Add OSV-Scanner GitHub Actions workflow for vulnerability scanning

This pull request introduces a new GitHub Actions workflow to integrate OSV-Scanner for security scanning. The workflow is configured to run on pull requests, scheduled events, and pushes to the master branch. Key changes: .github/workflows/osv-scanner.yml: Added a new workflow file to configure OSV-Scanner for security scanning on pull requests, scheduled events, and pushes to the master branch. The workflow includes permissions setup and job definitions for both scheduled scans and pull request scans. Signed-off-by: Ruslan Dautov <[email protected]>
lf-edge · Jan 31, 2025 · 495262a · 495262a
1 parent 3f8d888
commit 495262a
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) 2025, Zededa, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: OSV-Scanner
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches: ["master"]
+  merge_group:
+    types: [checks_requested]
+  schedule:
+    - cron: "12 12 * * 1"
+  push:
+    branches: ["master"]
+
+permissions:
+  # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
+  actions: read
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
+
+jobs:
+  scan-scheduled:
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e994fd8ab13fe1394942045f5945cd39c6c2d68e"  # v1.9.2
+
+  scan-pr:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e994fd8ab13fe1394942045f5945cd39c6c2d68e"  # v1.9.2