OSV-scanner on PR check

Author: kaxuna

.github/workflows/gradle.yml

@@ -0,0 +1,38 @@
+name: OSV-Scanner (PR Check)
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  osv-scan:
+    name: Scan for New Vulnerabilities
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write # Required to upload results to GitHub Security tab
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Important: Fetch full history for diff comparison
+
+      - name: Run OSV-Scanner
+        uses: google/osv-scanner-action@v1
+        with:
+          # This specific config enables the "Diff" logic from your diagram
+          scan-args: |-
+            --recursive
+            --format=sarif
+            --output=results.sarif
+          
+          # Optional: If you want to block the PR on new findings
+          fail-on-vuln: true 
+          
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() # Upload results even if the scan fails
+        with:
+          sarif_file: results.sarif