Build GitHub actions for running osv-scanner #57
Comments
andrewpollock
changed the title
|
@oliverchang Now since osv-scanner is out, I was thinking of building a github action and found this issue. Adding a proposal for building Github action here for your feedback
Some plumbing code need to be written to integrate with Github PR scanning workflow. Update: Mistook Git commit scan as checking for changes in the PR in target repo. Probably need to refactor a bit to scan lockfile changes only in the PR. This will be useful in incremental scans. |
|
(Moving issue to the right repo) Thanks for proposing this @abhisek! We're still trying to figure out all the necessary requirements for this action (and don't want to rush it), as we want this to go beyond the scope of just scanning (but also include tracking/remediation). We're happy to accept contributions to make the necessary plumbing/PR changes for these pieces! |
|
One of the key refactoring change that I would propose is to introduce the following inside type PackageDetailSource struct {
sourceFile, sourceLine string
}
Subsequently correlate the |
|
@abhisek that sounds like a pretty huge complexity jump since you'd have to implement custom parsers for at least JSON, YAML, TOML, and XML. I'd recommend checking out |
|
Hey, is this still the case? Has anybody implemented the gh-action yet? |
|
We have an action in Kuma that does that - https://github.com/kumahq/kuma/blob/master/.github/workflows/update-insecure-dependencies.yaml#L42 |
|
Thanks @slonka! We're also looking at building officially workflows to run osv-scanner as part of GH Actions soon. @another-rex is the one owning this :) Having existing examples of real users is super helpful! |
This PR features: - Refactors the format flag's internal logic so that we can don't need to repeat the format types so much, and we can test when we add a new format entry if we forgot anything. - Adds a new format "sarif", which returns a SARIF report (closes #216 ) - Adds a Github Action `action.yaml` and it's specialized dockerfile `action.dockerfile`. This docker image runs a bash script wrapping osv-scanner, first by preprocessing the input so the last argument will be split by new line, allowing the workflow user to pass in multiple directories/files they wish to scan. The script also changes exit codes 127 and 128 to 0 as they contain errors that the user can't really do anything about. - Adds two reusable workflows using this new github action for this repo - Reusable PR workflow, for using to check if PRs introduce new vulnerabilities. - Reusable Scheduled workflow, for use to regularly check for new vulns applying to your existing vulns. - Adds an experimental flag: `--experimental-diff`, which will only output the difference between a previous run and this run of the osv-scanner. This is for use in the PR workflow. - Sorts the grouped ID output. Closes #57 Currently the reusable workflow has to point to a specific action which cannot be relative (otherwise it would point to the wrong action when reused in another repo). This means right now it's pointed to this fork/branch instead of the master branch, this will need to be updated once this PR is merged. Example of what workflow sarif output looks like:  Here is an example of the PR reusable workflow working: another-rex/scorecard-check-osv-e2e#1 That PR adds an additional vulnerability, which causes it to fail. You can see that only the new vuln is showing up in the code scanning report: https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1 TODO after this PR is merged: - Change links that point to this PR branch to point to main (and/or a tagged commit of main) - Add support for annotations - Add documentation (this is for later, as we want to dogfood it in our own repos first before broadcasting this widely) --------- Signed-off-by: Rex P <rexpan@google.com>
For running osv-scanner
The text was updated successfully, but these errors were encountered: