# Sec Workflows ## Run Sec Scan (reusable workflow) Reusable workflow that restores the [OSV-Scanner](https://google.github.io/osv-scanner/) offline vulnerability database via **`setup-osv-db`**, runs **`osv-scanner scan source`** with **`--offline-vulnerabilities`**, and publishes a single SARIF artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`). Scanning uses [Google OSV](https://osv.dev/) data (not Trivy). The scanner runs **only** inside Docker with **no container network**, a **read-only** root filesystem (plus a small **`tmpfs`** for `/tmp`), **all capabilities dropped**, and **`no-new-privileges`**. The workspace and the local OSV DB are bind-mounted **read-only**; SARIF is written to a dedicated host directory mounted read-write at `/out` in the container. **Workflow file:** [.gitea/workflows/run-sec-scan.yaml](.gitea/workflows/run-sec-scan.yaml) ### Offline DB (`setup-osv-db`) The workflow uses the **`setup-osv-db`** action from the **`sec-actions`** repository (replacing the former `trivy-actions` / `setup-trivy` flow). That action prepares `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` for use with `--offline-vulnerabilities` (see [OSV-Scanner offline mode](https://google.github.io/osv-scanner/usage/offline-mode/)). ## Usage ### Call from another workflow (same repo) ```yaml jobs: sec: uses: ./.gitea/workflows/run-sec-scan.yaml with: ecosystems: PyPI,npm,Go cache-bucket-hours: 6 use-sarif: needs: sec runs-on: ubuntu-latest steps: - name: Download SARIF uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 with: name: ${{ needs.sec.outputs.merged-sarif-artifact }} path: sarif # Path to file: sarif/${{ needs.sec.outputs.merged-sarif-path }} # - uses: .../tas-upload-sarif@... # with: # sarif-file: sarif/${{ needs.sec.outputs.merged-sarif-path }} ``` ### Call from another repository Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../sec-actions/run-sec-scan@ref`. **With absolute URL:** ```yaml jobs: sec: uses: https://gitea.t000-n.de/t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0 with: ecosystems: github-actions,npm,go,Alpine ``` **With owner/repo path** (same server as the caller): ```yaml jobs: sec: uses: t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0 with: ecosystems: github-actions,npm,go,docker ``` Pin the same tag or commit in `uses:` that you intend to run. Reusable actions referenced **inside** this workflow (for example `sec-actions/setup-osv-db`) are pinned in the workflow file; update that repo reference when you release new **sec-actions** versions. ### Inputs | Input | Type | Default | Description | | --------------------- | ------ | ----------------------------------- | --------------------------------------------------------------------------- | | `ecosystems` | string | `github-actions,npm,go,docker` | Passed to **`setup-osv-db`** (`docker` maps to **Linux** in that action). | | `cache-bucket-hours` | number | `24` | Passed to **`setup-osv-db`** for `actions/cache` key bucketing. | | `osv-scanner-image` | string | `ghcr.io/google/osv-scanner:latest` | Image for the hardened **`docker run`** (offline scan; no network in run). Pin a digest or tag for reproducibility. | ### Outputs | Output | Description | | ----------------------- | ------------------------------------------------------------------- | | `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). | | `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). | After downloading the artifact, the SARIF file is at `/${{ needs..outputs.merged-sarif-path }}`. ## Migration from Trivy Earlier revisions used **Trivy** (`setup-trivy`, `setup-db` from **trivy-actions**) for config, filesystem, and image scans. This workflow now targets **OSV-Scanner** source scans with an **offline OSV database** only. Replacing IaC or container-image vulnerability semantics may require additional tooling outside this repository.