Sec Workflows
Run Sec Scan (reusable workflow)
Reusable workflow that restores the OSV-Scanner offline vulnerability database via setup-osv-db, runs osv-scanner scan source with --offline-vulnerabilities, and publishes a single SARIF artifact. It does not upload to TAS; callers download the artifact and use it (e.g. with tas-upload-sarif).
Scanning uses Google OSV data (not Trivy). The scanner runs only inside Docker with no container network, a read-only root filesystem (plus a small tmpfs for /tmp), all capabilities dropped, and no-new-privileges. The workspace and the local OSV DB are bind-mounted read-only; SARIF is written to a dedicated host directory mounted read-write at /out in the container.
Workflow file: .gitea/workflows/run-sec-scan.yaml
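The hardened docker run described above, written out as a POSIX shell function. This is an added example, not the workflow's own step; the container paths /src, /osv-db and /out, the tmpfs size and the non-root --user are assumptions, and the SARIF file name follows the merged-sarif.json example from the outputs.

```shell
#!/bin/sh
# Added example (not the workflow's own code): the hardened, network-less
# osv-scanner invocation as a reusable function. Container paths /src, /osv-db
# and /out are assumed; adjust to taste.
osv_scan_hardened() {
  workspace="$1"   # host checkout, mounted read-only
  osv_db="$2"      # OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY restored by setup-osv-db, read-only
  out_dir="$3"     # host directory that receives the SARIF; the only writable mount
  image="${4:-ghcr.io/google/osv-scanner:latest}"   # pin a digest or tag in real use
  mkdir -p "$out_dir"

  set -- run --rm
  # No container network: the database is local, so the scanner has nothing to fetch.
  set -- "$@" --network none
  # Immutable root filesystem; a small noexec tmpfs covers anything written to /tmp.
  set -- "$@" --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m
  # Drop every capability and block privilege escalation through setuid binaries.
  set -- "$@" --cap-drop ALL --security-opt no-new-privileges
  # Run as the invoking user so /out is not littered with root-owned files (assumption).
  set -- "$@" --user "$(id -u):$(id -g)"
  # Inputs read-only, output read-write, nothing else mounted.
  set -- "$@" -v "$workspace:/src:ro" -v "$osv_db:/osv-db:ro" -v "$out_dir:/out:rw"
  set -- "$@" -e OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY=/osv-db -w /src "$image"
  # osv-scanner v2 CLI: source scan, offline vulnerability data only, SARIF output.
  set -- "$@" scan source --offline-vulnerabilities -r /src \
    --format sarif --output /out/merged-sarif.json

  # DOCKER=echo prints the argument list instead of invoking docker (dry run).
  ${DOCKER:-docker} "$@"
}
```

Run it as `osv_scan_hardened "$PWD" "$OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY" ./sarif-out`; with `DOCKER=echo` in the environment it only prints the command so the mount and security flags can be reviewed before use.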
Offline DB (setup-osv-db)
The workflow uses the setup-osv-db action from the sec-actions repository (replacing the former trivy-actions / setup-trivy flow). That action prepares OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY for use with --offline-vulnerabilities (see OSV-Scanner offline mode).
Usage
Call from another workflow (same repo)
```yaml
jobs:
  sec:
    uses: ./.gitea/workflows/run-sec-scan.yaml
    with:
      ecosystems: PyPI,npm,Go
      cache-bucket-hours: 6
  use-sarif:
    needs: sec
    runs-on: ubuntu-latest
    steps:
      - name: Download SARIF
        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
        with:
          name: ${{ needs.sec.outputs.merged-sarif-artifact }}
          path: sarif
      # Path to file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
      # - uses: .../tas-upload-sarif@...
      #   with:
      #     sarif-file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
```
Call from another repository
Use the full workflow path including .gitea/workflows/ and the filename. Gitea does not accept a bare repo path like .../sec-actions/run-sec-scan@ref.
With absolute URL:
```yaml
jobs:
  sec:
    uses: https://gitea.t000-n.de/t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
    with:
      ecosystems: github-actions,npm,go,Alpine
```
With owner/repo path (same server as the caller):
```yaml
jobs:
  sec:
    uses: t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
    with:
      ecosystems: github-actions,npm,go,docker
```
Pin the same tag or commit in uses: that you intend to run. Reusable actions referenced inside this workflow (for example sec-actions/setup-osv-db) are pinned in the workflow file; update that repo reference when you release new sec-actions versions.
Inputs
| Input | Type | Default | Description |
|---|---|---|---|
| ecosystems | string | github-actions,npm,go,docker | Passed to setup-osv-db (docker maps to Linux in that action). |
| cache-bucket-hours | number | 24 | Passed to setup-osv-db for actions/cache key bucketing. |
| osv-scanner-image | string | ghcr.io/google/osv-scanner:latest | Image for the hardened docker run (offline scan; no network in run). Pin a digest or tag for reproducibility. |
Outputs
| Output | Description |
|---|---|
| merged-sarif-artifact | Artifact name to pass to download-artifact (e.g. merged-sarif). |
| merged-sarif-path | Path to the file inside that artifact (e.g. merged-sarif.json). |
After downloading the artifact, the SARIF file is at <download-path>/${{ needs.<job>.outputs.merged-sarif-path }}.
Migration from Trivy
Earlier revisions used Trivy (setup-trivy, setup-db from trivy-actions) for config, filesystem, and image scans. This workflow now runs OSV-Scanner source scans against an offline OSV database only. Replacing Trivy's IaC and container-image vulnerability scanning may require additional tooling outside this repository.