workflows: refactor osv-scanner workflows
When I implemented the OSV scanner I followed the guidance in the action repo to use a single workflow for both PR and main tests and rely on a re-usable workflow. Since then I've realised some negatives of this approach: - Unlike actions, dependabot needs custom logic to bump workflow pins, so we are more likely to be out of date - A lack of transparency/notification of when updates are needed, due to bugs/security fixes - The dual workflow results in skipped jobs that clutter the UI - No ability to customise the pre-steps, or config As such let's take the hit of managing two workflows, in order to give us better flexibility. Also add the `--call-analysis=none` option as we run govulncheck separately, so don't want to have to compile and have a slow build Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
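--- /dev/null
+++ b/.github/workflows/osv-scanner-pr.yaml
@@ -0,0 +1,102 @@
+# OSV-Scanner check for pull requests.
+# Scans both base and PR branches, then compares to detect new vulnerabilities.
+#
+# For more information, see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner (PR)
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}-osv-scanner-pr
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  scan:
+    name: Scan PR changes
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: read # Required to upload SARIF file to CodeQL
+      contents: read # Read commit contents
+      security-events: write # Require writing security events to upload SARIF file to security tab
+    steps:
+      - name: Checkout base branch
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          persist-credentials: false
+
+      - name: Scan base branch
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        continue-on-error: true
+        with:
+          scan-args: |-
+            --config=osv-scanner.toml
+            --recursive
+            --call-analysis=none
+            --format=json
+            --output-file=base-results.json
+            ./
+
+      - name: Upload base results
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: base-results
+          path: base-results.json
+          if-no-files-found: warn
+          retention-days: 1
+
+      - name: Checkout PR branch
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+
+      - name: Scan PR branch
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        continue-on-error: true
+        with:
+          scan-args: |-
+            --config=osv-scanner.toml
+            --recursive
+            --call-analysis=none
+            --format=json
+            --output-file=pr-results.json
+            ./
+
+      - name: Download base results
+        if: always()
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: base-results
+        continue-on-error: true
+
+      - name: Create empty base results if missing
+        if: always()
+        run: |
+          if [ ! -f base-results.json ]; then
+            echo "Base results not found, creating empty file"
+            echo '{"results": []}' > base-results.json
+          fi
+
+      - name: Compare results
+        uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        with:
+          scan-args: |-
+            --output=results.sarif
+            --old=base-results.json
+            --new=pr-results.json
+            --gh-annotations=true
+            --fail-on-vuln=true
+
+      - name: Upload SARIF results
+        if: always()
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          sarif_file: results.sarif
+          category: osv-scanner-pr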
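Review bot: The `Create empty base results if missing` fallback changes what the comparison means and nothing in the file says so: with an empty `--old`, the reporter treats every finding in the PR branch as new, so a base scan that fails for an unrelated reason (scanner error, network) fails the PR under `--fail-on-vuln=true` on pre-existing vulnerabilities rather than hiding findings. That is the right fail-closed choice, but it will look like a false positive to contributors, so a comment on that `run:` step such as `# An empty base means every PR finding is reported as new: a base-scan failure fails the PR instead of hiding findings` would make it deliberate. Note also that `--config=osv-scanner.toml` is new relative to the removed workflow, which passed only `-r ./`; whether that file exists at the repository root is not visible here, and if it does not, both scans would exit under `continue-on-error` and the `Compare results` step would fail on a missing `pr-results.json`, which is safe but confusing.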
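--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yaml
@@ -0,0 +1,62 @@
+# Periodic OSV-Scanner scanning for vulnerabilities in the whole repository.
+# Runs on push to main, on schedule, and can be manually triggered.
+#
+# For more information, see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner (Scheduled)
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 1 * * 0' # Weekly on Sunday at 1 AM UTC
+  push:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-osv-scanner-scheduled
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  scan:
+    name: Scan whole repository
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: read # Required to upload SARIF file to CodeQL
+      contents: read # Read commit contents
+      security-events: write # Require writing security events to upload SARIF file to security tab
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run OSV-Scanner (display results)
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        with:
+          scan-args: |-
+            --config=osv-scanner.toml
+            --recursive
+            --call-analysis=none
+            ./
+
+      - name: Run OSV-Scanner (generate SARIF)
+        if: always()
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        continue-on-error: true
+        with:
+          scan-args: |-
+            --config=osv-scanner.toml
+            --recursive
+            --call-analysis=none
+            --format=sarif
+            --output-file=results.sarif
+            ./
+
+      - name: Upload SARIF results
+        if: always()
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          sarif_file: results.sarif
+          category: osv-scanner-scheduled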
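Review bot: The two `osv-scanner-action` steps scan the repository with identical arguments and differ only in `--format=sarif`/`--output-file` and in `continue-on-error`, and nothing in the file says why, so a later reader is likely to collapse them into one. As far as I know osv-scanner exits non-zero when it finds vulnerabilities, which is presumably why the second step carries `continue-on-error: true` and `if: always()`: the first run prints findings in the job log and fails the job on any known vulnerability in `main` (so on the `push` trigger every push fails while a finding is open), while the second exists only to produce `results.sarif` for the security tab. A comment above `Run OSV-Scanner (display results)` such as `# Scanned twice on purpose: this run prints a table and fails the job on any finding; the next run never fails and only produces the SARIF` would record that intent.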
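--- a/.github/workflows/osv-scanner.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
-# in addition to a PR check which fails if new vulnerabilities are introduced.
-#
-# For more examples and options, including how to ignore specific vulnerabilities,
-# see https://google.github.io/osv-scanner/github-action/
-
-name: OSV-Scanner
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [ "main" ]
-  schedule:
-    - cron: '0 1 * * 0'
-  push:
-    branches: [ "main" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-osv-scanner
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  scan-scheduled:
-    name: Scan of whole repo
-    permissions:
-      actions: read # # Required to upload SARIF file to CodeQL
-      contents: read # Read commit contents
-      security-events: write # Require writing security events to upload SARIF file to security tab
-    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
-    with:
-      scan-args: |-
-        -r
-        ./
-  scan-pr:
-    name: Scan of just PR code
-    permissions:
-      actions: read # Required to upload SARIF file to CodeQL
-      contents: read # Read commit contents
-      security-events: write # Require writing security events to upload SARIF file to security tab
-    if: ${{ github.event_name == 'pull_request' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
-    with:
-      # Example of specifying custom arguments
-      scan-args: |-
-        -r
-        ./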