Add OSV-Scanner-based security workflow #388
Open
vikrantpuppala wants to merge 1 commit into
Single workflow, single job, three triggers:
- pull_request to main: fails on CVSS >= 7 findings only (HIGH/CRITICAL block merges; MED/LOW visible but non-blocking)
- cron weekly (Sunday 00:00 UTC): reports ALL findings via email
- workflow_dispatch: behaves like cron
Mirrors the JDBC driver's security workflow (databricks-jdbc#1460) adapted for Node.js:
- Reads package-lock.json natively via OSV-Scanner --lockfile (no separate SBOM tool needed)
- Reuses the existing ./.github/actions/setup-jfrog composite action for parity with main.yml (the workflow functionally doesn't need JFrog since OSV reads the lockfile directly, but keeping the composite action preserves the established pattern)
- Suppressions in osv-scanner.toml ([[IgnoredVulns]] schema)
The workflow is not yet wired into branch protection. Day-one scan against current main surfaces 22 HIGH / 15 MED / 5 LOW (42 total). Many are in dev dependencies (mocha/nyc/eslint chains). The team can either bump the offending deps or add documented [[IgnoredVulns]] entries for dev-only findings that don't reach `dist/`.
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Summary
- `.github/workflows/securityScan.yml` — single workflow, single job, three triggers (PR / weekly cron / manual). PR runs fail on CVSS ≥ 7 only; weekly runs report all findings and email the team.
- `osv-scanner.toml` — empty suppressions file (populate iteratively as real false positives or dev-only findings surface).
- `./.github/actions/setup-jfrog` composite action — no duplicate OIDC-token logic.
Mirrors the JDBC driver's workflow (databricks-jdbc#1460), adapted for Node.js: reads `package-lock.json` natively via OSV-Scanner (no separate SBOM tool needed).
Day-one results
The workflow is not yet wired into branch protection, so its first PR-time runs are advisory. A dry-run against current `main` surfaces: `form-data`, `basic-ftp`, `flatted`, `minimatch`, `thrift`, `ws`, `serialize-javascript`, `cross-spawn`, `path-to-regexp`, `braces`, `picomatch`, `@75lb/deep-merge`
Important: OSV scans both runtime and devDependencies (it treats everything in `package-lock.json` equally). Many of the day-one findings are dev-only (the mocha/nyc/eslint toolchain — `flatted`, `serialize-javascript`, `nanoid`, `js-yaml`, etc.) and don't reach `dist/`. The team has two options for those:
- `npm update` away.
- `[[IgnoredVulns]]` entry to `osv-scanner.toml` justifying why the CVE is dev-only and doesn't affect shipped artifacts.
A follow-up PR can either bump deps or curate the suppression list once we triage what's runtime vs. dev.
Test plan
- `package-lock.json` — produces expected findings
- `workflow_dispatch` after merge exercises the weekly path
- `SMTP_USERNAME`, `SMTP_PASSWORD`, `EMAIL_RECIPIENTS` wired in repo settings before the first scheduled run
This pull request was AI-assisted by Isaac.