Skip to content
OSV Scanner

build(deps): Bump step-security/harden-runner from 2.14.0 to 2.14.2 #1319

Sign in to view logs

build(deps): Bump step-security/harden-runner from 2.14.0 to 2.14.2

build(deps): Bump step-security/harden-runner from 2.14.0 to 2.14.2 #1319

Workflow file for this run

.github/workflows/osv-scanner.yml at 893f27e
---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: OSV Scanner
on:
workflow_dispatch:
push:
branches:
- main
pull_request:
branches:
- main
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
# Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
actions: read
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read
jobs:
osv_scanner_job:
runs-on: ubuntu-latest
name: Scan for vulns
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
disable-sudo: false
egress-policy: block
allowed-endpoints: >
api.cloudflare.com:443
api.deps.dev:443
api.github.com:443
api.gumroad.com:443
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
checkpoint-api.hashicorp.com:443
fulcio.sigstore.dev:443
get.opentofu.org:443
ghcr.io:443
github.com:443
gitlab.com:443
golang.org:443
goreleaser.com:443
objects.githubusercontent.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
osv-vulnerabilities.storage.googleapis.com:443
pkg-containers.githubusercontent.com:443
proxy.golang.org:443
registry.npmjs.org:443
rekor.sigstore.dev:443
releases.hashicorp.com:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
tuf-repo-cdn.sigstore.dev:443
uploads.github.com:443
vuln.go.dev:443
www.bestpractices.dev:443
- name: Checkout Source
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: "Run scanner on existing code"
uses: google/osv-scanner-action/osv-scanner-action@2a387edfbe02a11d856b89172f6e978100177eb4 # v2.2.1
continue-on-error: true
with:
scan-args: |-
--format=json
--output=results.json
--recursive .