Add OSV-Scanner workflows, remove redundant steps in PHP workflow (#27)

A new OSV-Scanner PR Scan and OSV-Scanner Scheduled Scan have been added in GitHub workflows for vulnerability detection. Meanwhile, some redundant steps including the setup of Go environment and osv-scanner installation in PHP workflow have been removed as these are now incorporated in the newly added workflows.
MarjovanLier · Mar 5, 2024 · c699854 · c699854
1 parent e062884
commit c699854
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 14 deletions.
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
@@ -0,0 +1,24 @@
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents
+  contents: read
+  actions: read
+
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      upload-sarif: false
+      scan-args: |-
+        --lockfile=./composer.lock
+        --lockfile=./package.json
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,24 @@
+name: OSV-Scanner Scheduled Scan
+
+on:
+  schedule:
+    - cron: "30 12 * * 1"
+  # Change "main" to your default branch if you use a different name, i.e. "master"
+  push:
+    branches: [main]
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents
+  contents: read
+  actions: read
+
+jobs:
+  scan-scheduled:
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    with:
+      upload-sarif: false
+      scan-args: |-
+        --lockfile=./composer.lock
+        --lockfile=./package.json
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -55,20 +55,6 @@ jobs:
         id: composer-install
         run: composer install --prefer-dist --no-progress --no-suggest
 
-      # This step sets up Go environment for the job.
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: "1.22"
-
-      # This step installs osv-scanner for vulnerability scanning.
-      - name: Install osv-scanner
-        run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
-
-      # This step scans composer.lock for vulnerabilities using osv-scanner.
-      - name: Scan composer.lock for vulnerabilities
-        run: osv-scanner scan --no-ignore composer.lock
-
       # This step checks for vulnerabilities in the project dependencies.
       - name: Check for vulnerabilities
         id: vulnerabilities-check