Create osv-scanner.yml #840
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
There was a problem hiding this comment.
Thanks for the PR!
Generally looks good, though I have one question, is this duplicate with DevSkim action?
.github/workflows/osv-scanner.yml
Outdated
| merge_group: | ||
| branches: [ "main" ] |
There was a problem hiding this comment.
Currently, Topgrade does not employ merge queue, so:
| merge_group: | |
| branches: [ "main" ] |
.github/workflows/osv-scanner.yml
Outdated
| schedule: | ||
| - cron: '17 2 * * 2' |
There was a problem hiding this comment.
I think it would be best to run this on every PR so that we can find the vulnerability as fast as possible
.github/workflows/osv-scanner.yml
Outdated
| --skip-git | ||
| ./ | ||
| scan-pr: | ||
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} |
There was a problem hiding this comment.
This can be removed if we only run it on every PR
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} |
.github/workflows/osv-scanner.yml
Outdated
| scan-scheduled: | ||
| if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} | ||
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 | ||
| with: | ||
| # Example of specifying custom arguments | ||
| scan-args: |- | ||
| -r | ||
| --skip-git | ||
| ./ |
There was a problem hiding this comment.
| scan-scheduled: | |
| if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} | |
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 | |
| with: | |
| # Example of specifying custom arguments | |
| scan-args: |- | |
| -r | |
| --skip-git | |
| ./ |
Would be best to run on every PR, so no need to run scheduled scan
.github/workflows/osv-scanner.yml
Outdated
| ./ | ||
| scan-pr: | ||
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | ||
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 |
There was a problem hiding this comment.
Any reason we are not specifying a version number here?
What does this PR do
Adding OSV-scanner to our workflows.
cf. https://google.github.io/osv-scanner/github-action/#github-action
Standards checklist
CONTRIBUTING.mdFor new steps
--dry-runoption works with this step--yesoption works with this step if it is supported bythe underlying command
If you developed a feature or a bug fix for someone else, and you do not have the
means to test it, please tag this person here.