Add a scheduled vulnerability scan (#464)

bestbeforetoday · web-flow · commit 00f89fdf1dc8 · 2025-11-17T13:26:17.000-05:00
Scan both the current development codebase and latest release for
vulnerabilities in dependencies.

Signed-off-by: Mark S. Lewis &lt;Mark.S.Lewis@outlook.com&gt;
diff --git a/.github/actions/scan/action.yml b/.github/actions/scan/action.yml
@@ -0,0 +1,26 @@
+name: "Security vulnerability scan"
+inputs:
+  path:
+    description: Path to scan
+    required: false
+    default: "."
+
+runs:
+  using: composite
+  steps:
+    - name: Scan
+      id: scan
+      shell: bash
+      run: |
+        SOURCE_PATH="$(cd "${{ inputs.path }}" > /dev/null && pwd)"
+        docker run --rm \
+          --volume "${SOURCE_PATH}/:/src" \
+          ghcr.io/google/osv-scanner:latest \
+          scan \
+          --lockfile=/src/go.mod \
+          --format=markdown > osv-scanner.md
+    - name: Report failure
+      if: ${{ failure() && steps.scan.conclusion == 'failure' }}
+      shell: bash
+      run: |
+        cat osv-scanner.md >> ${GITHUB_STEP_SUMMARY}
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,37 @@
+name: "Security vulnerability scan"
+
+on:
+  schedule:
+    - cron: "22 22 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  dev:
+    name: Scan development codebase
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: ./.github/actions/scan
+
+  release:
+    name: Scan latest release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: |
+            .github
+      - name: Get latest releast tag
+        id: latest-release
+        run: echo "TAG=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"
+      - name: Checkout release ${{ steps.latest-release.outputs.TAG }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ steps.latest-release.outputs.TAG }}
+          path: src
+      - uses: ./.github/actions/scan
+        with:
+          path: src
diff --git a/Makefile b/Makefile
@@ -242,3 +242,11 @@ dist-clean:
 	-@rm -rf release/linux-arm64/hyperledger-fabric-ca-linux-arm64-$(RELEASE_VERSION).tar.gz ||:
 
 .FORCE:
+
+.PHONY: install-osv-scanner
+install-osv-scanner:
+	go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
+
+.PHONY: scan
+scan: install-osv-scanner
+	osv-scanner scan --lockfile=go.mod
