Using OSV-Scanner via GitHub Actions

Published on

OSV-Scanner is a tool that checks for known vulnerabilities in dependencies. It uses Google's OSV (Open Source Vulnerabilities) database to analyze project dependencies and identify relevant vulnerabilities.

https://google.github.io/osv-scanner/

Since scan results can be uploaded as SARIF in GitHub Actions, they can be viewed in GitHub's Security tab (Code scanning). It's great that this is available for free.

In this article, I will set up a mechanism to check if packages with known vulnerabilities are being used by adding the OSV-Scanner GitHub Action to a repository. Since it supports a wide range of languages, it should be applicable in most cases.

https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-lockfilesmanifests

Copy and Paste from the Official Documentation

Since OSV-Scanner's GitHub Action is provided as reusable workflows, you basically just call it with uses:. The official documentation describes two variants: one "for PRs" and one "for scheduled execution."

https://google.github.io/osv-scanner/github-action/

However, some of the documented settings are outdated and there are a few subtle traps, so rather than copying blindly I recommend reviewing each setting as you paste it (I have already submitted a PR for this).

Place osv-scanner.toml in the Same Directory as go.mod

When scanning a Go project, OSV-Scanner reads the Go version from go.mod and checks that version for known vulnerabilities. Because go.mod often declares an older version for compatibility reasons, the scan can flag vulnerabilities in a Go version you are not actually using.

You can change this using osv-scanner.toml (I suspect this might be undocumented).

osv-scanner.toml
GoVersionOverride = "1.25.5"

In a Go project, the configuration doesn't seem to apply unless osv-scanner.toml is placed in the same directory as go.mod.

If there are multiple go.mod files, you can point to one configuration explicitly with --config=/path/to/config.toml. When --config is used, OSV-Scanner appears to ignore every per-directory osv-scanner.toml and apply the given configuration to all scanned files (I have not confirmed this).

Since the reusable workflow accepts command-line arguments through scan-args, I set this up by overriding the default arguments:

    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1"
    with:
      scan-args: |-
        -r
        ./
        --config=osv-scanner.toml
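The snippet above is only the job-level part of the call. As an added example (not from the original post or from the OSV-Scanner project), here is a complete PR workflow file that could be placed under .github/workflows/; the permissions block follows what the official documentation requires for uploading SARIF to Code scanning, and the branch name main is an assumption.

```yaml
# .github/workflows/osv-scanner-pr.yml (added example; not from the original post)
name: OSV-Scanner PR Scan

on:
  pull_request:
    branches: [main]   # assumption: the default branch is "main"

permissions:
  # Uploading the SARIF report to Security > Code scanning needs security-events: write
  security-events: write
  contents: read
  actions: read

jobs:
  scan-pr:
    # Reusable PR workflow from google/osv-scanner-action, pinned to the tag used in the post
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1"
    with:
      # Override the default arguments: recurse from the repository root and force one
      # config file for the whole scan (per-directory osv-scanner.toml files are then ignored)
      scan-args: |-
        -r
        ./
        --config=osv-scanner.toml
```

The osv-scanner.toml referenced here is the one shown earlier with GoVersionOverride, placed at the repository root so the relative path resolves after checkout.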

Conclusion

The great thing about OSV-Scanner is that it supports many different languages, not just Go. Since you can scan across repositories using the same mechanism, it is well worth the effort to integrate it and start running scans.

On the other hand, even within the scope of this small setup, I ran into several "undocumented specifications" and "outdated parts," which was a bit disappointing. I hope to contribute, even in a small way, by filing PRs and issues on GitHub myself.

Since it is a very useful OSS tool, I hope to see more examples of its practical application.
