🌱 Fix OSV-Scanner #3
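# Runs vulnerability scans and adds them to the GitHub Security tab.
#
# Flow: set-go-version computes the Go version from the repo Makefile and
# uploads it as a config.toml artifact; scan-scheduled feeds that artifact to
# the OSV-Scanner reusable workflow; check-and-notify inspects the resulting
# SARIF and posts to Slack when vulnerabilities are found or a job failed.
name: OSV-Scanner Scheduled

on:
  workflow_dispatch:
  schedule:
    - cron: "12 6 * * *"
  pull_request:
    paths:
      - ".github/workflows/osv-scanner-scheduled.yml"

permissions:
  actions: read
  contents: read
  security-events: write # for uploading SARIF files

jobs:
  set-go-version:
    name: Set up Go version
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Calculate go version
        id: vars
        run: echo "go_version=$(make go-version)" >> "${GITHUB_OUTPUT}"
      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: ${{ steps.vars.outputs.go_version }}
      - name: Create config.toml
        # The step output is handed to the shell through an environment
        # variable instead of being expanded with ${{ }} inside the `run`
        # line; on pull_request events the value originates from the checked
        # out Makefile, so it should never be spliced into script text.
        env:
          GO_VERSION: ${{ steps.vars.outputs.go_version }}
        run: echo "GoVersionOverride = \"${GO_VERSION}\"" > config.toml
      - name: Upload config.toml
        # TODO(review): pin to a commit SHA with a version comment, as the
        # checkout/setup-go/slack steps already are, so the artifact steps
        # resolve to an immutable revision.
        uses: actions/upload-artifact@v4
        with:
          name: calculated-go-version
          path: ./config.toml

  scan-scheduled:
    name: Run OSV Scanner
    needs: set-go-version
    if: ${{ github.repository == 'metal3-io/ip-address-manager' }}
    # NOTE(review): the reusable-workflow reference is garbled in this
    # rendering; it must be the OSV-Scanner reusable workflow path followed
    # by an explicit tag or commit SHA — verify against the checked-in file.
    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
    with:
      download-artifact: calculated-go-version
      scan-args: |-
        --config=./config.toml
        --fail-on-vuln=false

  check-and-notify:
    name: Check vulnerabilities and notify
    needs: [set-go-version, scan-scheduled]
    runs-on: ubuntu-latest
    # always() keeps this job running when an upstream job failed so the
    # failure itself can be reported below.
    if: ${{ always() && github.repository == 'metal3-io/ip-address-manager' }}
    steps:
      - uses: actions/download-artifact@v4 # TODO(review): pin to a commit SHA
        with:
          name: SARIF file
      - name: Check for vulnerabilities in SARIF
        id: check
        # Emits has_vulnerabilities=true|false. The `?` on each iteration
        # tolerates a run object without a results array instead of making
        # jq (and thus the step) error out on an empty report.
        run: |
          HAS_VULN=$(jq '[.runs[]?.results[]?] | length > 0' results.sarif)
          echo "has_vulnerabilities=${HAS_VULN}" >> "${GITHUB_OUTPUT}"
      - name: Slack Notification on Vulnerability or Failure
        # Without always() this step would be skipped whenever the download
        # or jq step above failed (e.g. no SARIF was produced because the scan
        # job failed), silently suppressing exactly the alert that
        # contains(needs.*.result, 'failure') is meant to raise; failure()
        # covers a failed step in this job as well.
        if: ${{ always() && (steps.check.outputs.has_vulnerabilities == 'true' || contains(needs.*.result, 'failure') || failure()) }}
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          SLACK_TITLE: "OSV-Scanner failed or detected vulnerabilities in ${{ github.repository }}"
          SLACK_COLOR: "#FF0000"
          SLACK_MESSAGE: "OSV-Scanner failed or detected vulnerabilities in ${{ github.repository }}"
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_CHANNEL: metal3-github-actions-notify
          SLACK_USERNAME: metal3-github-actions-notify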