36 changes: 0 additions & 36 deletions .github/workflows/osv-scanner.yml
@@ -1,37 +1 @@
name: OSV-Scanner

Action required

2. Dependency scan coverage regression 🐞 Bug ⛨ Security

The PR removes the OSV-Scanner workflow that previously ran on PR/push/schedule, and the remaining workflows don't appear to run dependency/SCA vulnerability checks (e.g., osv-scanner, npm audit, snyk test for open-source deps) or upload such results as SARIF. This reduces visibility into known vulnerable dependencies compared to before.
Agent Prompt
### Issue description
The OSV-Scanner workflow has been removed, and the repo no longer appears to run a dependency/SCA vulnerability scan as part of PR/push/schedule automation.

### Issue Context
- Node CI installs dependencies but does not run an audit.
- The existing Snyk workflow runs `command: code test` (SAST), not dependency testing.
- Dependabot version updates are configured, but that does not provide an on-PR SCA scan/SARIF signal.

### Fix Focus Areas
- .github/workflows/osv-scanner.yml[1-1]
- .github/workflows/node.js.yml[4-33]
- .github/workflows/snyk-infrastructure.yml[34-42]



Action required

1. Empty osv workflow 🐞 Bug ⛨ Security

.github/workflows/osv-scanner.yml is now empty, so OSV-Scanner will not run anymore (and the workflow file may be considered invalid by GitHub Actions). This removes an existing security control from PR/push/scheduled CI.
Agent Prompt
### Issue description
The OSV scanner workflow file is empty, so the OSV scan will not run.

### Issue Context
This PR removed all prior workflow configuration from `.github/workflows/osv-scanner.yml`. An empty workflow file disables the scan and may be treated as invalid by GitHub Actions.

### Fix Focus Areas
- .github/workflows/osv-scanner.yml[1-1]


Action required

1. Invalid empty workflow 🐞 Bug ⛯ Reliability

The OSV workflow file now contains only a blank line (no name, on, or jobs), which is likely an invalid GitHub Actions workflow and can create persistent "invalid workflow" noise/confusion in the repo's Actions configuration. If the intent was to remove OSV scanning, the file should be deleted rather than left empty.
Agent Prompt
### Issue description
`.github/workflows/osv-scanner.yml` is currently empty. An empty file in `.github/workflows/` is at best dead configuration and at worst an invalid workflow that produces GitHub Actions configuration errors/noise.

### Issue Context
The PR removed the full OSV-Scanner workflow content but left the file present with a single blank line.

### Fix Focus Areas
- .github/workflows/osv-scanner.yml[1-1]


on:
pull_request:
branches: [ "main", "DSSRF_Branch_Rule" ]
merge_group:
branches: [ "main", "DSSRF_Branch_Rule" ]
schedule:
- cron: '* * * * *'
push:
branches: [ "main", "DSSRF_Branch_Rule" ]

permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Read commit contents
contents: read

jobs:
scan-scheduled:
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
--skip-git
./
scan-pr:
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
--skip-git
./
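Review bot: this hunk (`@@ -1,37 +1 @@`) empties `.github/workflows/osv-scanner.yml` but keeps the file, so the repository loses its only dependency-vulnerability scan and SARIF upload (the `security-events: write` permission existed for exactly that) while a workflow file with no `name`, `on` or `jobs` stays behind for GitHub Actions to flag as invalid. If the intent is to stop scanning, delete the file outright instead of leaving a blank one; if the intent is to stop the runaway schedule, the likely culprit is `cron: '* * * * *'` in the removed block, which asks for a run every minute (GitHub Actions' shortest supported schedule interval is every 5 minutes), so replacing that one line with a sane schedule such as `cron: '0 6 * * 1'` and keeping the `scan-pr` and `scan-scheduled` jobs would fix the problem without dropping the control.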