mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-11 00:52:00 +00:00
When I implemented the OSC scanner I followed the guidance on the the action repo to use a single workflow for both PR and main tests and rely on a re-usable workflow. Since then I've realised some negatives of this approach: - Unlike actions, dependabot needs custom logic to bump workflow pins, so we are more likely to be out of date - A lack of transparency/notification of when updates are needed, due to bugs/ security fixes - The dual workflow results in skipped jobs that clutter the UI - No ability to customise the pre-steps, or config As such let's take the hit of managing two workflows, in order to give us better flexibility. Also add the `--call-analysis=none` option as we run govulncheck separately, so don't want to have to compile and have a slow build Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
103 lines
3.2 KiB
YAML
103 lines
3.2 KiB
YAML
# OSV-Scanner check for pull requests.
|
|
# Scans both base and PR branches, then compares to detect new vulnerabilities.
|
|
#
|
|
# For more information, see https://google.github.io/osv-scanner/github-action/
|
|
|
|
name: OSV-Scanner (PR)
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [ "main" ]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}-osv-scanner-pr
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
scan:
|
|
name: Scan PR changes
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
actions: read # Required to upload SARIF file to CodeQL
|
|
contents: read # Read commit contents
|
|
security-events: write # Require writing security events to upload SARIF file to security tab
|
|
steps:
|
|
- name: Checkout base branch
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
ref: ${{ github.event.pull_request.base.ref }}
|
|
persist-credentials: false
|
|
|
|
- name: Scan base branch
|
|
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
|
|
continue-on-error: true
|
|
with:
|
|
scan-args: |-
|
|
--config=osv-scanner.toml
|
|
--recursive
|
|
--call-analysis=none
|
|
--format=json
|
|
--output-file=base-results.json
|
|
./
|
|
|
|
- name: Upload base results
|
|
if: always()
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: base-results
|
|
path: base-results.json
|
|
if-no-files-found: warn
|
|
retention-days: 1
|
|
|
|
- name: Checkout PR branch
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
persist-credentials: false
|
|
|
|
- name: Scan PR branch
|
|
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
|
|
continue-on-error: true
|
|
with:
|
|
scan-args: |-
|
|
--config=osv-scanner.toml
|
|
--recursive
|
|
--call-analysis=none
|
|
--format=json
|
|
--output-file=pr-results.json
|
|
./
|
|
|
|
- name: Download base results
|
|
if: always()
|
|
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
|
with:
|
|
name: base-results
|
|
continue-on-error: true
|
|
|
|
- name: Create empty base results if missing
|
|
if: always()
|
|
run: |
|
|
if [ ! -f base-results.json ]; then
|
|
echo "Base results not found, creating empty file"
|
|
echo '{"results": []}' > base-results.json
|
|
fi
|
|
|
|
- name: Compare results
|
|
uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
|
|
with:
|
|
scan-args: |-
|
|
--output=results.sarif
|
|
--old=base-results.json
|
|
--new=pr-results.json
|
|
--gh-annotations=true
|
|
--fail-on-vuln=true
|
|
|
|
- name: Upload SARIF results
|
|
if: always()
|
|
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
sarif_file: results.sarif
|
|
category: osv-scanner-pr
|