Make dependency scan skip when NVD key is absent

Author: DemchaAV

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
       - main
       - develop
   pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * 1"
 
 jobs:
   build-test:
@@ -111,6 +114,7 @@ jobs:
   dependency-scan:
     name: Dependency Vulnerability Scan
     runs-on: ubuntu-latest
+    timeout-minutes: 25
     env:
       NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 
@@ -128,20 +132,21 @@ jobs:
       - name: Make Maven Wrapper executable
         run: chmod +x mvnw
 
+      - name: Skip scan when NVD API key is not configured
+        if: ${{ env.NVD_API_KEY == '' }}
+        run: echo "::notice::Skipping OWASP Dependency-Check because NVD_API_KEY is not configured."
+
       - name: Run OWASP Dependency-Check
+        if: ${{ env.NVD_API_KEY != '' }}
         shell: bash
         run: |
-          EXTRA_ARGS=""
-          if [[ -n "${NVD_API_KEY}" ]]; then
-            EXTRA_ARGS="-DnvdApiKey=${NVD_API_KEY}"
-          fi
           ./mvnw -B -ntp org.owasp:dependency-check-maven:check \
             -Dformats=HTML,XML \
             -DprettyPrint=true \
-            ${EXTRA_ARGS}
+            -DnvdApiKey="${NVD_API_KEY}"
 
       - name: Upload dependency-check reports
-        if: always()
+        if: ${{ always() && env.NVD_API_KEY != '' }}
         uses: actions/upload-artifact@v4
         with:
           name: dependency-check-report