UserStyles/.github/workflows/osv-scanner.yml at 64594ae7480db6e4ce920e63d52a3638ec83b30f · Nick2bad4u/UserStyles · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# This GitHub Actions workflow is designed to periodically scan for vulnerabilities using OSV-Scanner.
# It performs scans on pull requests, merge groups, scheduled events, and pushes to the main branch.
#
# Workflow Name: OSV-Scanner
#
# Triggers:
# - pull_request: Triggers when a pull request is made to the main branch.
# - merge_group: Triggers when a merge group is created for the main branch.
# - schedule: Triggers based on a cron schedule (every Monday at 12:39 PM).
# - push: Triggers when code is pushed to the main branch.
#
# Permissions:
# - security-events: write - Required to upload SARIF files to the security tab.
# - contents: read - Required to read commit contents.
# - actions: read - Required to read actions.
#
# Jobs:
# - scan-scheduled: Runs on push or scheduled events. Uses a reusable workflow from the OSV-Scanner action.
# - scan-pr: Runs on pull request or merge group events. Uses a reusable workflow from the OSV-Scanner action.
#
# Both jobs use custom arguments for the OSV-Scanner:
# - -r: Recursively scan directories.
# - ./: Scan the current directory.
# - --fail-on-vuln=false: Do not fail the workflow if vulnerabilities are found.

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/

name: OSV-Scanner

on:
  pull_request:
    branches: ["main"]
  merge_group:
    branches: ["main"]
  schedule:
    - cron: "39 12 * * 1"
  push:
    branches: ["main"]

permissions:
  # Require writing security events to upload SARIF file to security tab
  security-events: write
  # Read commit contents
  contents: read
  actions: read

concurrency:
  group: osv-scanner-${{ github.ref }}
  cancel-in-progress: false

jobs:
  scan-scheduled:
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
    with:
      scan-args: ./package-lock.json --fail-on-vuln=false
  scan-pr:
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
    with:
      scan-args: ./package-lock.json --fail-on-vuln=false