# OSV-Scanner workflow: checks the repository's dependency manifests/lockfiles
# against the OSV vulnerability database.
#
# Two jobs, selected by event type:
#   scan-default-branch - push to master and a weekly cron; full scan, SARIF
#                         published to code scanning, findings only warn.
#   scan-pr             - same-repository pull requests and the merge queue;
#                         scans the base commit and the candidate commit and
#                         fails only on vulnerabilities the change introduces.
#
# Every third-party action is pinned to a full commit SHA (the trailing comment
# is the matching release tag) so a re-pointed tag cannot change what runs.
# NOTE(review): neither job sets `timeout-minutes`; a hung scanner or fetch
# keeps the runner busy until the platform's default job timeout — consider a cap.
name: OSV-Scanner
on:
  pull_request:
    branches: ["master"]
  merge_group:
    branches: ["master"]
  schedule:
    # Weekly run (Fridays, 04:40 UTC) so advisories published after the last
    # push are still picked up.
    - cron: "40 4 * * 5"
  push:
    branches: ["master"]
jobs:
  scan-default-branch:
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
    runs-on: ubuntu-latest
    # Least privilege: the token can only read and publish code-scanning results.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep GITHUB_TOKEN out of .git/config so later steps (including the
          # third-party scanner container) cannot read it from there.
          persist-credentials: false
      - name: Run scanner
        uses: google/osv-scanner-action/osv-scanner-action@c5996e0193a3df57d695c1b8a1dec2a4c62e8730 # v2.3.3
        with:
          # Recursive scan of the checkout, written as SARIF for code scanning.
          scan-args: |-
            --output=results.sarif
            --format=sarif
            -r
            ./
        # The step's own exit status is deliberately ignored (presumably the
        # scanner exits non-zero when it reports findings); whether results.sarif
        # exists is what the following steps check instead.
        continue-on-error: true
      - name: Check SARIF output
        # A status function in `if` replaces the implicit success() guard, so
        # this runs even after a failed scanner step and turns "no output at
        # all" into a hard error rather than a silently empty upload.
        if: ${{ !cancelled() }}
        run: |
          if [ ! -f results.sarif ]; then
            echo "::error::OSV scanner did not produce results.sarif; the scan likely failed."
            exit 1
          fi
      - name: Upload artifact
        if: ${{ !cancelled() && hashFiles('results.sarif') != '' }}
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          # run_id + run_attempt keeps re-runs from colliding on the artifact name.
          name: osv-scanner-sarif-default-${{ github.run_id }}-${{ github.run_attempt }}
          path: results.sarif
          retention-days: 5
      - name: Upload to code-scanning
        if: ${{ !cancelled() && hashFiles('results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          sarif_file: results.sarif
      - name: Report vulnerabilities
        if: ${{ !cancelled() && hashFiles('results.sarif') != '' }}
        # Default-branch findings are surfaced as a warning only; this job never
        # fails on them — the code-scanning alerts are the tracking record.
        run: |
          findings="$(jq '[.runs[].results[]?] | length' results.sarif)"
          if [ "${findings}" -gt 0 ]; then
            echo "::warning::OSV found ${findings} vulnerabilities on default branch scan."
          fi
  scan-pr:
    # merge_group events always originate from this repository. pull_request
    # runs are restricted to branches of this repository: a fork's pull_request
    # run only gets a read-only token (GitHub's default for forks), so the
    # security-events: write upload below could not succeed for it anyway.
    # Consequence: fork changes are not scanned until they land on master.
    if: ${{ github.event_name == 'merge_group' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) }}
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          # Depth 2 presumably so the candidate commit's parents are already
          # local; the next step falls back to a fetch when the base commit
          # is not among them.
          fetch-depth: 2
      - name: Checkout target branch
        # Resolve the commit the change is measured against: the PR's base SHA,
        # or the merge group's base SHA (base_ref as a fallback). The value is
        # read from the GitHub-authored event payload and passed to git as a
        # single quoted argument, never interpolated into a command string.
        # NOTE(review): persist-credentials is false above, so the fallback
        # `git fetch` is unauthenticated — fine for a public repository, it
        # would fail on a private one; confirm this matches the repo's visibility.
        run: |
          target_ref="$(jq -r '
            if .pull_request then
              .pull_request.base.sha
            elif .merge_group then
              (.merge_group.base_sha // .merge_group.base_ref // empty)
            else
              empty
            end
          ' "$GITHUB_EVENT_PATH")"
          if [ -z "${target_ref}" ]; then
            echo "::error::Unable to determine target ref for ${GITHUB_EVENT_NAME}."
            exit 1
          fi
          if ! git checkout "${target_ref}"; then
            git fetch --no-tags origin "${target_ref}"
            git checkout FETCH_HEAD
          fi
      - name: Run scanner on existing code
        uses: google/osv-scanner-action/osv-scanner-action@c5996e0193a3df57d695c1b8a1dec2a4c62e8730 # v2.3.3
        with:
          # JSON rather than SARIF: this output is only input for the reporter's
          # old-vs-new comparison and is not uploaded to code scanning.
          scan-args: |-
            --format=json
            --output=old-results.json
            -r
            ./
        continue-on-error: true
      - name: Checkout current branch
        # Back to the candidate commit (PR merge commit / merge-group head).
        # -f discards any tracked-file changes left by the base checkout;
        # old-results.json is untracked and survives.
        run: git checkout -f "$GITHUB_SHA"
      - name: Run scanner on new code
        # NOTE(review): if the scanner honours an in-repo config file (e.g. an
        # osv-scanner.toml listing ignored IDs), a PR can silence a finding by
        # editing that file in the same change; review such edits like lockfile
        # edits. Confirm against the scanner's documentation.
        uses: google/osv-scanner-action/osv-scanner-action@c5996e0193a3df57d695c1b8a1dec2a4c62e8730 # v2.3.3
        with:
          scan-args: |-
            --format=json
            --output=new-results.json
            -r
            ./
        continue-on-error: true
      - name: Check scan outputs
        id: check_scan_outputs
        # Runs regardless of the scanner steps' status; a missing JSON file
        # means a scan failed before producing output.
        if: ${{ always() && !cancelled() }}
        run: |
          missing=0
          for result in old-results.json new-results.json; do
            if [ ! -f "${result}" ]; then
              echo "::error::Missing ${result}; OSV scan likely failed before producing output."
              missing=1
            fi
          done
          exit "${missing}"
        # Recorded as outcome == 'failure' without aborting the job, so the
        # artifact uploads still run; the final step turns it into a job failure.
        continue-on-error: true
      - name: Run reporter
        id: run_reporter
        if: ${{ always() && !cancelled() && steps.check_scan_outputs.outcome == 'success' }}
        uses: google/osv-scanner-action/osv-reporter-action@c5996e0193a3df57d695c1b8a1dec2a4c62e8730 # v2.3.3
        with:
          # Diff old vs new results: only vulnerabilities absent from the base
          # scan count. --fail-on-vuln makes the step fail when any are found;
          # --gh-annotations surfaces them as annotations in the PR view.
          scan-args: |-
            --output=results.sarif
            --old=old-results.json
            --new=new-results.json
            --gh-annotations=true
            --fail-on-vuln=true
        # Failure is captured as an outcome (read by the final step) so the
        # SARIF and JSON artifacts are still uploaded for triage.
        continue-on-error: true
      - name: Check reporter output
        id: check_reporter_output
        # Skipped when the reporter never ran; a reporter that did run (failed
        # or not) is expected to have left a results.sarif behind.
        if: ${{ always() && !cancelled() && steps.run_reporter.outcome != 'skipped' }}
        run: |
          if [ ! -f results.sarif ]; then
            echo "::error::OSV reporter did not produce results.sarif."
            exit 1
          fi
      - name: Upload artifact
        if: ${{ always() && !cancelled() && hashFiles('results.sarif') != '' }}
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: osv-scanner-sarif-pr-${{ github.run_id }}-${{ github.run_attempt }}
          path: results.sarif
          retention-days: 5
      # The raw JSON of both scans is kept briefly so a disputed PR verdict can
      # be reproduced without re-running the scanner.
      - name: Upload old scan json results
        if: ${{ always() && !cancelled() && hashFiles('old-results.json') != '' }}
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: osv-scanner-old-json-${{ github.run_id }}-${{ github.run_attempt }}
          path: old-results.json
          retention-days: 5
      - name: Upload new scan json results
        if: ${{ always() && !cancelled() && hashFiles('new-results.json') != '' }}
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: osv-scanner-new-json-${{ github.run_id }}-${{ github.run_attempt }}
          path: new-results.json
          retention-days: 5
      - name: Upload to code-scanning
        # Uploads the reporter's diffed SARIF (newly introduced findings only).
        if: ${{ always() && !cancelled() && hashFiles('results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          sarif_file: results.sarif
      - name: Fail on vulnerabilities introduced by PR
        # Single gate that turns any earlier continue-on-error'd failure into
        # the job's result, after every upload above has had its chance to run.
        if: ${{ always() && !cancelled() && (steps.check_scan_outputs.outcome == 'failure' || steps.run_reporter.outcome == 'failure' || steps.check_reporter_output.outcome == 'failure') }}
        run: |
          echo "::error::OSV PR scan failed (scan output missing, reporter failure, or vulnerabilities introduced). See logs and artifacts."
          exit 1