Add OSV job

anynines · Dec 4, 2024 · 6242bfc · 6242bfc
1 parent 379471b
commit 6242bfc
Showing 1 changed file with 28 additions and 14 deletions.
diff --git a/.github/workflows/github-security-checks.yml b/.github/workflows/github-security-checks.yml
@@ -1,6 +1,10 @@
 name: SAST Scan
 run-name: Push from ${{ github.actor }} initiated a Security Scan 🚀
-on: [push]
+on:
+  push:
+    branches:
+      - '*'
+      - '!master'
 permissions:
   contents: write
 jobs:
@@ -10,11 +14,6 @@ jobs:
     steps:
       - name: Checkout repo inside CI runner
         uses: actions/checkout@v4
-      # - name: Bearer-SAST Installation
-      #   working-directory: ./ci/actions
-      #   run: | 
-      #     chmod +x install-bearer.sh
-      #     ./install-bearer.sh
       - name: Setup results file
         run: |
           mkdir -p scan_results
@@ -29,11 +28,26 @@ jobs:
           author_name: scanner-bot
           author_email: [email protected]
           message: '[bot] Add SAST scan results'
-
-
-#TODO 
-#1. Generate JSON report and store in repo
-#2. Ensure bearer does not exit with -1
-#2. Create docker image with pre-installed Bearer and OSV tools
-#3. Add a step to run the OSV scanner
-#4. 
+          pull: '--rebase --autostash'
+  cve-scan:
+    runs-on: ubuntu-latest
+    container: avarteqgmbh/bearer-osv-scan
+    steps:
+      - name: Checkout repo inside CI runner
+        uses: actions/checkout@v4
+      - name: Setup results file
+        run: |
+          mkdir -p scan_results
+          touch ./scan_results/osv.out.json 
+          git config --global --add safe.directory '*'
+      - name: SAST Scan
+        working-directory: .
+        run: osv-scanner --json --output ./scan_results/osv.out.json -r . 
+        continue-on-error: true
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v9
+        with: 
+          author_name: scanner-bot
+          author_email: [email protected]
+          message: '[bot] Add SAST scan results'
+          pull: '--rebase --autostash'