Skip to content
OSV-Scanner PR Scan

Add *ready tag* check #5

Sign in to view logs

Add *ready tag* check

Add *ready tag* check #5

Workflow file for this run

.github/workflows/osv-scanner-pr.yml at f21748a
---
name: OSV-Scanner PR Scan
# see https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-reusable-pr.yml
on:
pull_request:
branches: [main]
merge_group:
branches: [main]
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read
jobs:
scan-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Do persist credentials, as we need it for the git checkout later
- name: "Checkout target branch"
run: git checkout $GITHUB_BASE_REF
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: "Setup venv"
run: python -m venv venv
- name: "Install in venv"
run: ./venv/bin/pip install -e .
- name: "Freeze dependencies"
run: ./venv/bin/pip freeze > ./requirements.txt
- name: "Run scanner on requirements.txt"
uses: google/osv-scanner/actions/scanner@main
continue-on-error: true
with:
scan-args: |-
--format=json
--output=old-results.json
--lockfile=./requirements.txt
- name: "Cleanup venv"
run: rm -rf ./venv
- name: "Checkout current branch"
run: git checkout $GITHUB_SHA
- name: "Setup venv"
run: python -m venv venv
- name: "Install in venv"
run: ./venv/bin/pip install -e .
- name: "Freeze dependencies"
run: ./venv/bin/pip freeze > ./requirements.txt
- name: "Run scanner on new code"
uses: google/osv-scanner/actions/scanner@main
with:
scan-args: |-
--format=json
--output=new-results.json
--lockfile=./requirements.txt
continue-on-error: true
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner/actions/reporter@main
with:
scan-args: |-
--output=results.sarif
--old=old-results.json
--new=new-results.json
--gh-annotations=true
--fail-on-vuln=true
# Upload the results as artifacts (optional).
- name: "Upload artifact"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload old scan json results"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: old-json-results
path: old-results.json
retention-days: 5
- name: "Upload new scan json results"
if: "!cancelled()"
uses: actions/upload-artifact@v4
with:
name: new-json-results
path: new-results.json
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
# - name: "Upload to code-scanning"
# if: "!cancelled()"
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: results.sarif