Skip to content

Open Source Vulnerabilities Scanner #709

Open Source Vulnerabilities Scanner

Open Source Vulnerabilities Scanner #709

## %CopyrightBegin%
##
## Copyright Ericsson AB 2024. All Rights Reserved.
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
## %CopyrightEnd%
## Runs the Google OSV-scanner utility to detect known vulnerabilities.
## The scan is run on each PR/push and also periodically on each maintained branch
name: Open Source Vulnerabilities Scanner
on:
pull_request:
push:
workflow_dispatch:
schedule:
- cron: 0 1 * * *
permissions:
contents: read
jobs:
schedule-scan:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
# if: github.event_name != 'workflow_dispatch' # used for testing
outputs:
versions: ${{ steps.get-versions.outputs.versions }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
- id: get-versions
name: Fetch latest 3 OTP versions
run: |
echo "versions=$(.github/scripts/get-supported-branches.sh)" >> "$GITHUB_OUTPUT"
run-scheduled-scan:
# Fan out and create requests to run OSV on multiple branches.
# It always succeed: either it sends requests to branches that
# can run 'scan-pr' (if the repo/branch contains this file) or
# skips sending the request.
needs: schedule-scan
runs-on: ubuntu-latest
strategy:
matrix:
type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
fail-fast: false
permissions:
actions: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
with:
ref: ${{ matrix.type }}
- name: Trigger Vulnerability Scanning
env:
GH_TOKEN: ${{ github.token }}
if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
-f "ref=${{ matrix.type }}"
scan-pr:
# run-scheduled-scan triggers this job
# PRs and pushes trigger this job
if: github.event_name != 'schedule'
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Required to upload SARIF file to CodeQL.
# See: https://github.com/github/codeql-action/issues/2117
actions: read
contents: read
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]