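---
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: "OSV Scanner - PR"
# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it (yamllint: truthy).
on:
  pull_request:
    branches: ["main"]
  workflow_dispatch:
# Workflow-level token gets no permissions; each job grants only what it needs.
permissions: {}
jobs:
  osv-scanner-pr:
    permissions:
      # Require writing security events to upload SARIF file to security tab
      security-events: write
      # Read commit contents
      contents: read
      # Actions read-only
      actions: read
    # Reusable workflow pinned to a full commit SHA so the code behind the
    # version tag cannot change underneath this workflow.
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2" # v2.3.8
    with:
      # The reusable workflow only reports; the `check` job below decides pass/fail.
      fail-on-vuln: false
  check:
    runs-on: ubuntu-latest
    needs: osv-scanner-pr
    steps:
      - name: Check OSV scan results
        shell: bash
        # Scan outputs enter the script through `env`, never via ${{ }} inside
        # `run`, so their contents are never expanded as shell text.
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          rc=0
          # Capture the id list first: a jq failure on malformed scan output
          # aborts the step under `set -e` instead of silently passing.
          new_ids="$(printf '%s\n' "${NEW_RESULTS}" | jq -r '.results[].packages[].vulnerabilities[].id')"
          # Loop in the current shell via a here-string. The previous form piped
          # jq into `while`, which runs the loop in a subshell, so every
          # increment of `rc` was lost and the check could never fail.
          while read -r vid; do
            [ -n "${vid}" ] || continue
            # Fixed-string match on the quoted id. Negating a plain `grep -q`
            # avoids `grep -L`, whose exit status semantics differ across grep
            # versions (inverted in GNU grep >= 3.5).
            if ! printf '%s\n' "${OLD_RESULTS}" | grep -q -F -e "\"${vid}\""; then
              rc=$((rc+1))
              >&2 echo "error: PR introduces new vulnerabilities ${vid} (see step 'scan > osv-scanner-pr > Run osv-scanner-reporter' for details)"
            fi
          done <<< "${new_ids}"
          if [ "${rc}" -gt 0 ]; then
            >&2 echo "error: ${rc} new vulnerabilities introduced by this PR"
            # Fixed non-zero status: `exit "${rc}"` wraps modulo 256, so 256
            # new findings would have exited 0 and passed the check.
            exit 1
          fi
        env:
          OLD_RESULTS: ${{ needs.osv-scanner-pr.outputs.old-results }}
          NEW_RESULTS: ${{ needs.osv-scanner-pr.outputs.new-results }}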