How to check vulnerabilities in the API

There are two dependency analysis tools used in the API: Trivy and Dependency-Check-Gradle.

These are automatically run on the main branch in CircleCI once every weekday, at 05:11. However, these can also be run locally or manually triggered on any branch in CircleCI.

Check locally

To run a Trivy scan locally, run:

script/trivy_scan

To run the Gradle dependency check locally, run:

./gradlew dependencyCheckAnalyze

Triggered check on CircleCI

To trigger a check on CircleCI:

Select your branch on the dropdown on the CircleCI dashboard.
Press the Trigger Pipeline button.
Expand the Add Parameters (optional) section.
Set the parameter type to boolean, the name to run-security-workflow-on-branch, and the value to true.
Press the Trigger Pipeline button.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

check-vulnerabilities.md

check-vulnerabilities.md

How to check vulnerabilities in the API

Check locally

Triggered check on CircleCI

Files

check-vulnerabilities.md

Latest commit

History

check-vulnerabilities.md

File metadata and controls

How to check vulnerabilities in the API

Check locally

Triggered check on CircleCI