mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-12 10:16:48 +00:00
When I implemented the OSC scanner I followed the guidance on the the action repo to use a single workflow for both PR and main tests and rely on a re-usable workflow. Since then I've realised some negatives of this approach: - Unlike actions, dependabot needs custom logic to bump workflow pins, so we are more likely to be out of date - A lack of transparency/notification of when updates are needed, due to bugs/ security fixes - The dual workflow results in skipped jobs that clutter the UI - No ability to customise the pre-steps, or config As such let's take the hit of managing two workflows, in order to give us better flexibility. Also add the `--call-analysis=none` option as we run govulncheck separately, so don't want to have to compile and have a slow build Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
63 lines
1.9 KiB
YAML
63 lines
1.9 KiB
YAML
# Periodic OSV-Scanner scanning for vulnerabilities in the whole repository.
|
|
# Runs on push to main, on schedule, and can be manually triggered.
|
|
#
|
|
# For more information, see https://google.github.io/osv-scanner/github-action/
|
|
|
|
name: OSV-Scanner (Scheduled)
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '0 1 * * 0' # Weekly on Sunday at 1 AM UTC
|
|
push:
|
|
branches: [ "main" ]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-osv-scanner-scheduled
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
scan:
|
|
name: Scan whole repository
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
actions: read # Required to upload SARIF file to CodeQL
|
|
contents: read # Read commit contents
|
|
security-events: write # Require writing security events to upload SARIF file to security tab
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Run OSV-Scanner (display results)
|
|
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
|
|
with:
|
|
scan-args: |-
|
|
--config=osv-scanner.toml
|
|
--recursive
|
|
--call-analysis=none
|
|
./
|
|
|
|
- name: Run OSV-Scanner (generate SARIF)
|
|
if: always()
|
|
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
|
|
continue-on-error: true
|
|
with:
|
|
scan-args: |-
|
|
--config=osv-scanner.toml
|
|
--recursive
|
|
--call-analysis=none
|
|
--format=sarif
|
|
--output-file=results.sarif
|
|
./
|
|
|
|
- name: Upload SARIF results
|
|
if: always()
|
|
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
sarif_file: results.sarif
|
|
category: osv-scanner-scheduled
|