OSV-scanner on PR check #67
```yaml
name: OSV-Scanner (PR Check)

on:
  pull_request:
    branches: [ "main" ]

jobs:
  osv-scan:
    name: Scan for New Vulnerabilities
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # Required to upload results to the GitHub Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Important: fetch full history for diff comparison

      - name: Run OSV-Scanner
        uses: google/osv-scanner-action@v1
        with:
          # Intended to enable the "Diff" logic from your diagram.
          # Note: these flags run a full recursive scan of the checkout and
          # do not by themselves compare against the base branch.
          scan-args: |-
            --recursive
            --format=sarif
            --output=results.sarif
          # Optional: fail the job (and so block the PR) on any finding
          fail-on-vuln: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        if: always() # Upload results even if the scan step failed
        with:
          sarif_file: results.sarif
```