diff --git a/.github/workflows/osv-scanner-unified-workflow.yml b/.github/workflows/osv-scanner-unified-workflow.yml new file mode 100644 index 00000000..5031765d --- /dev/null +++ b/.github/workflows/osv-scanner-unified-workflow.yml @@ -0,0 +1,53 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: OSV-Scanner + +on: + pull_request: + branches: ["main"] + merge_group: + types: [checks_requested] + schedule: + - cron: "12 12 * * 1" + push: + branches: ["main"] + +permissions: + # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117 + actions: read + # Require writing security events to upload SARIF file to security tab + security-events: write + # Read commit contents + contents: read + +jobs: + scan-scheduled: + if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@3adb4b14a2b0623876d18d863a498b785fb3752d" # v2.3.8 + with: + # Example of specifying custom arguments + scan-args: |- + --include-git-root + -r + ./ + scan-pr: + if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@3adb4b14a2b0623876d18d863a498b785fb3752d" # v2.3.8 + with: + # Example of specifying custom arguments + scan-args: |- + --include-git-root + -r + ./ diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 00000000..56c06782 --- /dev/null +++ b/osv-scanner.toml @@ -0,0 +1,4 @@ +[[IgnoredVulns]] +id = "MAL-2026-6561" +# ignoreUntil = 2022-11-09 # Optional exception expiry date +reason = "No actual action can be taken as the pypi has already removed it"