jprdonnelly/butler-sos
1
0
Fork 0
mirror of https://github.com/ptarmiganlabs/butler-sos.git synced 2025-12-25 01:02:50 -05:00
Code Issues Projects Releases Wiki Activity

build: Add OSV-Scanner scheduled workflow for automated vulnerability scanning

Browse Source
This commit is contained in:
Göran Sander
2025-07-30 17:47:14 +02:00
parent a13b1e36dc
commit 803fd4dfeb
2 changed files with 50 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.github/workflows/osv-scanner-scheduled.yml vendored Normal file
View File

@@ -0,0 +1,21 @@
name: OSV-Scanner Scheduled Scan
on:
schedule:
# Run daily at 02:00 UTC (03:00 CET)
- cron: '0 2 * * *'
# Also run on push to master branch
push:
branches: [master]
permissions:
# Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
actions: read
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read
jobs:
scan-scheduled:
uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.3'

37
BUILD_PROCESS_ANALYSIS.md
View File

@@ -214,12 +214,33 @@ jobs:
**OSV Scanner (Google) - FREE vulnerability scanning**: **OSV Scanner (Google) - FREE vulnerability scanning**:
```bash **Current Implementation**: ✅ **Active** - OSV-scanner scheduled workflow configured
# Install OSV Scanner
go install github.com/google/osv-scanner/cmd/osv-scanner@latest **Current Setup**:
# Or use in GitHub Actions
-**Scheduled daily scans** at 03:00 CET (02:00 UTC)
-**Push-triggered scans** on master branch
-**SARIF integration** with GitHub Security tab
-**Automated vulnerability detection** for dependencies
**Workflow file**: `.github/workflows/osv-scanner-scheduled.yml`
```yaml
name: OSV-Scanner Scheduled Scan
on:
schedule:
- cron: '0 2 * * *' # Daily at 02:00 UTC (03:00 CET)
push:
branches: [master]
``` ```
**Benefits**:
- Comprehensive vulnerability database coverage
- Automated daily security scanning
- Integration with GitHub Security tab
- No configuration required - works out of the box
**Socket Security - FREE for open source**: **Socket Security - FREE for open source**:
```yaml ```yaml
@@ -384,10 +405,10 @@ sbom-build:
**J. Cost-Free Implementation Priority**: **J. Cost-Free Implementation Priority**:
1. **Week 1**: ✅ **SBOM generation already implemented** with Microsoft SBOM Tool in ci.yaml 1. **Week 1**: ✅ **SBOM generation already implemented** with Microsoft SBOM Tool in ci.yaml
2. **Week 2**: Implement lockfile validation and audit-ci 2. **Week 2**: **License checking already implemented** with license-checker-rseidelsohn
3. **Week 3**: Add license checking with license-checker 3. **Week 3**: **OSV-scanner already implemented** with daily scheduled scans
4. **Week 4**: Enhance existing SBOM workflow with additional validation 4. **Week 4**: Implement lockfile validation and audit-ci
5. **Week 5**: Add OSV Scanner integration 5. **Week 5**: Enhance existing SBOM workflow with additional validation
**Benefits**: **Benefits**: