feat(security): add github workflow to check dependencies

This workflow action uses OSV Scanner, an open source vulnerability scanner by Google. We're using OSV Scanner because it has:

* good usability - JSON output and multiple options
* good accuracy - OSV database from google and support for multiple languages including PHP
parent 47fc1a2943
commit 8eb5b3467a
.github/workflows/check-dependencies.yml (vendored, normal file, 19 lines)
@ -0,0 +1,19 @@
name: Check dependencies
# Adapted from https://google.github.io/osv-scanner/github-action/#scan-on-pull-request
on:
pull_request:
branches: [main, 1.*.x]
merge_group:
branches: [main, 1.*.x]
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read
jobs:
scan-pr:
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.7.1"
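Review bot: the reusable workflow reference `uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.7.1"` is pinned to a tag, which is mutable; since this job is granted `security-events: write`, pin it to the full commit SHA of v1.7.1 and keep the version as a trailing `# v1.7.1` comment so a moved tag cannot change what runs. Also worth a comment next to `security-events: write`: on `pull_request` runs coming from forks the token is read-only regardless of this block, so the SARIF upload step will fail there and that failure should not be read as a vulnerability finding.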
.github/workflows/osv-scanner.yml (vendored, 27 lines)
@ -1,27 +0,0 @@
name: OSV Scanner
on:
pull_request:
push:
jobs:
OSV-Scanner:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Golang
uses: actions/setup-go@v4
with:
go-version: '1.19'
- name: Install OSV Scanner
run: |
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
- name: Scan for Vulnerabilities
run: |
osv-scanner -r .
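Review bot: the removed workflow ran on `push:` as well as `pull_request:`, while the replacement in check-dependencies.yml triggers only on `pull_request` and `merge_group`; a direct push to `main`, or an advisory published after a lockfile has already merged, will therefore no longer be scanned. If that coverage is wanted, add a `push` or `schedule` trigger to the new workflow. Dropping `go install github.com/google/osv-scanner/cmd/osv-scanner@latest` is an improvement on its own, since `@latest` made the scanner version unreproducible from one run to the next.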