Merge pull request #13189 from stevenhorsman/osv-scanner-refactor

workflows: refactor osv-scanner workflows
Hyounggyu Choi
2026-06-12 12:04:12 +02:00
committed by GitHub
3 changed files with 164 additions and 49 deletions

.github/workflows/osv-scanner-pr.yaml vendored Normal file

@@ -0,0 +1,102 @@
# OSV-Scanner check for pull requests.
# Scans both base and PR branches, then compares to detect new vulnerabilities.
#
# For more information, see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner (PR)
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}-osv-scanner-pr
cancel-in-progress: true
permissions: {}
jobs:
scan:
name: Scan PR changes
runs-on: ubuntu-24.04
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
steps:
- name: Checkout base branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: ${{ github.event.pull_request.base.ref }}
persist-credentials: false
- name: Scan base branch
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=json
--output-file=base-results.json
./
- name: Upload base results
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: base-results
path: base-results.json
if-no-files-found: warn
retention-days: 1
- name: Checkout PR branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Scan PR branch
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=json
--output-file=pr-results.json
./
- name: Download base results
if: always()
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: base-results
continue-on-error: true
- name: Create empty base results if missing
if: always()
run: |
if [ ! -f base-results.json ]; then
echo "Base results not found, creating empty file"
echo '{"results": []}' > base-results.json
fi
- name: Compare results
uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--output=results.sarif
--old=base-results.json
--new=pr-results.json
--gh-annotations=true
--fail-on-vuln=true
- name: Upload SARIF results
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif
category: osv-scanner-pr
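Review bot: The "Compare results" step has no `if:` condition, so it is skipped whenever "Download base results" fails (the base artifact does not exist when the base scan wrote no file, because `if-no-files-found: warn` creates nothing), and "Upload SARIF results" then fails on a missing results.sarif instead of the comparison being reported. The rendered page has lost indentation, so I cannot tell whether the `continue-on-error: true` after `name: base-results` sits at step level or under `with:`; if it is under `with:` it is an unknown input and has no effect, so the download step should carry `continue-on-error: true` between `if: always()` and `uses:` exactly as the two scan steps do, which makes the "Create empty base results if missing" fallback actually reachable. Separately, the PR-branch scan reads `--config=osv-scanner.toml` from the PR head checkout, so a PR that edits that file also changes which findings are ignored by this check; worth a comment such as `# osv-scanner.toml comes from the PR head: review changes to its ignore list (e.g. via CODEOWNERS)` on that step.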


@@ -0,0 +1,62 @@
# Periodic OSV-Scanner scanning for vulnerabilities in the whole repository.
# Runs on push to main, on schedule, and can be manually triggered.
#
# For more information, see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner (Scheduled)
on:
workflow_dispatch:
schedule:
- cron: '0 1 * * 0' # Weekly on Sunday at 1 AM UTC
push:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-osv-scanner-scheduled
cancel-in-progress: true
permissions: {}
jobs:
scan:
name: Scan whole repository
runs-on: ubuntu-24.04
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Run OSV-Scanner (display results)
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
./
- name: Run OSV-Scanner (generate SARIF)
if: always()
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=sarif
--output-file=results.sarif
./
- name: Upload SARIF results
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif
category: osv-scanner-scheduled
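Review bot: The "Run OSV-Scanner (display results)" step is the only scan step in either new workflow without `continue-on-error: true`, which presumably is intentional so the job goes red when findings exist while the SARIF step and upload still run via `if: always()`, but nothing says so and the next maintainer is likely to "fix" it to match the other steps. A one-line comment on that step would pin the contract: `# No continue-on-error here on purpose: findings fail the job; the SARIF step below still runs and uploads.` The same file is scanned twice (once for the log, once for SARIF), so if the intent is only the security-tab upload, dropping the first step would halve the runtime; if the intent is the visible failure, the comment above documents it.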


@@ -1,49 +0,0 @@
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner
on:
workflow_dispatch:
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 1 * * 0'
push:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-osv-scanner
cancel-in-progress: true
permissions: {}
jobs:
scan-scheduled:
name: Scan of whole repo
permissions:
actions: read # # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
with:
scan-args: |-
-r
./
scan-pr:
name: Scan of just PR code
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'pull_request' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
with:
# Example of specifying custom arguments
scan-args: |-
-r
./