Build GitHub workflow with OSV scanner #1107
Comments
@bossenti could you review it? I just gave it a try, am I on the right track?
Hi @Kshitiz-Mhto, thanks for working on this topic. I'll assign you to the issue to make it transparent. We've not yet thought about how to handle the findings of the scanner, but I think your idea of a VULNERABILITY.md sounds good to me. However, it should not directly get committed, but a PR would be fine to raise the proper awareness.
PS: It's more convenient for us to review code snippets if you just open a WIP PR.
I searched on the GitHub Marketplace and got only one result, i.e. there is no official GitHub Action present in the Marketplace yet. According to the official GitHub repo, it is still experimental. OR,
Demo using Docker image
Alright, then let's go with the Docker image 🙂
* osv-scanner workflow is added
* added reviewer
* pull and specify the docker image
* undo the changes in pom.xml
* modified workflow not to include error in log file
Body
Build a GitHub workflow that applies Google's OSV scanner on a monthly(?) schedule on our repository.
This tool scans dependencies for vulnerabilities.
Open for discussion is how the output of the scan can be reported or displayed.
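A workflow of the kind this issue asks for, combined with the points settled in the comments (run the scanner from its Docker image, write the findings to a VULNERABILITY.md, and raise a PR rather than committing directly). This is an added example, not the workflow submitted in the linked PR; it assumes the scanner image is published as ghcr.io/google/osv-scanner and uses the third-party peter-evans/create-pull-request action to open the PR, and the cron time and branch name are placeholders.

```yaml
name: OSV dependency scan

on:
  schedule:
    - cron: "0 3 1 * *"     # placeholder: 03:00 UTC on the 1st of every month
  workflow_dispatch:         # allow manual runs while tuning the workflow

permissions:
  contents: write            # push the results branch
  pull-requests: write       # open the PR

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run OSV scanner from its Docker image (image name assumed)
        id: scan
        run: |
          set +e
          # Only the report goes to the file: stderr (scanner errors) is
          # left on the job log instead of ending up in VULNERABILITY.md.
          docker run --rm -v "$PWD:/src" ghcr.io/google/osv-scanner:latest \
            --recursive --format markdown /src > VULNERABILITY.md
          rc=$?
          set -e
          # osv-scanner exit codes: 0 = no findings, 1 = findings; anything
          # else is a scanner error that should fail the job, not open a PR.
          case "$rc" in
            0) echo "found=false" >> "$GITHUB_OUTPUT" ;;
            1) echo "found=true"  >> "$GITHUB_OUTPUT" ;;
            *) echo "osv-scanner failed with exit code $rc" >&2; exit "$rc" ;;
          esac

      - name: Open a PR with the findings (never commit to the default branch)
        if: steps.scan.outputs.found == 'true'
        uses: peter-evans/create-pull-request@v5
        with:
          branch: osv-scanner/findings          # placeholder branch name
          commit-message: "Update VULNERABILITY.md from OSV scanner run"
          title: "OSV scanner found vulnerable dependencies"
          body: "Automated monthly OSV scan; see VULNERABILITY.md in this PR."
          add-paths: VULNERABILITY.md
```

The `found` output keeps a clean scan from opening an empty PR, while a scanner failure (exit code other than 0 or 1) fails the job so it is noticed rather than silently producing an empty report.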
Mentoring
As this ticket is marked as a good first issue: one of @dominikriemer, @tenthe, or @bossenti is happy to provide help for getting started, just tag (one of) them if you want to start working on this issue and need some help.
StreamPipes Committer
I acknowledge that I am a maintainer/committer of the Apache StreamPipes project.