From 86dd585b5a497e30d175c6d7a1ac6850c0b39600 Mon Sep 17 00:00:00 2001
From: Punjitha Bandara <132387971+algotyrnt@users.noreply.github.com>
Date: Wed, 18 Mar 2026 09:28:39 +0530
Subject: [PATCH 1/3] Refactor OSV-Scanner workflow for better scanning

Updated OSV-Scanner workflow to streamline scanning on push and pull request events.

---
 .github/workflows/osv-scanner.yml | 37 +++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/osv-scanner.yml

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..cbb8434
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,37 @@
+# A workflow which sets up OSV-Scanner scanning for vulnerabilities on PRs and pushes.
+# Designed to work alongside Dependabot for existing dependency management.
+
+name: OSV-Scanner
+
+on:
+ pull_request:
+ branches: [ "main" ]
+ merge_group:
+ branches: [ "main" ]
+ push:
+ branches: [ "main" ]
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Read commit contents
+ contents: read
+
+jobs:
+ scan-push:
+ if: ${{ github.event_name == 'push' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ scan-args: |-
+ -r
+ --skip-git
+ ./
+ scan-pr:
+ if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ scan-args: |-
+ -r
+ --skip-git
+ ./
+

From f4b12d517ee522320c1b27dcdfdc43f23012938a Mon Sep 17 00:00:00 2001 
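Review bot: The `on:` block only fires on push, pull_request and merge_group, so a dependency already on main that later receives an OSV advisory is not rescanned until someone pushes again; the header comment says the workflow is meant to work alongside Dependabot, but whether that covers the gap cannot be seen from this file. Consider adding a scheduled trigger, e.g. `schedule:` / `  - cron: '<weekly cron expression>'`, and widening the first job's guard to `if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}` so the full-tree scan also runs on the schedule. A `workflow_dispatch:` trigger would additionally let a maintainer re-run the scan on demand after an advisory without a code change.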
From: Punjitha Bandara <132387971+algotyrnt@users.noreply.github.com>
Date: Wed, 18 Mar 2026 09:34:51 +0530
Subject: [PATCH 2/3] Update osv-scanner action versions to v2.3.3

---
 .github/workflows/osv-scanner.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index cbb8434..045f05f 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -20,7 +20,7 @@ permissions:
 jobs:
 scan-push:
 if: ${{ github.event_name == 'push' }}
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"
 with:
 scan-args: |-
 -r
@@ -28,10 +28,9 @@ jobs:
 ./
 scan-pr:
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
- uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3"
 with:
 scan-args: |-
 -r
 --skip-git
 ./
-

From 95cba0a8e82700e123e7ffe6d9fc4e000c86661c Mon Sep 17 00:00:00 2001
From: Punjitha Bandara <132387971+algotyrnt@users.noreply.github.com>
Date: Wed, 18 Mar 2026 09:38:25 +0530
Subject: [PATCH 3/3] Update OSV-Scanner workflow permissions

---
 .github/workflows/osv-scanner.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 045f05f..78c056d 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -16,6 +16,8 @@ permissions:
 security-events: write
 # Read commit contents
 contents: read
+ # Required by OSV-Scanner v2 to read workflow runs
+ actions: read
 
 jobs:
 scan-push:
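Review bot: The new `uses:` line in the first hunk replaces a full commit-SHA pin (with the version kept in a trailing `# v1.7.1` comment) by the mutable tag `@v2.3.3`, which weakens the supply-chain posture the first commit established: a tag can be re-pointed at different workflow content, a commit SHA cannot. The second hunk (the `scan-pr` job) makes the same change. Keep the version bump but pin to the commit the tag resolves to and retain the tag as a comment, e.g. `uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<commit-sha-for-v2.3.3>" # v2.3.3`, which also keeps the comment convention that SHA-pin update tooling relies on. Both hunks cut through the `scan-push` and `scan-pr` job definitions, whose remaining lines lie outside them.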
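Review bot: `actions: read` is added at the workflow level, so it is granted to both `scan-push` and `scan-pr`, while the accompanying comment ("to read workflow runs") suggests it serves only one of the two reusable workflows; which one cannot be confirmed from this hunk. If only one job needs it, declaring `permissions:` on that job instead keeps the other job at `contents: read` plus `security-events: write`. The comment would also be more useful if it named the consumer, e.g. `# actions: read — required by the v2 reusable workflow (confirm against the called workflow's documented permissions)`. The hunk ends just inside the `jobs:` block; the job definitions continue outside it.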