
ci: add OSV-Scanner scheduled CVE scanning workflow #69

Merged: CGFixIT merged 1 commit into main from claude/cve-scanners-m89gdl on Jun 20, 2026

Conversation

@CGFixIT (Owner) commented Jun 20, 2026

Summary

Rebased onto current main (da4cbd4). The pip-audit.yml this PR originally added already exists on main (from PRs #71/#72, in a superior form with SHA-pinned actions, ubuntu+windows matrix, and --ignore-vuln CVE-2026-45829). That half was dropped during rebase conflict resolution.

What remains — the one genuinely net-new file:

osv-scanner.yml

Adds Google's OSV-Scanner as a scheduled + PR-gated CVE workflow, complementing the existing pip-audit.yml on main. OSV-Scanner covers all dependency ecosystems vs the OSV.dev database and uploads native SARIF to the Security → Code scanning tab.

| Trigger | Job | Behavior |
|---|---|---|
| pull_request | scan-pr | Differential — flags vulns introduced by the PR |
| schedule / push main / workflow_dispatch | scan-scheduled | Full scan, SARIF → Security tab |
  • Routing via if: github.event_name == ... → exactly one job runs per event; the other is skipped (neutral).
  • Per-job permissions: minimum required — security-events: write, contents: read, actions: read.
  • scan-args: -r ./ → recurse from repo root so every manifest/lockfile is covered.
  • SHA-pinned: google/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 (v2.3.8), verified via git ls-remote.

Why CI was red before rebase:

  • invariants-gate: Old pyproject.toml TOML bug ([[tool.uv.sources]]) — fixed in da4cbd4 on main, resolved by rebase.
  • ubuntu/windows coverage: Branch had old test state (54 tests / 56% coverage) — resolved by rebase to current main (119 tests).
  • pip-audit true positive: Old pip-audit.yml without --ignore-vuln — resolved by rebase (main's version now applies).

Net diff on current main: osv-scanner.yml only — 53 insertions. No runtime, topology, or invariant changes. No secrets required.

Note: Can be merged before or after PR #73 (constraints.txt header) — no overlap between the two.
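The workflow described in the comment above, reconstructed as an added example rather than the PR's actual osv-scanner.yml (which is not shown on this page). The job names, routing condition, per-job permissions, `scan-args` and the SHA-pinned ref come from the description; the workflow name, cron expression, top-level empty `permissions` block and the reusable-workflow file paths inside google/osv-scanner-action are assumptions.

```yaml
name: OSV-Scanner

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "17 6 * * 1"   # assumed weekly slot; the PR does not state its cron
  workflow_dispatch:

# Assumed default: grant nothing at workflow level; each job requests its own.
permissions: {}

jobs:
  # Differential scan on pull requests: flags only vulns the PR introduces.
  scan-pr:
    if: github.event_name == 'pull_request'
    permissions:
      security-events: write   # upload SARIF to the Code scanning tab
      contents: read           # read manifests and lockfiles
      actions: read            # reusable workflow reads run metadata
    # Ref is the SHA-pinned v2.3.8 from the description; the reusable-workflow
    # path inside the action repository is an assumption.
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9a498708959aeaef5ef730655706c5a1df1edbc2
    with:
      scan-args: -r ./   # recurse from the repo root so every manifest is covered

  # Full scan on schedule, push to main, or manual dispatch; SARIF -> Security tab.
  # Exactly one of the two jobs runs per event; the other is skipped (neutral).
  scan-scheduled:
    if: github.event_name != 'pull_request'
    permissions:
      security-events: write
      contents: read
      actions: read
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2
    with:
      scan-args: -r ./
```

Before relying on the pin, confirm the commit matches the intended tag (the description says this was done with `git ls-remote`) and that the action's reusable workflow actually exposes the `scan-args` input at that ref.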

@github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

CGFixIT force-pushed the claude/cve-scanners-m89gdl branch from 16d2fe0 to b8871c8 on June 20, 2026 06:44
CGFixIT changed the title from "ci: add OSV-Scanner and pip-audit scheduled CVE scanning" to "ci: add OSV-Scanner scheduled CVE scanning workflow" on Jun 20, 2026
CGFixIT marked this pull request as ready for review on June 20, 2026 06:47
CGFixIT merged commit c2bdd07 into main on Jun 20, 2026
17 checks passed
CGFixIT deleted the claude/cve-scanners-m89gdl branch on June 20, 2026 06:53