fix(security): osv-scanner exit 128 is not a failure #11

Merged: WomB0ComB0 merged 1 commit into main from fix/osv-128 on Apr 15, 2026

Conversation

WomB0ComB0 (Member) commented Apr 15, 2026

osv-scanner v2 returns exit 128 when a repo has no package manifests (scripts-only repos like dev). Map to exit 0; other codes still propagate.

Summary by CodeRabbit

  • Chores
    • Enhanced security scan workflow to gracefully handle cases where no package sources are detected, preventing unnecessary build failures during scanning operations.

osv-scanner v2 exits 128 when a target has no package manifests
(e.g. scripts-only repos like resq-software/dev). That's not a failure —
it just means there's nothing to scan. Map 128 → exit 0 and leave all
other exit codes as-is.
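The exit-code mapping this PR describes, written out as an added POSIX sh example rather than the repository's own workflow step: 128 (no package sources found) becomes 0, every other status is returned unchanged. The `osv-scanner scan source -r .` invocation is an assumption, and `run_osv` accepts any command so the self-check can stand in for the scanner with `sh -c 'exit N'`.

```shell
#!/bin/sh
# Added example, not the project's security-scan.yml. Implements the rule
# from the PR: osv-scanner v2 exits 128 when a target has no package
# manifests; that is "nothing to scan", not a failed scan, so a CI step
# should map it to 0 and let every other non-zero code fail the job.

OSV_NO_SOURCES_RC=128   # exit code quoted in the PR for "no package sources found"

# map_osv_exit CODE  -> prints the status the CI step should exit with
map_osv_exit() {
  case "$1" in
    "$OSV_NO_SOURCES_RC") echo 0 ;;    # nothing to scan is not a failure
    *)                    echo "$1" ;; # real findings / errors propagate
  esac
}

# run_osv [cmd...]   -> runs the scanner and returns the mapped status.
# Default command is an assumed osv-scanner v2 invocation; pass any
# command (e.g. sh -c 'exit 128') to exercise the mapping offline.
run_osv() {
  if [ "$#" -eq 0 ]; then
    set -- osv-scanner scan source -r .
  fi
  rc=0
  "$@" || rc=$?          # capture the status without tripping `set -e`
  mapped=$(map_osv_exit "$rc")
  if [ "$rc" -ne "$mapped" ]; then
    echo "osv-scanner exited $rc (no package sources found); treating as success" >&2
  fi
  return "$mapped"
}

# A workflow step would be the same body under `run: |`, e.g.
#   set +e; osv-scanner scan source -r .; rc=$?; set -e
#   [ "$rc" -eq 128 ] && exit 0; exit "$rc"
# The unconditional form `run: osv-scanner scan source -r .` is what
# failed scripts-only repositories before this change.
```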
gemini-code-assist (Bot) commented

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai (Bot) commented Apr 15, 2026

Caution

Review failed

The pull request is closed.


Commits

Reviewing files that changed from the base of the PR and between 3dfbe86 and 0d495c7.

Files selected for processing (1)
  • .github/workflows/security-scan.yml

Walkthrough

The OSV-Scanner step in the security workflow now conditionally treats exit code 128 (no package sources found) as success, while preserving failure behavior for other non-zero exit codes. Previously, any non-zero exit would fail the step unconditionally.

Changes

  • Cohort: OSV-Scanner Error Handling
    File(s): .github/workflows/security-scan.yml
    Summary: Added conditional exit code handling to treat code 128 as success (exit 0) when no package sources are found, while preserving failure for other non-zero codes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A scanner hops through the code with care,
Finding packages hiding here and there,
But when the sources vanish from sight,
Exit code 128 now does right—
No failure blamed when nothing's there!


@WomB0ComB0 WomB0ComB0 merged commit 9069479 into main Apr 15, 2026
4 of 5 checks passed
@WomB0ComB0 WomB0ComB0 deleted the fix/osv-128 branch April 15, 2026 05:18
WomB0ComB0 added a commit that referenced this pull request Jun 1, 2026
…by name

The reusable security-scan workflow consumes SEMGREP_APP_TOKEN, SNYK_TOKEN
and GITLEAKS_LICENSE in its jobs but did not declare them under
workflow_call, forcing callers to use `secrets: inherit` -- which forwards
ALL of the caller's secrets and trips zizmor's `secrets-inherit` audit
(e.g. resq-software/programs alert #11). Declare them explicitly (all
required: false, each gated by its enable-* input). Backward-compatible.
WomB0ComB0 added a commit that referenced this pull request Jun 1, 2026
…by name (#21)