Skip to content

Commit

Permalink
Switch to reusable osv-scanner workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
@np5
np5 committed Mar 6, 2024
1 parent 4cd2ff1 commit 957347a
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 113 deletions.
78 changes: 5 additions & 73 deletions .github/workflows/osv-scanner-pr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,76 +16,8 @@ permissions:

jobs:
scan-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Do persist credentials, as we need it for the git checkout later
- name: "Checkout target branch"
run: git checkout $GITHUB_BASE_REF
- name: "Rename constraints.txt file"
run: cp ./constraints.txt /tmp/requirements.txt
- name: "Run scanner on existing code"
uses: google/osv-scanner/actions/scanner@main
continue-on-error: true
with:
scan-args: |-
--format=json
--output=old-results.json
-r
--skip-git
--lock-file=./package-lock.json
--lock-file=/tmp/requirements.txt
- name: "Checkout current branch"
run: git checkout $GITHUB_SHA
- name: "Rename constraints.txt file"
run: cp ./constraints.txt /tmp/requirements.txt
- name: "Run scanner on new code"
uses: google/osv-scanner/actions/scanner@main
with:
scan-args: |-
--format=json
--output=old-results.json
-r
--skip-git
--lock-file=./package-lock.json
--lock-file=/tmp/requirements.txt
continue-on-error: true
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner/actions/reporter@main
with:
scan-args: |-
--output=results.sarif
--old=old-results.json
--new=new-results.json
--gh-annotations=true
--fail-on-vuln=true
# Upload the results as artifacts (optional).
- name: "Upload artifact"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload old scan json results"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: old-json-results
path: old-results.json
retention-days: 5
- name: "Upload new scan json results"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: new-json-results
path: new-results.json
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: "!cancelled()"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
uses: "google/osv-scanner/.github/workflows/[email protected]"
with:
scan-args: |-
--lockfile ./package-lock.json
--lockfile requirements.txt:./constraints.txt
45 changes: 5 additions & 40 deletions .github/workflows/osv-scanner.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,43 +17,8 @@ permissions:

jobs:
scan-scheduled:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Rename constraints.txt file"
run: cp ./constraints.txt /tmp/requirements.txt
- name: "Run scanner"
uses: google/osv-scanner/actions/scanner@main
continue-on-error: true
with:
scan-args: |-
--format=json
--output=results.json
-r
--skip-git
--lock-file=./package-lock.json
--lock-file=/tmp/requirements.txt
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner/actions/reporter@main
with:
scan-args: |-
--output=results.sarif
--new=results.json
--gh-annotations=false
--fail-on-vuln=true
# Upload the results as artifacts.
- name: "Upload artifact"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: "!cancelled()"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
uses: "google/osv-scanner/.github/workflows/[email protected]"
with:
scan-args: |-
--lockfile ./package-lock.json
--lockfile requirements.txt:./constraints.txt

0 comments on commit 957347a

Please sign in to comment.