From d71bd08a70b18bd081cd6257632fea5101d34d99 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Tue, 11 Jun 2024 19:40:00 +0100 Subject: [PATCH] build: use osv-scanner-reusable GitHub Action --- .github/workflows/pr.yml | 24 ++------------ .github/workflows/vulnerability-scan.yml | 42 ++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 22 deletions(-) create mode 100644 .github/workflows/vulnerability-scan.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f59c16e95..59eb7ec9e 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -34,28 +34,8 @@ jobs: steps: - uses: actions/checkout@v4 - uses: gradle/actions/wrapper-validation@v3 - osv-scanner: - runs-on: ubuntu-latest - continue-on-error: true - strategy: - fail-fast: false - matrix: - project: - - core - - isthmus - - isthmus-cli - steps: - - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: stable - - name: Install OSV-Scanner - run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1 - - name: Generate SBOM - run: ./gradlew :${{ matrix.project }}:cyclonedxBom - - name: Scan - run: osv-scanner scan --sbom ${{ matrix.project }}/build/reports/bom.json + scan: + uses: ./.github/workflows/vulnerability-scan.yml java: name: Build and Test Java runs-on: ubuntu-latest diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml new file mode 100644 index 000000000..14645d8ba --- /dev/null +++ b/.github/workflows/vulnerability-scan.yml 
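Review bot: The new caller job `scan:` / `uses: ./.github/workflows/vulnerability-scan.yml` passes no `permissions:` block, yet the called workflow's `scan` job requests `security-events: write`; a called workflow can only receive permissions the calling job itself holds, so if pr.yml sets a restrictive top-level `permissions:` (outside this hunk) the SARIF upload inside the reusable scanner will fail with "Resource not accessible". Grant it explicitly on the caller job, in block style: `permissions:` / `  contents: read` / `  security-events: write`. Be aware that on `pull_request` runs from forks the token is read-only regardless, so the upload step cannot succeed there and the result should be treated as informational. The deleted osv-scanner job was `continue-on-error: true`; the replacement has no equivalent (I do not believe that key is accepted on a job that `uses:` a reusable workflow), so scanner or upload failures now block the PR check — confirm that is intended.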
@@ -0,0 +1,42 @@ +name: Security vulnerability scan + +on: + workflow_call: + +permissions: + contents: read + +jobs: + sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + - name: Generate SBOM + run: ./gradlew cyclonedxBom + - uses: actions/upload-artifact@v4 + with: + name: cyclonedx-sboms + path: | + core/build/reports/bom.json + isthmus/build/reports/bom.json + isthmus-cli/build/reports/bom.json + scan: + needs: sbom + permissions: + security-events: write + strategy: + fail-fast: false + matrix: + project: + - core + - isthmus + - isthmus-cli + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.7.4 + with: + download-artifact: cyclonedx-sboms + scan-args: |- + --sbom=${{ matrix.project }}/build/reports/bom.json
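Review bot: The third-party reusable workflow reference `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.7.4` is pinned to a mutable tag; since this job is granted `security-events: write` and runs on every PR, a retagged or compromised upstream release would execute with that token. Pin it, and `actions/checkout@v4`, `actions/setup-java@v4` and `actions/upload-artifact@v4`, to a full 40-character commit SHA with the version in a trailing comment, e.g. `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<commit-sha> # v1.7.4`, and let Dependabot or Renovate bump the SHA. Separately, the `sbom` job runs `./gradlew cyclonedxBom` on a fresh checkout without wrapper validation; the `gradle/actions/wrapper-validation@v3` step in pr.yml lives in a different job and does not protect this one, so add `- uses: gradle/actions/wrapper-validation@v3` directly after the `actions/checkout@v4` step here. The top-level `permissions: contents: read` with the job-level elevation to `security-events: write` is the right shape and should be kept.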