From df51310e6d5caec616322fe90aaa7256354a301b Mon Sep 17 00:00:00 2001
From: Naomi Most
Date: Thu, 26 Feb 2026 22:10:29 -0800
Subject: [PATCH 1/2] Add Dependabot config and OSV-Scanner workflow for vulnerability scanning
---
 .github/dependabot.yml | 14 +++++++++++++
 .github/workflows/osv-scanner.yml | 33 +++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/osv-scanner.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..3ec9b989
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ reviewers:
+ - "v1r3n"
+ - "c4lm"
+ open-pull-requests-limit: 10
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 00000000..ef3992d6
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,33 @@
+name: OSV-Scanner Vulnerability Scan
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ osv-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run OSV-Scanner
+ uses: google/osv-scanner-action/osv-scanner-action@v2
+ with:
+ scan-args: |-
+ --recursive
+ ./
+
+ - name: Upload SARIF
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
From e931d6b3b366c1ca2a6d0e699286caf6359a9e50 Mon Sep 17 00:00:00 2001
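Review bot: The `reviewers` list under the npm entry uses a Dependabot option that GitHub has deprecated in favour of CODEOWNERS, so `v1r3n` and `c4lm` may silently stop being requested on Dependabot PRs once the key is dropped; a CODEOWNERS rule covering the npm manifests gives the same routing without depending on it. `directory: "/"` also only picks up manifests at the repository root, so if the project keeps package manifests in subdirectories (not visible in this patch) they need their own entries or a `directories:` list. With a weekly cadence and no `groups:` stanza Dependabot still opens one PR per dependency up to the limit of 10; if the intent is a reviewable weekly batch, a `groups:` block with a comment such as `# grouped so the weekly run lands as one reviewable PR` would document that.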
From: Naomi Most
Date: Fri, 27 Feb 2026 01:41:23 -0800
Subject: [PATCH 2/2] Fix OSV-Scanner workflow to use reusable workflows
Split into PR scan and scheduled scan workflows using the official google/osv-scanner-action reusable workflow pattern.
---
 .github/workflows/osv-scanner-scheduled.yml | 16 ++++++++++++
 .github/workflows/osv-scanner.yml | 27 ++++-----------------
 2 files changed, 21 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/osv-scanner-scheduled.yml
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 00000000..5bcf06d6
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,16 @@
+name: OSV-Scanner Scheduled Scan
+
+on:
+ schedule:
+ - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+ push:
+ branches: [main]
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan-scheduled:
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index ef3992d6..5d573f05 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -1,33 +1,16 @@
-name: OSV-Scanner Vulnerability Scan
+name: OSV-Scanner PR Scan
 on:
 pull_request:
 branches: [main]
- push:
+ merge_group:
 branches: [main]
- schedule:
- - cron: '0 6 * * 1' # Weekly Monday 6am UTC
- workflow_dispatch:
 permissions:
+ actions: read
 contents: read
 security-events: write
 jobs:
- osv-scan:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Run OSV-Scanner
- uses: google/osv-scanner-action/osv-scanner-action@v2
- with:
- scan-args: |-
- --recursive
- ./
-
- - name: Upload SARIF
- if: always()
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif
+ scan-pr:
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.3"
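Review bot: `uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.3"` pins the reusable workflow to a tag that the upstream maintainers can move, and the same applies to `osv-scanner-reusable-pr.yml@v2.3.3` in the osv-scanner.yml hunk of this patch; since both jobs run with `security-events: write`, pinning to the full commit SHA with the version in a trailing comment (`@<commit-sha> # v2.3.3`) keeps the code that runs from changing underneath the tag, and the `github-actions` Dependabot entry from PATCH 1/2 will keep that SHA current. The job passes no `with:` block, so scan scope and failure behaviour come from the reusable workflow's defaults (presumably a recursive scan of the checkout); a comment such as `# no inputs: scan scope and fail-on-vuln come from the upstream workflow's defaults` would make that explicit for the next reader.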
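Review bot: Dropping `workflow_dispatch:` from `on:` here leaves no way to start a fresh scan by hand, because the new osv-scanner-scheduled.yml only fires on the Monday cron and on pushes to main, so after a newly published advisory the team has to wait for the next event rather than rescanning on demand. Restoring `workflow_dispatch:` under `on:` in the scheduled workflow is a one-line fix; the PR diff scan does not need it. The switch to the upstream reusable workflow also removes the explicit `upload-sarif` step, so it is worth noting in a comment that SARIF upload now happens inside the called workflow.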