Build Github worfklow with OSV scanner #1107
Comments
bossenti
added
enhancement
|
@bossenti could you review it ? i just gave it a try, am i on the right track? |
|
output:
further, we could auto-commit the scan-result in maybe VULNERABILITY.md file throught gh-action also. |
|
Hi @Kshitiz-Mhto, thanks for working on this topic. I'll assign you to the issue to make it transparent. We've not yet thought about how to handle the findings of the scanner, but I think your idea of a VULNERABILITY.md sounds good to me. However, it should not directly get committed but a PR would be fine to raise the proper awareness |
|
PS: It's more convenient for us to review code snippets if you just open an WIP PR. |
|
i searched on the github market place i got only one result ie there is no any official github action present in marketplace yet. as from official github repo, it is still experimental OR, |
|
Demo using docker image |
|
Alright, then let's go with the docker image 🙂 |
* osv-scanner workflow is added * added reviewer * pull and specify the docker image * undo the changes in pom.xml * modified worflow not to include error in log file
* osv-scanner workflow is added * added reviewer * pull and specify the docker image * undo the changes in pom.xml * modified worflow not to include error in log file
Body
Build a GitHub wofkflow that applies Google's OSV scanner on a monthly(?) schedule on our repository.
This tool scans dependencies for vulnerabilities.
Open for discussion is how the output of the scan can be reported or displayed.
Mentoring
As this ticket is marked as good first issue: one of @dominikriemer, @tenthe, or @bossenti are happy to provide help for getting started, just tag (one of) them if you want to start working on this issue and need some help.
StreamPipes Committer
I acknowledge that I am a maintainer/committer of the Apache StreamPipes project.
The text was updated successfully, but these errors were encountered: