chore: Added osv-scanner workflow

christian-kreuzberger-dtx · christian-kreuzberger-dtx · commit f7e303570e8a · 2025-10-16T10:30:38.000+02:00
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,65 @@
+name: OSV Scanner
+
+# Scans the repository for vulnerable dependencies using Google's OSV Scanner
+# Docs: https://google.github.io/osv-scanner/github-action/
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * 1' # Every Monday at 03:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write # for uploading SARIF results
+
+jobs:
+  osv-scanner:
+    name: Run OSV Scanner
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up Node.js (uses .nvmrc for version consistency)
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
+
+      - name: Install dependencies (without running build)
+        run: npm ci --ignore-scripts
+
+      - name: Run OSV Scanner
+        id: osv
+        uses: google/osv-scanner-action@v1
+        with:
+          scan-args: >-
+            --recursive
+            --json=results.json
+            .
+
+      - name: Convert JSON results to SARIF
+        if: always()
+        run: |
+          npx --yes osv-to-sarif results.json > results.sarif || echo '{"version":"2.1.0","runs":[]}' > results.sarif
+        continue-on-error: true
+
+      - name: Upload SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        continue-on-error: true
+
+      - name: Upload artifact (raw JSON)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: osv-scanner-results
+          path: |
+            results.json
+            results.sarif
