/daily-scan.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml
index 1511d98d..77f9668b 100644
--- a/.github/workflows/daily-scan.yml
+++ b/.github/workflows/daily-scan.yml
@@ -54,11 +54,13 @@ jobs:
 role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
 aws-region: ${{ env.AWS_DEFAULT_REGION }}

- - name: Get NVD API key for dependency scan
+ - name: Get secrets for dependency scan
 uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
 id: nvd_api_key
 with:
- secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+ secret-ids: |
+ ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+ OSS_INDEX, ${{ secrets.OSS_INDEX_SECRET_ARN }}
 parse-json-secrets: true

 # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
@@ -72,7 +74,7 @@ jobs:
 curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
 gpg --verify dependency-check.zip.asc
 unzip dependency-check.zip
- ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "."
+ ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} -s "."

 - name: Print dependency scan results on failure
 if: ${{ steps.dep_scan.outcome != 'success' }}
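Review bot: The step id `id: nvd_api_key` is now a misnomer, since the step fetches the OSS Index credentials as well, and nothing in the workflow states what shape the `OSS_INDEX` secret must have for the `OSS_INDEX_USERNAME` / `OSS_INDEX_PASSWORD` names used later in the `dep_scan` step to exist. Rename the id only if no other step references `steps.nvd_api_key` (that cannot be confirmed from this hunk), but in either case add a comment above the new alias line such as `# OSS_INDEX secret is JSON; its keys are exported as OSS_INDEX_<KEY> and consumed by the --ossIndex* flags in the dep_scan step`. The exact key-to-env-var transformation is done by the action and is not visible here, so verify the resulting names against a dry run rather than assuming them.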
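Review bot: The new `--ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }}` arguments template the credential text directly into the shell script of the `run:` block, so any shell metacharacter in the password (space, `$`, quote, backtick) silently alters or breaks the command instead of being passed as a value. Since the secrets step already exports these as environment variables, reference them from the shell with quoting, `--ossIndexUsername "$OSS_INDEX_USERNAME" --ossIndexPassword "$OSS_INDEX_PASSWORD"`, which also keeps the secret out of the rendered script; the pre-existing `--nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }}` has the same issue and could be changed the same way. Note that a password given as a command-line argument is visible to any other process on the runner for the duration of the scan; if that matters, dependency-check can read the same settings from a `--propertyfile` instead. The `run: |` block and its step header start before this hunk.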