
Recreated GitHub Action PR #432

Merged (91 commits) Jul 31, 2023
Conversation

@another-rex (Collaborator) commented Jul 5, 2023

This PR features:

  • Refactors the format flag's internal logic so that we don't need to repeat the format types so much, and we can test, when we add a new format entry, whether we forgot anything.
  • Adds a new format "sarif", which returns a SARIF report (closes Add support for SARIF output #216 )
  • Adds a GitHub Action action.yaml and its specialized dockerfile action.dockerfile. This docker image runs a bash script wrapping osv-scanner, first by preprocessing the input so the last argument will be split by new line, allowing the workflow user to pass in multiple directories/files they wish to scan. The script also changes exit codes 127 and 128 to 0 as they contain errors that the user can't really do anything about.
  • Adds two reusable workflows using this new github action for this repo
    • Reusable PR workflow, for using to check if PRs introduce new vulnerabilities.
    • Reusable Scheduled workflow, for use to regularly check for new vulns applying to your existing vulns.
  • Adds an experimental flag: --experimental-diff, which will only output the difference between a previous run and this run of the osv-scanner. This is for use in the PR workflow.
  • Sorts the grouped ID output.

Closes #57

Currently the reusable workflow has to point to a specific action, which cannot be relative (otherwise it would point to the wrong action when reused in another repo). This means right now it's pointed to this fork/branch instead of the master branch; this will need to be updated once this PR is merged.

Example of what workflow SARIF output looks like: [image]

Here is an example of the PR reusable workflow working:

another-rex/scorecard-check-osv-e2e#1

That PR adds an additional vulnerability, which causes it to fail. You can see that only the new vuln is showing up in the code scanning report: https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1

TODO after this PR is merged:

  • Change links that point to this PR branch to point to main (and/or a tagged commit of main)
  • Add support for annotations
  • Add documentation (this is for later, as we want to dogfood it in our own repos first before broadcasting this widely)
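As an added illustration of the two wrapper behaviours the PR summary attributes to the action's bash script (splitting the last argument on newlines into one path per argument, and mapping exit codes 127 and 128 to 0), here is a small POSIX shell script. It is example code written for this page, not the project's action.dockerfile script; the names wrap_osv_scanner, fake_scanner, OSV_SCANNER and FAKE_EXIT are assumptions, and fake_scanner is a constructed stand-in so the wrapper can be run offline without osv-scanner installed.

```shell
#!/bin/sh
# Added illustration of the wrapper behaviour described in PR #432; NOT the
# project's action script. wrap_osv_scanner, fake_scanner, OSV_SCANNER and
# FAKE_EXIT are names assumed for this example.

# wrap_osv_scanner FLAG... PATHS
#   Keeps every argument except the last untouched, splits the last argument on
#   newlines so a multi-line workflow input becomes one argument per path, runs
#   the scanner, and maps exit codes 127 and 128 to 0 (the PR treats those as
#   errors the workflow user cannot act on). Every other status passes through.
wrap_osv_scanner() {
  scanner="${OSV_SCANNER:-osv-scanner}"   # OSV_SCANNER lets a test substitute a stand-in
  if [ "$#" -eq 0 ]; then
    "$scanner"
  else
    # Remember the last argument, then drop it from the positional parameters
    # by rotating the first $#-1 arguments to the back and shifting the last off.
    last=""
    for arg in "$@"; do last="$arg"; done
    keep=$(( $# - 1 ))
    i=0
    while [ "$i" -lt "$keep" ]; do
      set -- "$@" "$1"
      shift
      i=$(( i + 1 ))
    done
    shift
    # Split the saved argument on newlines only; globbing is disabled so a path
    # containing '*' is not expanded. Empty lines are skipped by field splitting.
    oldifs="$IFS"
    IFS='
'
    set -f
    for path in $last; do
      set -- "$@" "$path"
    done
    set +f
    IFS="$oldifs"
    "$scanner" "$@"
  fi
  status=$?
  case "$status" in
    127|128) return 0 ;;
    *) return "$status" ;;
  esac
}

# fake_scanner: constructed stand-in for osv-scanner so the wrapper can be
# exercised offline. It echoes each received argument on its own line and exits
# with $FAKE_EXIT (default 0), standing in for the real scanner's exit codes.
fake_scanner() {
  for arg in "$@"; do printf 'arg: %s\n' "$arg"; done
  return "${FAKE_EXIT:-0}"
}

# Stand-alone demo: flags are preserved, the multi-line path list is split into
# three arguments, and a simulated exit 128 is reported as success (status 0).
demo() {
  OSV_SCANNER=fake_scanner
  FAKE_EXIT=128
  wrap_osv_scanner --format sarif --recursive 'dir_a
dir_b/go.mod

dir_c'
  echo "wrapper exit status: $?"
}

demo
```

The last argument is treated as the multi-line list because that is where a workflow `with:` input naturally lands when the action appends it after its fixed flags; any leading flags are forwarded unchanged.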

@oliverchang (Collaborator) left a comment:

nice! some minor comments/questions.

.github/workflows/osv-scanner-reusable-pr.yml (outdated, resolved):
- name: "Checkout target branch"
run: git checkout $GITHUB_BASE_REF
- name: "Run scanner"
uses: another-rex/osv-scanner@markdown-output
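Review bot: `uses: another-rex/osv-scanner@markdown-output` references a mutable branch on a personal fork, so every run of this reusable workflow executes whatever that branch points to at the time; pin to a full commit SHA (and, after merge, to google/osv-scanner at a tagged commit) so the scanner code consumers run cannot change underneath them. Also quote the variable in `run: git checkout "$GITHUB_BASE_REF"`, and make sure the preceding checkout step actually fetches the base branch, since a shallow checkout of only the PR merge commit would leave that ref unavailable.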
Collaborator:

Do we need to update all of these references to google/osv-scanner@main ?

Collaborator Author:

Yes we do, but only after this is already merged, otherwise I think it will prevent merging as the action will fail. Maybe a better way is to merge only the code part and have a separate PR for the workflows part.

action.yml (outdated, resolved)
action.yml (outdated):
default: 'sarif'
recursive-search:
description: 'Recursively scan though subdirectories'
required: false
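Review bot: typo in the input description, 'Recursively scan though subdirectories' should read 'through'; the description is surfaced to workflow authors in the action's metadata, so it is worth fixing before this lands.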
Collaborator:

is `required: false` required if there is a default?

Collaborator Author:

I don't think it's required, but I think it's clearer to explicitly state it for all inputs.

@G-Rath (Collaborator) Jul 13, 2023:

Random note because frankly it's weird imo and super easy to miss: required isn't actually enforced "yet"

cmd/osv-scanner/main.go (outdated, resolved)
pkg/models/results.go (outdated, resolved)
pkg/models/results.go (outdated, resolved)
pkg/reporter/format.go (outdated, resolved)
pkg/osvscanner/vulnerability_result.go (outdated, resolved)
pkg/osvscanner/vulnerability_result.go (outdated, resolved)
picatz added a commit to picatz/jose that referenced this pull request Jul 19, 2023
Until google/osv-scanner#432 is merged, this method seems to be required.
@oliverchang (Collaborator) left a comment:

Is there anything in particular blocking this PR from merging at this point?

@another-rex another-rex merged commit ec18942 into google:main Jul 31, 2023
7 checks passed
Linked issues this pull request may close: Add support for SARIF output; Build GitHub actions for running osv-scanner