sec-workflows/README.md
2026-03-25 18:54:57 +01:00


Sec Workflows

Run Sec Scan (reusable workflow)

Reusable workflow that restores the OSV-Scanner offline vulnerability database via setup-osv-db, runs osv-scanner scan source with --offline-vulnerabilities, and publishes a single SARIF artifact. It does not upload to TAS; callers download the artifact and use it (e.g. with tas-upload-sarif).

Scanning uses Google OSV data (not Trivy). The scanner runs only inside Docker with no container network, a read-only root filesystem (plus a small tmpfs for /tmp), all capabilities dropped, and no-new-privileges. The workspace and the local OSV DB are bind-mounted read-only; SARIF is written to a dedicated host directory mounted read-write at /out in the container.
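The hardened docker run described above, as an added example (not the workflow's own code): it assembles the command with every isolation flag from the description and can verify that none of them was dropped. The mount points /src, /db and /out, the output filename, and the use of --format sarif --output are assumptions made for this illustration.

```shell
#!/bin/sh
# build_scan_cmd WORKSPACE OSV_DB_DIR OUT_DIR [IMAGE]
# Prints the docker command line for an offline OSV-Scanner source scan.
# Nothing is executed here. Paths are assumed to contain no whitespace.
build_scan_cmd() {
  ws="$1"; db="$2"; out="$3"
  image="${4:-ghcr.io/google/osv-scanner:latest}"   # pin a digest in real use
  cmd="docker run --rm"
  cmd="$cmd --network none"                         # no container network
  cmd="$cmd --read-only"                            # immutable root filesystem
  cmd="$cmd --tmpfs /tmp:rw,nosuid,nodev,noexec,size=64m"  # small scratch only
  cmd="$cmd --cap-drop ALL"                         # drop every capability
  cmd="$cmd --security-opt no-new-privileges"       # no setuid escalation
  cmd="$cmd -v $ws:/src:ro"                         # workspace, read-only
  cmd="$cmd -v $db:/db:ro"                          # local OSV DB, read-only
  cmd="$cmd -v $out:/out:rw"                        # the only writable mount
  cmd="$cmd -e OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY=/db"
  cmd="$cmd $image scan source --offline-vulnerabilities -r"
  cmd="$cmd --format sarif --output /out/merged-sarif.json /src"
  printf '%s\n' "$cmd"
}

# check_hardened WORKSPACE OSV_DB_DIR OUT_DIR [IMAGE]
# Returns 0 only if every hardening flag is present and no flag that would
# widen the sandbox (host network, privileged) has crept in.
check_hardened() {
  c=$(build_scan_cmd "$@")
  for flag in "--network none" "--read-only" "--cap-drop ALL" \
              "--security-opt no-new-privileges" "--offline-vulnerabilities" \
              ":/src:ro" ":/db:ro" ":/out:rw"; do
    case "$c" in *"$flag"*) ;; *) return 1 ;; esac
  done
  case "$c" in *"--network host"*|*"--privileged"*) return 1 ;; esac
  return 0
}

# run_scan WORKSPACE OSV_DB_DIR OUT_DIR [IMAGE]: create the host output
# directory, re-check the flags, then execute the scan.
run_scan() {
  check_hardened "$@" || { echo "refusing to run: sandbox flags missing" >&2; return 1; }
  mkdir -p "$3"
  eval "$(build_scan_cmd "$@")"
}
```

Calling run_scan "$PWD" "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY" "$PWD/sarif-out" reproduces the workflow's scan step on a developer machine; the SARIF lands in sarif-out/merged-sarif.json.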

Workflow file: .gitea/workflows/run-sec-scan.yaml

Offline DB (setup-osv-db)

The workflow uses the setup-osv-db action from the sec-actions repository (replacing the former trivy-actions / setup-trivy flow). That action prepares OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY for use with --offline-vulnerabilities (see OSV-Scanner offline mode).

Usage

Call from another workflow (same repo)

jobs:
  sec:
    uses: ./.gitea/workflows/run-sec-scan.yaml
    with:
      ecosystems: PyPI,npm,Go
      cache-bucket-hours: 6
  use-sarif:
    needs: sec
    runs-on: ubuntu-latest
    steps:
      - name: Download SARIF
        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
        with:
          name: ${{ needs.sec.outputs.merged-sarif-artifact }}
          path: sarif
      # Path to file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
      # - uses: .../tas-upload-sarif@...
      #   with:
      #     sarif-file: sarif/${{ needs.sec.outputs.merged-sarif-path }}

Call from another repository

Use the full workflow path including .gitea/workflows/ and the filename. Gitea does not accept a bare repo path like .../sec-actions/run-sec-scan@ref.

With absolute URL:

jobs:
  sec:
    uses: https://gitea.t000-n.de/t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
    with:
      ecosystems: github-actions,npm,go,Alpine

With owner/repo path (same server as the caller):

jobs:
  sec:
    uses: t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
    with:
      ecosystems: github-actions,npm,go,docker

Pin uses: to the exact tag or commit you intend to run. Reusable actions referenced inside this workflow (for example sec-actions/setup-osv-db) are pinned in the workflow file; update that reference when you release a new sec-actions version.

Inputs

| Input | Type | Default | Description |
|---|---|---|---|
| ecosystems | string | github-actions,npm,go,docker | Passed to setup-osv-db (docker maps to Linux in that action). |
| cache-bucket-hours | number | 24 | Passed to setup-osv-db for actions/cache key bucketing. |
| osv-scanner-image | string | ghcr.io/google/osv-scanner:latest | Image for the hardened docker run (offline scan; no network in the run). Pin a digest or tag for reproducibility. |

Outputs

| Output | Description |
|---|---|
| merged-sarif-artifact | Artifact name to pass to download-artifact (e.g. merged-sarif). |
| merged-sarif-path | Path to the file inside that artifact (e.g. merged-sarif.json). |

After downloading the artifact, the SARIF file is at <download-path>/${{ needs.<job>.outputs.merged-sarif-path }}.

Migration from Trivy

Earlier revisions used Trivy (setup-trivy and setup-db from trivy-actions) for config, filesystem, and image scans. This workflow now performs OSV-Scanner source scans against an offline OSV database only. Equivalent IaC or container-image vulnerability scanning may require additional tooling outside this repository.