feat(security): add github workflow to check dependencies
This workflow action uses OSV Scanner, an open source vulnerability scanner by Google. We're using OSV Scanner because it has: * good usability - JSON output and multiple options * good accuracy - OSV database from google and support for multiple languages including PHP
This commit is contained in:
parent
47fc1a2943
commit
8eb5b3467a
19
.github/workflows/check-dependencies.yml
vendored
Normal file
19
.github/workflows/check-dependencies.yml
vendored
Normal file
|
@ -0,0 +1,19 @@
|
|||
name: Check dependencies
|
||||
|
||||
# Adapted from https://google.github.io/osv-scanner/github-action/#scan-on-pull-request
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main, 1.*.x]
|
||||
merge_group:
|
||||
branches: [main, 1.*.x]
|
||||
|
||||
permissions:
|
||||
# Require writing security events to upload SARIF file to security tab
|
||||
security-events: write
|
||||
# Only need to read contents
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
scan-pr:
|
||||
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.7.1"
|
27
.github/workflows/osv-scanner.yml
vendored
27
.github/workflows/osv-scanner.yml
vendored
|
@ -1,27 +0,0 @@
|
|||
name: OSV Scanner
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
push:
|
||||
|
||||
jobs:
|
||||
OSV-Scanner:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install Golang
|
||||
uses: actions/setup-go@v4
|
||||
with:
|
||||
go-version: '1.19'
|
||||
|
||||
- name: Install OSV Scanner
|
||||
run: |
|
||||
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
|
||||
|
||||
- name: Scan for Vulnerabilities
|
||||
run: |
|
||||
osv-scanner -r .
|
Loading…
Reference in a new issue