Skip to content

OSV-Scanner Scan

OSV-Scanner Scan #5

# runs vulnerability scans and add them to Github Security tab
name: OSV-Scanner Scan
on:
workflow_dispatch:
schedule:
- cron: "0 6 * * 1"
permissions: {}
jobs:
scan-scheduled:
permissions:
actions: read
contents: read
security-events: write # for uploading SARIF files
if: ${{ github.repository == 'metal3-io/cluster-api-provider-metal3' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> "${GITHUB_OUTPUT}"
- name: Set up Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: ${{ steps.vars.outputs.go_version }}
- name: Install OSV Scanner
run: go install github.com/google/osv-scanner/cmd/osv-scanner@b13f37e1a1e4cb98556c1d34cd3256a876929be1 # v1.9.1
- name: Run OSV Scanner
run: |
osv-scanner scan \
--format json --output results.json --recursive --skip-git \
--config=<( echo "GoVersionOverride = \"${{ steps.vars.outputs.go_version }}\"" ) \
./
continue-on-error: true
- name: "Run OSV Scanner Reporter"
uses: google/osv-scanner/actions/reporter@1e295ee11c5e107886e58bacb04228325082146f # v1.9.2
with:
scan-args: |-
--output=results.sarif
--new=results.json
--gh-annotations=false
continue-on-error: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
sarif_file: results.sarif