|
1 |
| -# This file is adapted from https://github.com/google/osv-scanner |
2 |
| - |
| 1 | +# runs vulnerability scans and add them to Github Security tab |
3 | 2 |
|
4 | 3 | name: OSV-Scanner Scan
|
5 | 4 |
|
6 | 5 | on:
|
| 6 | + workflow_dispatch: |
7 | 7 | schedule:
|
8 | 8 | - cron: "12 6 * * 1"
|
9 | 9 |
|
10 |
| -# Restrict jobs in this workflow to have no permissions by default; permissions |
11 |
| -# should be granted per job as needed using a dedicated `permissions` block |
12 | 10 | permissions: {}
|
13 | 11 |
|
14 | 12 | jobs:
|
15 | 13 | scan-scheduled:
|
16 | 14 | permissions:
|
17 | 15 | actions: read
|
18 |
| - contents: read # to fetch code (actions/checkout) |
| 16 | + contents: read |
19 | 17 | security-events: write # for uploading SARIF files
|
20 | 18 | if: ${{ github.repository == 'metal3-io/ip-address-manager' }}
|
21 | 19 | runs-on: ubuntu-latest
|
22 | 20 | steps:
|
23 |
| - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
24 |
| - - name: Calculate go version |
25 |
| - id: vars |
26 |
| - run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT |
27 |
| - - name: Set up Go |
28 |
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 |
29 |
| - with: |
30 |
| - go-version: ${{ steps.vars.outputs.go_version }} |
31 |
| - - name: Install OSV Scanner |
32 |
| - run: go install github.com/google/osv-scanner/cmd/osv-scanner@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1 |
33 |
| - - name: Run OSV Scanner |
34 |
| - run: osv-scanner scan --format json --output results.json --recursive --skip-git ./ |
35 |
| - continue-on-error: true |
36 |
| - - name: "Run OSV Scanner Reporter" |
37 |
| - uses: google/osv-scanner/actions/reporter@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1 |
38 |
| - with: |
39 |
| - scan-args: |- |
40 |
| - --output=results.sarif |
41 |
| - --new=results.json |
42 |
| - --gh-annotations=false |
43 |
| - - name: Upload SARIF file |
44 |
| - uses: github/codeql-action/upload-sarif@v2 |
45 |
| - with: |
46 |
| - sarif_file: results.sarif |
| 21 | + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 22 | + - name: Calculate go version |
| 23 | + id: vars |
| 24 | + run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT |
| 25 | + - name: Set up Go |
| 26 | + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 |
| 27 | + with: |
| 28 | + go-version: ${{ steps.vars.outputs.go_version }} |
| 29 | + - name: Install OSV Scanner |
| 30 | + run: go install |
| 31 | + github.com/google/osv-scanner/cmd/osv-scanner@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1 |
| 32 | + - name: Run OSV Scanner |
| 33 | + run: | |
| 34 | + osv-scanner scan \ |
| 35 | + --format json --output results.json --recursive --skip-git \ |
| 36 | + --config=<( echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" ) \ |
| 37 | + ./ |
| 38 | + continue-on-error: true |
| 39 | + - name: "Run OSV Scanner Reporter" |
| 40 | + uses: google/osv-scanner/actions/reporter@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1 |
| 41 | + with: |
| 42 | + scan-args: |- |
| 43 | + --output=results.sarif |
| 44 | + --new=results.json |
| 45 | + --gh-annotations=false |
| 46 | + --fail-on-vuln=false |
| 47 | + - name: Upload SARIF file |
| 48 | + uses: github/codeql-action/upload-sarif@v2 |
| 49 | + with: |
| 50 | + sarif_file: results.sarif |
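Review bot: The new `--config=<( echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" )` line in the "Run OSV Scanner" step expands a workflow expression directly inside a `run:` script, which is the interpolation pattern GitHub's Actions hardening guidance asks to avoid; here the value comes only from `make go-version` in the repository's own Makefile, so the exposure is limited, but routing it through the environment costs nothing: add `env:` with `GO_VERSION: ${{ steps.vars.outputs.go_version }}` to the step and write `--config=<( echo "GoVersionOverride = \"${GO_VERSION}\"" ) \` in the script. The "Upload SARIF file" step is the only one left on a mutable tag, `github/codeql-action/upload-sarif@v2`, while every other action in the job is pinned to a commit SHA with a version comment; pin it the same way, and since the v2 line of codeql-action has been deprecated upstream the pin should presumably be taken from a v3 release. The `run: go install` value in "Install OSV Scanner" is now a multi-line plain scalar whose continuation line also carries the `# v1.9.1` pin comment; it parses, but the comment is easy to misread as part of the command, so moving it up to the `- name: Install OSV Scanner` line would make the pin unambiguous.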