Skip to content

Commit d084254

Browse files
committed
chore(infra): add dependabot.yml and OSV-Scanner weekly vulnerability monitoring
Add two security configurations: 1. dependabot.yml: enables Dependabot updates for GitHub Actions and git submodules with weekly schedule, assigned to kcenon. 2. osv-scanner.yml: adds weekly OSV-Scanner workflow to complement the existing Trivy daily scan. Scans vcpkg.json manifest against the Open Source Vulnerabilities (OSV) database. Results are uploaded to GitHub Security tab as SARIF. Part of kcenon/common_system#408
1 parent 3a4a03d commit d084254

2 files changed

Lines changed: 99 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
version: 2
2+
updates:
3+
# Enable version updates for GitHub Actions
4+
- package-ecosystem: "github-actions"
5+
directory: "/"
6+
schedule:
7+
interval: "weekly"
8+
assignees:
9+
- "kcenon"
10+
labels:
11+
- "dependencies"
12+
- "github-actions"
13+
14+
# Enable version updates for git submodules
15+
- package-ecosystem: "gitsubmodule"
16+
directory: "/"
17+
schedule:
18+
interval: "weekly"
19+
assignees:
20+
- "kcenon"
21+
labels:
22+
- "dependencies"
23+
- "submodules"

.github/workflows/osv-scanner.yml

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
name: OSV Vulnerability Scan
2+
3+
on:
4+
push:
5+
branches: [ main ]
6+
paths:
7+
- 'vcpkg.json'
8+
- 'vcpkg-configuration.json'
9+
- '.github/workflows/osv-scanner.yml'
10+
pull_request:
11+
branches: [ main ]
12+
paths:
13+
- 'vcpkg.json'
14+
- 'vcpkg-configuration.json'
15+
schedule:
16+
# Run every Sunday at 3:17 AM UTC (offset from Trivy daily scan at 2 AM)
17+
- cron: '17 3 * * 0'
18+
workflow_dispatch:
19+
20+
permissions:
21+
contents: read
22+
security-events: write
23+
24+
# OSV-Scanner complements the existing Trivy scan (cve-scan.yml):
25+
# - Trivy: filesystem scan, runs daily on push/PR
26+
# - OSV-Scanner: dependency manifest scan, runs weekly + on vcpkg.json changes
27+
#
28+
# OSV-Scanner uses the Open Source Vulnerabilities (OSV) database which covers
29+
# vcpkg ecosystem packages, GitHub Advisory Database, and more.
30+
# See: https://github.com/kcenon/common_system/issues/408
31+
32+
jobs:
33+
osv-scan:
34+
name: OSV Scanner
35+
runs-on: ubuntu-latest
36+
if: github.ref != 'refs/heads/gh-pages'
37+
38+
steps:
39+
- name: Checkout code
40+
uses: actions/checkout@v4
41+
42+
- name: Run OSV-Scanner on vcpkg manifest
43+
uses: google/osv-scanner-action/osv-scanner-action@v2
44+
with:
45+
scan-args: |-
46+
--lockfile=vcpkg.json
47+
--format=sarif
48+
--output=osv-results.sarif
49+
continue-on-error: true
50+
51+
- name: Run OSV-Scanner filesystem scan (fallback)
52+
if: hashFiles('osv-results.sarif') == ''
53+
uses: google/osv-scanner-action/osv-scanner-action@v2
54+
with:
55+
scan-args: |-
56+
--recursive
57+
.
58+
--format=sarif
59+
--output=osv-results.sarif
60+
continue-on-error: true
61+
62+
- name: Upload OSV SARIF to GitHub Security
63+
uses: github/codeql-action/upload-sarif@v3
64+
if: always() && hashFiles('osv-results.sarif') != ''
65+
continue-on-error: true
66+
with:
67+
sarif_file: osv-results.sarif
68+
category: osv-scanner
69+
70+
- name: Upload OSV results artifact
71+
uses: actions/upload-artifact@v4
72+
if: always() && hashFiles('osv-results.sarif') != ''
73+
with:
74+
name: osv-scan-results-${{ github.sha }}
75+
path: osv-results.sarif
76+
retention-days: 30

0 commit comments

Comments
 (0)