| -rw-r--r-- | .github/workflows/osv-scanner-pr.yml | 17 | ||||
| -rw-r--r-- | .github/workflows/osv-scanner-scheduled.yml | 19 | ||||
| -rw-r--r-- | .github/workflows/osv-scanner.yml | 49 |
3 files changed, 36 insertions, 49 deletions
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
new file mode 100644
index 0000000000..944fae76b7
--- /dev/null
+++ b/.github/workflows/osv-scanner-pr.yml
@@ -0,0 +1,17 @@
+---
+name: OSV-Scanner PR Scan
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+
+jobs:
+ scan-pr:
+ # yamllint disable rule:line-length
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e45d2960258cf40285d596a10f817af70af1f7" # v1.7.4
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 0000000000..a92118abd3
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,19 @@
+---
+name: OSV-Scanner Scheduled Scan
+
+on:
+ schedule:
+ - cron: "30 12 * * 1"
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+
+jobs:
+ scan-scheduled:
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e45d2960258cf40285d596a10f817af70af1f7" # v1.7.4
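Review bot: The `permissions` block in this hunk no longer grants `actions: read`, which the deleted osv-scanner.yml carried for the called reusable workflow; the osv-scanner-scheduled.yml hunk drops it the same way. As far as I know the SARIF upload inside the reusable workflow needs that permission only on private repositories, so on a public repository this is presumably fine, but the removal is silent and the old file's "(???)" comment shows nobody was sure why it was there, so record the decision next to `contents: read`: `# actions: read is only required for SARIF upload on private repositories`. The `with: scan-args: -r --skip-git ./` block is also gone from both jobs, so they now depend on the reusable workflow's default arguments at the pinned commit; confirm that default still scans the whole tree with the same `--skip-git` behaviour, or restore the explicit `with:` so the scan scope stays visible in this repository.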
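Review bot: The `uses:` line in the osv-scanner-scheduled.yml hunk is as long as the one in osv-scanner-pr.yml, but only the PR workflow carries `# yamllint disable rule:line-length` above it; add the same directive above `uses:` here so the two new files lint identically. The schedule also lost the explanatory comment the deleted workflow had, so a line such as `# Weekly, Mondays 12:30 UTC; results populate the repository's security tab` above `- cron:` would keep the cadence and its purpose visible to the next reader. Since this job also runs on every `push` to `main`, `name: OSV-Scanner Scheduled Scan` slightly misdescribes it in the Actions UI; something like `name: OSV-Scanner Full Scan` would cover both triggers.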
\ No newline at end of file
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
deleted file mode 100644
index 31a5d7db51..0000000000
--- a/.github/workflows/osv-scanner.yml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Scan for vulnerabilities (OSV-scanner)
-
-on:
- pull_request:
- push:
- branches: ["main"]
- schedule:
- # At 06:20 UTC every day. Will populate the security tab on github:
- # https://github.com/mullvad/mullvadvpn-app/security/advisories
- - cron: '20 6 * * *'
- workflow_dispatch:
-
-permissions:
- # Require writing security events to upload SARIF file to security tab
- security-events: write
- # Only need to read contents
- contents: read
- # Needed to read the workflow from another repository(???)
- actions: read
-
-jobs:
- scan-scheduled:
- # yamllint disable rule:line-length
- if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' }}
- # yamllint disable rule:line-length
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e45d2960258cf40285d596a10f817af70af1f7" # v1.7.4
- with:
- scan-args: -r --skip-git ./
- scan-pr:
- if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
- # yamllint disable rule:line-length
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e45d2960258cf40285d596a10f817af70af1f7" # v1.7.4
- with:
- scan-args: -r --skip-git ./ |
