From 86b8afb7618e0bee4d238493b0a03e84ec85cdd0 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 8 Jun 2026 16:51:26 +0100 Subject: [PATCH] workflows: refactor osv-scanner workflows When I implemented the OSV scanner I followed the guidance in the action repo to use a single workflow for both PR and main tests and rely on a re-usable workflow. Since then I've realised some negatives of this approach: - Unlike actions, dependabot needs custom logic to bump workflow pins, so we are more likely to be out of date - A lack of transparency/notification of when updates are needed, due to bugs/ security fixes - The dual workflow results in skipped jobs that clutter the UI - No ability to customise the pre-steps, or config As such let's take the hit of managing two workflows, in order to give us better flexibility. Also add the `--call-analysis=none` option as we run govulncheck separately, so don't want to have to compile and have a slow build Signed-off-by: stevenhorsman Generated-By: IBM Bob --- .github/workflows/osv-scanner-pr.yaml | 102 +++++++++++++++++++ .github/workflows/osv-scanner-scheduled.yaml | 62 +++++++++++ .github/workflows/osv-scanner.yaml | 49 --------- 3 files changed, 164 insertions(+), 49 deletions(-) create mode 100644 .github/workflows/osv-scanner-pr.yaml create mode 100644 .github/workflows/osv-scanner-scheduled.yaml delete mode 100644 .github/workflows/osv-scanner.yaml diff --git a/.github/workflows/osv-scanner-pr.yaml b/.github/workflows/osv-scanner-pr.yaml new file mode 100644 index 0000000000..e8bc4ff432 --- /dev/null +++ b/.github/workflows/osv-scanner-pr.yaml 
@@ -0,0 +1,102 @@
+# OSV-Scanner check for pull requests.
+# Scans both base and PR branches, then compares to detect new vulnerabilities.
+#
+# For more information, see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner (PR)
+
+on:
+ pull_request:
+ branches: [ "main" ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number }}-osv-scanner-pr
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ scan:
+ name: Scan PR changes
+ runs-on: ubuntu-24.04
+ permissions:
+ actions: read # Required to upload SARIF file to CodeQL
+ contents: read # Read commit contents
+ security-events: write # Require writing security events to upload SARIF file to security tab
+ steps:
+ - name: Checkout base branch
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ ref: ${{ github.event.pull_request.base.ref }}
+ persist-credentials: false
+
+ - name: Scan base branch
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --config=osv-scanner.toml
+ --recursive
+ --call-analysis=none
+ --format=json
+ --output-file=base-results.json
+ ./
+
+ - name: Upload base results
+ if: always()
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ with:
+ name: base-results
+ path: base-results.json
+ if-no-files-found: warn
+ retention-days: 1
+
+ - name: Checkout PR branch
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Scan PR branch
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --config=osv-scanner.toml
+ --recursive
+ --call-analysis=none
+ --format=json
+ --output-file=pr-results.json
+ ./
+
+ - name: Download base results
+ if: always()
+ uses: 
actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: base-results
+ continue-on-error: true
+
+ - name: Create empty base results if missing
+ if: always()
+ run: |
+ if [ ! -f base-results.json ]; then
+ echo "Base results not found, creating empty file"
+ echo '{"results": []}' > base-results.json
+ fi
+
+ - name: Compare results
+ uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ --output=results.sarif
+ --old=base-results.json
+ --new=pr-results.json
+ --gh-annotations=true
+ --fail-on-vuln=true
+
+ - name: Upload SARIF results
+ if: always()
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+ with:
+ sarif_file: results.sarif
+ category: osv-scanner-pr
diff --git a/.github/workflows/osv-scanner-scheduled.yaml b/.github/workflows/osv-scanner-scheduled.yaml
new file mode 100644
index 0000000000..572c2e55e7
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yaml
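Review bot: The PR-branch scan reads `--config=osv-scanner.toml` from the checkout of `github.event.pull_request.head.sha`, so a pull request that also edits `osv-scanner.toml` (for instance adding ignore entries) can make the compare step report no new findings, and nothing in this workflow guards against that. If the config is meant to be a maintainer-controlled gate, keep the base-branch copy of it for the PR scan (it could travel in the same `base-results` artifact and be restored before the second scan) or put the file under CODEOWNERS, and record the caveat in the header comment, e.g. `# NOTE: osv-scanner.toml is taken from the PR head; review edits to it as part of this check`. Separately, in the "Download base results" step `continue-on-error: true` appears after `name: base-results` under `with:`; indentation is not recoverable in this view, but if it is nested as an action input rather than a step key the step will fail whenever the base upload produced no artifact (`if-no-files-found: warn`), and the "Create empty base results if missing" fallback will never run, so it is worth confirming it sits at step level as it does in the two scan steps.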
@@ -0,0 +1,62 @@
+# Periodic OSV-Scanner scanning for vulnerabilities in the whole repository.
+# Runs on push to main, on schedule, and can be manually triggered.
+#
+# For more information, see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner (Scheduled)
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 1 * * 0' # Weekly on Sunday at 1 AM UTC
+ push:
+ branches: [ "main" ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}-osv-scanner-scheduled
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ scan:
+ name: Scan whole repository
+ runs-on: ubuntu-24.04
+ permissions:
+ actions: read # Required to upload SARIF file to CodeQL
+ contents: read # Read commit contents
+ security-events: write # Require writing security events to upload SARIF file to security tab
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+
+ - name: Run OSV-Scanner (display results)
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ --config=osv-scanner.toml
+ --recursive
+ --call-analysis=none
+ ./
+
+ - name: Run OSV-Scanner (generate SARIF)
+ if: always()
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --config=osv-scanner.toml
+ --recursive
+ --call-analysis=none
+ --format=sarif
+ --output-file=results.sarif
+ ./
+
+ - name: Upload SARIF results
+ if: always()
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+ with:
+ sarif_file: results.sarif
+ category: osv-scanner-scheduled
diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml
deleted file mode 100644
index 3158df9502..0000000000
--- a/.github/workflows/osv-scanner.yaml
+++ /dev/null
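Review bot: The reason for `--call-analysis=none` exists only in the commit message, so the workflow itself should state it next to the scan-args before someone "restores" call analysis for better precision, e.g. `# Call analysis is covered by govulncheck, which runs separately; skipping it here avoids compiling the tree on every scan`. The first scan step has no `continue-on-error`, which appears deliberate (findings on main fail the job and that is the notification the commit message asks for) while the SARIF scan does have it; a one-line comment on the first step saying so would stop a later reader from "harmonising" the two. Finally, `if: always()` on the SARIF steps also fires when the run is cancelled, and the concurrency group cancels an in-progress run on each push to main, so `if: ${{ !cancelled() }}` keeps the intended "upload even if the display scan failed" behaviour without uploading from a cancelled job.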
@@ -1,49 +0,0 @@
-# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
-# in addition to a PR check which fails if new vulnerabilities are introduced.
-#
-# For more examples and options, including how to ignore specific vulnerabilities,
-# see https://google.github.io/osv-scanner/github-action/
-
-name: OSV-Scanner
-
-on:
- workflow_dispatch:
- pull_request:
- branches: [ "main" ]
- schedule:
- - cron: '0 1 * * 0'
- push:
- branches: [ "main" ]
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-osv-scanner
- cancel-in-progress: true
-
-permissions: {}
-
-jobs:
- scan-scheduled:
- name: Scan of whole repo
- permissions:
- actions: read # # Required to upload SARIF file to CodeQL
- contents: read # Read commit contents
- security-events: write # Require writing security events to upload SARIF file to security tab
- if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
- with:
- scan-args: |-
- -r
- ./
- scan-pr:
- name: Scan of just PR code
- permissions:
- actions: read # Required to upload SARIF file to CodeQL
- contents: read # Read commit contents
- security-events: write # Require writing security events to upload SARIF file to security tab
- if: ${{ github.event_name == 'pull_request' }}
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
- with:
- # Example of specifying custom arguments
- scan-args: |-
- -r
- ./