Bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 1.9.2 to 2.3.5

[dependabot]

Bumps google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 1.9.2 to 2.3.5.

Release notes

Sourced from google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml's releases.

v2.3.5

This updates OSV-Scanner to v2.3.5.

What's Changed

• Update to v2.3.5 by @​tobyhawker in google/osv-scanner-action#124

New Contributors

• @​tobyhawker made their first contribution in google/osv-scanner-action#124

Full Changelog: google/osv-scanner-action@v2.3.3...v2.3.5

v2.3.3

This updates OSV-Scanner to v2.3.3.

What's Changed

• chore(deps): update github/codeql-action action to v4.31.10 by @​renovate-bot in google/osv-scanner-action#115
• Update to v2.3.3 by @​Ly-Joey in google/osv-scanner-action#118

New Contributors

• @​Ly-Joey made their first contribution in google/osv-scanner-action#118

Full Changelog: google/osv-scanner-action@v2.3.2...v2.3.3

v2.3.2

This updates OSV-Scanner to v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

• [Bug #2415](google/osv-scanner#2415) Add more PURL-to-ecosystem mappings
• [Bug #2422](google/osv-scanner#2422) MCP error for get_vulnerability_id because type definition is incorrect.
• [Bug #2460](google/osv-scanner#2460) Enable osv-scanner.json git queries
• [Bug #2456](google/osv-scanner#2456) Properly track if an ignore entry has been used
• [Bug #2450](google/osv-scanner#2450) Performance: Avoid loading the entire advisory unless it will actually be used
• [Bug #2445](google/osv-scanner#2445) Performance: Don't read the entire zip into memory
• [Bug #2433](google/osv-scanner#2433) Allow specifying user agent in v2 osvscanner package

Misc:

• [Misc #2453](google/osv-scanner#2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
• [Misc #2447](google/osv-scanner#2447) Include bun.lock as a supported lockfile
• [Misc #2444](google/osv-scanner#2444) Document GoVersionOverride in configuration.md

Full Changelog: google/osv-scanner@v2.3.1...v2.3.2

v2.3.1

What's Changed

• chore(deps): update workflows (major) by @​renovate-bot in google/osv-scanner-action#105
• chore(deps): update github/codeql-action action to v4.31.7 by @​renovate-bot in google/osv-scanner-action#108

... (truncated)

Commits

• c518547 Merge pull request #124 from google/update-to-v2.3.5
• 1fc5ec2 Update unified workflow example to point to v2.3.5 reusable workflows
• 3d5827d Update reusable workflows to point to v2.3.5 actions
• 7222d1c "Update actions to use v2.3.5 osv-scanner image"
• a30b4c3 Merge pull request #120 from google/lsc-1771431861.8381045
• 62f47c7 Fix missing env var after the initial change
• b7ee968 Refactor Github Action per b/485167538
• c5996e0 Merge pull request #118 from google/update-to-v2.3.3
• f4fac92 Update unified workflow example to point to v2.3.3 reusable workflows
• 8ae4be8 Update reusable workflows to point to v2.3.3 actions
• Additional commits viewable in compare view

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The dependency analysis found no issues. However, the code analysis identified a high-severity supply chain security risk in .github/workflows/osv-scanner-scheduled.yml (line 18): the reusable workflow google/osv-scanner-action is referenced using a mutable version tag (v2.3.5) instead of a pinned, immutable commit SHA. Mutable tags can be silently reassigned by the upstream repository owner or a compromised account to point to malicious code, enabling a supply chain attack within the CI pipeline. This risk is especially critical for a repository under the OpenSSF package-analysis project, where supply chain integrity is a primary concern. Action Required: Replace the mutable tag reference with the full commit SHA corresponding to the v2.3.5 release: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<full-commit-sha> # v2.3.5

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

The reusable workflow reference uses a mutable tag v2.3.5 instead of a pinned immutable commit SHA. Tags can be reassigned to point to malicious commits, enabling supply chain compromise. Pin the reference to the full commit SHA corresponding to the v2.3.5 release of google/osv-scanner-action.

• Location: .github/workflows/osv-scanner-scheduled.yml:18

• Potential Code Fix:

uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<full-commit-sha> # v2.3.5

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: bb6d801, performed at: 2026-05-15T02:17:46Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

Issue: The reusable workflow reference uses a mutable tag v2.3.5 instead of a pinned immutable commit SHA. Tags can be reassigned to point to malicious commits, enabling supply chain compromise. Pin the reference to the full commit SHA corresponding to the v2.3.5 release of google/osv-scanner-action.

Recommended Code Changes:

uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<full-commit-sha> # v2.3.5

[kusari-inspector]

Kusari PR Analysis rerun based on - 34a20ea performed at: 2026-05-15T01:58:32Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - bf700f5 performed at: 2026-05-15T02:06:11Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - bb6d801 performed at: 2026-05-15T02:18:02Z - link to updated analysis