build: use osv-scanner-reusable GitHub Action
bestbeforetoday committed Jun 11, 2024
1 parent 2c4dce9 commit e7d6433
Showing 2 changed files with 47 additions and 22 deletions.
27 changes: 5 additions & 22 deletions .github/workflows/pr.yml
Expand Up @@ -34,28 +34,11 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: gradle/actions/wrapper-validation@v3
osv-scanner:
runs-on: ubuntu-latest
continue-on-error: true
strategy:
fail-fast: false
matrix:
project:
- core
- isthmus
- isthmus-cli
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
- name: Install OSV-Scanner
run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
- name: Generate SBOM
run: ./gradlew :${{ matrix.project }}:cyclonedxBom
- name: Scan
run: osv-scanner scan --sbom ${{ matrix.project }}/build/reports/bom.json
scan:
uses: ./.github/workflows/vulnerability-scan.yml
permissions:
contents: read
security-events: write
java:
name: Build and Test Java
runs-on: ubuntu-latest
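Review bot: The new `scan` job at the end of this hunk drops the `continue-on-error: true` that the removed `osv-scanner` job carried, so any OSV finding or scanner failure now blocks the PR check instead of being advisory; confirm that is the intent. If it is not, be aware that `continue-on-error` is not among the keys GitHub accepts on a job that `uses:` a reusable workflow, so the non-blocking behaviour would have to be provided inside vulnerability-scan.yml rather than on this caller job. Separately, if pr.yml runs on `pull_request` events from forks, the fork run's token cannot be granted `security-events: write`, so whatever step in the called workflow depends on that permission (presumably a results upload) will fail on those PRs. A short comment on the `permissions:` block would make both points visible to the next maintainer, e.g. `# security-events: write is needed by the reusable scanner; not available on fork PRs`.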
42 changes: 42 additions & 0 deletions .github/workflows/vulnerability-scan.yml
@@ -0,0 +1,42 @@
name: Security vulnerability scan

on:
workflow_call:

permissions:
contents: read

jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Generate SBOM
run: ./gradlew cyclonedxBom
- uses: actions/upload-artifact@v4
with:
name: cyclonedx-sboms
path: |
core/build/reports/bom.json
isthmus/build/reports/bom.json
isthmus-cli/build/reports/bom.json
scan:
needs: sbom
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
project:
- core
- isthmus
- isthmus-cli
uses: google/osv-scanner-action/.github/workflows/[email protected]
with:
download-artifact: cyclonedx-sboms
scan-args: |-
--sbom=${{ matrix.project }}/build/reports/bom.json
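Review bot: Every `uses:` in this new file points at a mutable tag (`actions/checkout@v4`, `actions/setup-java@v4`, `actions/upload-artifact@v4`, and `google/osv-scanner-action/.github/workflows/[email protected]`), so a workflow whose job is supply-chain assurance itself trusts whatever those refs resolve to at run time; pin each one to a full-length commit SHA with the version kept as a trailing comment, e.g. `- uses: actions/checkout@<40-hex-sha>  # v4`. The `osv-scanner-reusable.yml` ref matters most, since that workflow receives the SBOM artifact and runs under the `security-events: write` grant in the `scan` job. A Dependabot or Renovate `github-actions` update rule keeps SHA pins current without manual churn. The top-level `permissions: contents: read` is the right least-privilege default; a one-line comment above the `scan` job's `security-events: write` stating why it is required (presumably for uploading scan results) would discourage that grant being widened later without reason.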
