OSV-Scanner Scan #202
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # runs vulnerability scans and add them to Github Security tab | |
| name: OSV-Scanner Scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "12 6 * * *" | |
| permissions: {} | |
| jobs: | |
| scan-scheduled: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write # for uploading SARIF files | |
| if: ${{ github.repository == 'metal3-io/ip-address-manager' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Calculate go version | |
| id: vars | |
| run: echo "go_version=$(make go-version)" >> "${GITHUB_OUTPUT}" | |
| - name: Set up Go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: ${{ steps.vars.outputs.go_version }} | |
| # NOTE: this "go install" is not updated by Dependabot | |
| - name: Install OSV Scanner | |
| run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@9267fda97136812f3217852fd380104487cf4a00 # v2.1.0 | |
| - name: Run OSV Scanner | |
| id: osv-scan | |
| run: | | |
| osv-scanner scan \ | |
| --format json --output results.json --recursive \ | |
| --config=<( echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" ) \ | |
| ./ | |
| echo "has_vulnerabilities=$(jq '.results | length > 0' results.json)" >> "${GITHUB_OUTPUT}" | |
| continue-on-error: true | |
| - name: "Run OSV Scanner Reporter" | |
| uses: google/osv-scanner/actions/reporter@9267fda97136812f3217852fd380104487cf4a00 # v2.1.0 | |
| with: | |
| scan-args: |- | |
| --output=results.sarif | |
| --new=results.json | |
| --gh-annotations=false | |
| continue-on-error: true | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 | |
| with: | |
| sarif_file: results.sarif | |
| # if the results.json has any results, then it means there is some vulnerability to be checked out | |
| - name: Slack Notification on Failure | |
| if: ${{ steps.osv-scan.outputs.has_vulnerabilities == 'true' }} | |
| uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3 | |
| env: | |
| SLACK_TITLE: "OSV-Scanner detected vulnerabilities in ${{ github.repository }}" | |
| SLACK_COLOR: "#FF0000" | |
| SLACK_MESSAGE: "OSV-Scanner detected vulnerabilities in ${{ github.repository }}" | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| SLACK_CHANNEL: metal3-github-actions-notify | |
| SLACK_USERNAME: metal3-github-actions-notify |