-
Notifications
You must be signed in to change notification settings - Fork 6k
56 lines (54 loc) · 1.98 KB
/
third_party_scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: Third party deps scan
on:
# Only the default branch is supported.
branch_protection_rule:
push:
branches: [ main ]
pull_request:
types: [ labeled ]
# Declare default permissions as read only.
permissions: read-all
jobs:
extract-deps:
name: Extract Dependencies
runs-on: ubuntu-20.04
if: ${{ (github.repository == 'flutter/engine' && github.event_name == 'push') || github.event.label.name == 'vulnerability scan' }}
permissions:
# Needed to upload the SARIF results to code-scanning dashboard.
security-events: write
contents: read
steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
persist-credentials: false
- name: "setup python"
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version: '3.7.7' # install the python version needed
- name: "extract deps, find commit hash, pass to osv-scanner"
run: python ci/scan_deps.py --output osv-lockfile-${{github.sha}}.json
- name: "upload osv-scanner deps"
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
with:
# use github.ref in name to avoid duplicated artifacts
name: osv-lockfile-${{github.sha}}
path: osv-lockfile-${{github.sha}}.json
retention-days: 2
vuln-scan:
name: Vulnerability scanning
needs:
extract-deps
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.2"
with:
# Download the artifact uploaded in extract-deps step
download-artifact: osv-lockfile-${{github.sha}}
scan-args: |-
--lockfile=osv-scanner:osv-lockfile-${{github.sha}}.json
fail-on-vuln: false
# makes sure the osv-formatted vulns are uploaded
permissions:
# Needed to upload the SARIF results to code-scanning dashboard.
security-events: write
actions: read
contents: read