From bb5f82e360cb2f47a7be9c51870b6e7de85bf02f Mon Sep 17 00:00:00 2001
From: Naomi Most
Date: Thu, 26 Feb 2026 21:27:10 -0800
Subject: [PATCH 1/2] Add Dependabot config and OSV-Scanner workflow for vulnerability scanning
---
 .github/dependabot.yml | 13 ++++++++++++
 .github/workflows/osv-scanner.yml | 33 +++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/osv-scanner.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..08f9948bc
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ reviewers:
+ - "v1r3n"
+ - "c4lm"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 000000000..ef3992d64
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,33 @@
+name: OSV-Scanner Vulnerability Scan
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ osv-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run OSV-Scanner
+ uses: google/osv-scanner-action/osv-scanner-action@v2
+ with:
+ scan-args: |-
+ --recursive
+ ./
+
+ - name: Upload SARIF
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
From a3fcc7be0027309a0c299a132b8972b19063bc2f Mon Sep 17 00:00:00 2001
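Review bot: The `reviewers:` list on the pip entry relies on a dependabot.yml option that GitHub has announced it is deprecating in favor of CODEOWNERS, so the two reviewers may silently stop being requested while the config still validates; a CODEOWNERS rule covering the Python manifest files (constructed example: `/requirements*.txt @v1r3n @c4lm`) is the durable form, and a comment above `reviewers:` noting the planned migration would help the next maintainer. The `github-actions` entry has no reviewers at all, which may be intended but is inconsistent with the pip entry. Neither entry bounds PR volume; an `open-pull-requests-limit` or a `groups:` stanza keeps a weekly run from opening one PR per package.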
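Review bot: The `Upload SARIF` step expects `results.sarif`, but the `scan-args` handed to the scanner (`--recursive ./`) never request SARIF output, so there is nothing for the upload to find; the scanner would need `--format=sarif --output=results.sarif` in `scan-args` (the second patch in this series replaces this job with the upstream reusable workflow, which sidesteps the problem). What survives either way is the pinning: `actions/checkout@v4`, `google/osv-scanner-action/osv-scanner-action@v2` and `github/codeql-action/upload-sarif@v3` are floating tags the tag owner can move, so a mistaken or malicious re-tag runs different code in a job that holds `security-events: write`. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`; the Dependabot `github-actions` entry added in this same series keeps SHA pins current. `if: always()` on the upload also runs after a cancelled job, so a partial file may be uploaded; `if: success() || failure()` expresses the usual intent of uploading findings even when the scan exits non-zero.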
From: Naomi Most
Date: Fri, 27 Feb 2026 01:41:21 -0800
Subject: [PATCH 2/2] Fix OSV-Scanner workflow to use reusable workflows
Split into PR scan and scheduled scan workflows using the official google/osv-scanner-action reusable workflow pattern.
---
 .github/workflows/osv-scanner-scheduled.yml | 16 ++++++++++++
 .github/workflows/osv-scanner.yml | 27 ++++-----------------
 2 files changed, 21 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/osv-scanner-scheduled.yml
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 000000000..5bcf06d6c
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,16 @@
+name: OSV-Scanner Scheduled Scan
+
+on:
+ schedule:
+ - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+ push:
+ branches: [main]
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan-scheduled:
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index ef3992d64..5d573f05a 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -1,33 +1,16 @@
-name: OSV-Scanner Vulnerability Scan
+name: OSV-Scanner PR Scan
 on:
 pull_request:
 branches: [main]
- push:
+ merge_group:
 branches: [main]
- schedule:
- - cron: '0 6 * * 1' # Weekly Monday 6am UTC
- workflow_dispatch:
 permissions:
+ actions: read
 contents: read
 security-events: write
 jobs:
- osv-scan:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Run OSV-Scanner
- uses: google/osv-scanner-action/osv-scanner-action@v2
- with:
- scan-args: |-
- --recursive
- ./
-
- - name: Upload SARIF
- if: always()
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif
+ scan-pr:
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3"
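Review bot: `uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"` pins to a release tag, which upstream can re-point, so a job that runs with `security-events: write` is still not immutably pinned; a full commit SHA with the version in a comment, `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<full-commit-sha> # v2.3.3`, is the immutable form, and the Dependabot `github-actions` entry from the first patch will keep it bumped. The same applies to the `scan-pr` job in osv-scanner.yml in the next hunk. Nothing in this file says why `push` to main is a trigger next to the weekly cron, presumably to rescan main after each merge; a one-line comment above `push:` recording that intent would keep a later maintainer from pruning it. The reusable workflow's inputs are all left at their upstream defaults, so the scan scope is not visible in-repo; either pass them explicitly under `with:` or note the relied-upon defaults in a comment so the scan can be reviewed without opening the upstream file.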
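Review bot: `workflow_dispatch:` is dropped from this file's triggers and not carried over to osv-scanner-scheduled.yml, so after this patch no OSV scan can be started by hand, for example to confirm that a dependency fix on main cleared a finding before the next Monday cron. The PR-oriented reusable workflow appears to depend on a pull-request context, so the manual trigger belongs on the scheduled workflow instead: add `workflow_dispatch:` under `on:` there. The new `actions: read` grant is unexplained; if it is what the reusable workflow needs to read its own run artifacts, a comment such as `# actions: read — required by the upstream reusable workflow (verify against its README)` records why it is there. The double quotes around the `uses:` value are unnecessary for a plain ref string and differ from the rest of the file; `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3` reads consistently.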