Files
kata-containers/.github/workflows/osv-scanner-scheduled.yaml
stevenhorsman 86b8afb761 workflows: refactor osv-scanner workflows
When I implemented the OSC scanner I followed the
guidance on the the action repo to use a single workflow for
both PR and main tests and rely on a re-usable workflow.
Since then I've realised some negatives of this approach:
- Unlike actions, dependabot needs custom logic to bump
workflow pins, so we are more likely to be out of date
- A lack of transparency/notification of when updates
are needed, due to bugs/ security fixes
- The dual workflow results in skipped jobs that
clutter the UI
- No ability to customise the pre-steps, or config

As such let's take the hit of managing two workflows,
in order to give us better flexibility.

Also add the `--call-analysis=none` option as we run govulncheck
separately, so don't want to have to compile and have a slow build

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
2026-06-09 13:38:17 +01:00

63 lines
1.9 KiB
YAML

# Periodic OSV-Scanner scanning for vulnerabilities in the whole repository.
# Runs on push to main, on schedule, and can be manually triggered.
#
# For more information, see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner (Scheduled)
on:
workflow_dispatch:
schedule:
- cron: '0 1 * * 0' # Weekly on Sunday at 1 AM UTC
push:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-osv-scanner-scheduled
cancel-in-progress: true
permissions: {}
jobs:
scan:
name: Scan whole repository
runs-on: ubuntu-24.04
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Run OSV-Scanner (display results)
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
./
- name: Run OSV-Scanner (generate SARIF)
if: always()
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=sarif
--output-file=results.sarif
./
- name: Upload SARIF results
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif
category: osv-scanner-scheduled