# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Reusable OSV-Scanner workflow for pull requests. Callers invoke it through
# `workflow_call`; it scans the PR's base ref and the PR head separately and
# the reporter step then surfaces only the vulnerabilities the PR introduces.
name: "OSV-Scanner PR Scanning"

on:
  workflow_call:
    inputs:
      scan-args:
        description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output)"
        type: string
        # One argument per line; the default is a recursive scan of the checkout root.
        default: |-
          -r
          ./
      results-file-name:
        description: "File name of the result SARIF file"
        type: string
        default: "results.sarif"
      upload-sarif:
        description: "Whether to upload to Security > Code Scanning"
        type: boolean
        required: false
        default: true
      fail-on-vuln:
        description: "Whether to fail the action on vulnerability found"
        type: boolean
        default: true
      matrix-property:
        description: "Optional string for matrix strategies (E.g. 'amd64-')"
        type: string
        default: ""
      checkout-submodules:
        description: "Whether to check out submodules or not. Passed on to `submodules` argument of `actions/checkout`"
        type: boolean
        default: false

# Token scopes for the job, kept to the minimum the steps below need.
# `actions: read` is required for the SARIF upload to code scanning; see
# https://github.com/github/codeql-action/issues/2117
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      # Full history is fetched so both the base ref and the PR head can be
      # checked out in later steps. Credentials are deliberately left persisted
      # (the default) because those later git checkouts depend on them.
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0
          submodules: ${{ inputs.checkout-submodules }}

      # Phase 1: baseline scan of the PR's target branch.
      - name: "Checkout target branch"
        run: |
          git checkout $GITHUB_BASE_REF
          git submodule update --recursive
      - name: "Run scanner on existing code"
        uses: google/osv-scanner-action/osv-scanner-action@ffff457756fc02fd3b933aabf3705406f57a2e19 # v2.3.1
        with:
          scan-args: |-
            --format=json
            --output=${{ inputs.matrix-property }}old-results.json
            ${{ inputs.scan-args }}
        # Findings on the baseline must not abort the job; pass/fail is decided
        # by the reporter step via --fail-on-vuln.
        continue-on-error: true

      # Phase 2: scan the PR head. `-f` discards anything the scanner may have
      # left in the working tree (no changes are expected).
      - name: "Checkout current branch"
        run: |
          git checkout -f $GITHUB_SHA
          git submodule update --recursive
      - name: "Run scanner on new code"
        uses: google/osv-scanner-action/osv-scanner-action@ffff457756fc02fd3b933aabf3705406f57a2e19 # v2.3.1
        with:
          scan-args: |-
            --format=json
            --output=${{ inputs.matrix-property }}new-results.json
            ${{ inputs.scan-args }}
        continue-on-error: true

      # Phase 3: diff old against new, annotate the PR, write the SARIF file
      # and apply the fail-on-vuln policy.
      - name: "Run osv-scanner-reporter"
        uses: google/osv-scanner-action/osv-reporter-action@ffff457756fc02fd3b933aabf3705406f57a2e19 # v2.3.1
        with:
          scan-args: |-
            --output=${{ inputs.matrix-property }}${{ inputs.results-file-name }}
            --old=${{ inputs.matrix-property }}old-results.json
            --new=${{ inputs.matrix-property }}new-results.json
            --gh-annotations=true
            --fail-on-vuln=${{ inputs.fail-on-vuln }}

      # Scan output is published to the Actions tab for 5 days. `!cancelled()`
      # means the uploads also run after an earlier step failed; only a
      # cancelled run skips them. Remove these three steps to disable the uploads.
      - name: "Upload artifact"
        if: "${{ !cancelled() }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: "OSV Scanner SARIF file"
          path: ${{ inputs.matrix-property }}${{ inputs.results-file-name }}
          retention-days: 5
      - name: "Upload old scan json results"
        if: "${{ !cancelled() }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ${{ inputs.matrix-property }}old-json-results
          path: ${{ inputs.matrix-property }}old-results.json
          retention-days: 5
      - name: "Upload new scan json results"
        if: "${{ !cancelled() }}"
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ${{ inputs.matrix-property }}new-json-results
          path: ${{ inputs.matrix-property }}new-results.json
          retention-days: 5

      # Publish the SARIF file to the repository's code scanning dashboard when
      # the caller opted in. The step id is read by the troubleshooter below.
      - name: "Upload to code-scanning"
        id: upload_artifact
        if: "${{ !cancelled() && inputs.upload-sarif == true }}"
        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
        with:
          sarif_file: ${{ inputs.matrix-property }}${{ inputs.results-file-name }}
      - name: "Print Code Scanning PR URL"
        if: "${{ !cancelled() && inputs.upload-sarif == true }}"
        run: |
          echo "View the OSV-Scanner results for this PR in the 'Security' tab, using the following link:"
          echo "${{ github.server_url }}/${{ github.repository }}/security/code-scanning?query=pr%3A${{ github.event.pull_request.number }}"

      # Turns a failed SARIF upload into a workflow error annotation so the
      # likely root cause (a failed scan earlier in the job) is visible.
      - name: "Error troubleshooter"
        if: "${{ always() && steps.upload_artifact.outcome == 'failure' }}"
        run: |
          echo "::error::Artifact upload failed. This is most likely caused by a error during scanning earlier in the workflow."