fixed uses: google/osv-scanner-action@v2.3.1 again #9
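---
# Security CI: secret scanning (Gitleaks), SAST (Semgrep CE) and dependency
# vulnerability scanning (OSV-Scanner), each as its own job so one failure
# does not mask the others.
name: Security CI

on:  # yamllint disable-line rule:truthy -- GitHub reads `on` as a key, not a boolean
  pull_request:
  push:
    branches: ["main"]
  workflow_dispatch:

# Least privilege: the workflow-level token is read-only. Each job below
# grants only the scopes it actually needs (only the SARIF-uploading jobs
# get `security-events: write`).
permissions:
  contents: read

# NOTE(review): every `uses:` below is pinned to a mutable tag (v4, v2, v1,
# v3, v2.3.1). A tag can be moved by the action's maintainer or by anyone who
# compromises that repo, so for supply-chain hardening pin each action to a
# full-length commit SHA and keep the version in a trailing comment, e.g.
#   uses: owner/action@<40-hex-sha>  # v4
# SHAs are deliberately not filled in here; look them up from the release
# you intend to trust.
jobs:
  gitleaks:
    name: Secret scan (Gitleaks)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history: a secret that was committed and later deleted is
          # still exposed, so a shallow clone would miss it.
          fetch-depth: 0
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          # Required by gitleaks-action v2 (per its README); the job's
          # read-only token is sufficient.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only required for organisation-owned repositories; an unset
          # secret expands to empty and is fine for personal accounts.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  semgrep:
    name: SAST (Semgrep CE)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      security-events: write  # needed by codeql-action/upload-sarif
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Semgrep
        # NOTE(review): the returntocorp/semgrep-action repository appears to
        # be archived upstream -- confirm, and if so consider running
        # `semgrep ci` from the semgrep/semgrep container instead.
        uses: returntocorp/semgrep-action@v1
        with:
          # Folded scalar: the rulesets are passed as one space-separated value.
          config: >-
            p/security-audit
            p/owasp-top-ten
          generateSarif: "1"
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        # always(): publish findings even when the scan step exits non-zero
        # because it found something. Caveat: on `pull_request` runs from a
        # fork GITHUB_TOKEN is read-only, so this upload is expected to fail
        # there -- the Semgrep step's own exit status still gates the PR.
        if: always()
        with:
          sarif_file: semgrep.sarif

  # IMPORTANT: OSV is invoked as a reusable workflow (job-level "uses"), not a
  # step. Job-level keys such as `timeout-minutes` and `steps` are therefore
  # not allowed on this job; only name/uses/with/secrets/needs/if/permissions/
  # strategy/concurrency are.
  osv-scanner:
    name: Dependency vulns (OSV-Scanner)
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1
    with:
      # The reusable workflow sets SARIF output itself; do not override
      # --format/--output here.
      scan-args: |-
        --recursive
        ./
    # Passed down to the called workflow, which may only reduce them.
    permissions:
      contents: read
      actions: read           # artifact download inside the reusable workflow
      security-events: write  # SARIF upload to GitHub Security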