Files
kata-containers/.github/workflows/osv-scanner-pr.yaml
stevenhorsman 86b8afb761 workflows: refactor osv-scanner workflows
When I implemented the OSC scanner I followed the
guidance on the the action repo to use a single workflow for
both PR and main tests and rely on a re-usable workflow.
Since then I've realised some negatives of this approach:
- Unlike actions, dependabot needs custom logic to bump
workflow pins, so we are more likely to be out of date
- A lack of transparency/notification of when updates
are needed, due to bugs/ security fixes
- The dual workflow results in skipped jobs that
clutter the UI
- No ability to customise the pre-steps, or config

As such let's take the hit of managing two workflows,
in order to give us better flexibility.

Also add the `--call-analysis=none` option as we run govulncheck
separately, so don't want to have to compile and have a slow build

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
2026-06-09 13:38:17 +01:00

103 lines
3.2 KiB
YAML

# OSV-Scanner check for pull requests.
# Scans both base and PR branches, then compares to detect new vulnerabilities.
#
# For more information, see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner (PR)
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}-osv-scanner-pr
cancel-in-progress: true
permissions: {}
jobs:
scan:
name: Scan PR changes
runs-on: ubuntu-24.04
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
steps:
- name: Checkout base branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: ${{ github.event.pull_request.base.ref }}
persist-credentials: false
- name: Scan base branch
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=json
--output-file=base-results.json
./
- name: Upload base results
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: base-results
path: base-results.json
if-no-files-found: warn
retention-days: 1
- name: Checkout PR branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Scan PR branch
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
continue-on-error: true
with:
scan-args: |-
--config=osv-scanner.toml
--recursive
--call-analysis=none
--format=json
--output-file=pr-results.json
./
- name: Download base results
if: always()
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: base-results
continue-on-error: true
- name: Create empty base results if missing
if: always()
run: |
if [ ! -f base-results.json ]; then
echo "Base results not found, creating empty file"
echo '{"results": []}' > base-results.json
fi
- name: Compare results
uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--output=results.sarif
--old=base-results.json
--new=pr-results.json
--gh-annotations=true
--fail-on-vuln=true
- name: Upload SARIF results
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif
category: osv-scanner-pr