From a74df684a1a6d4418838198aedf47ead032860a9 Mon Sep 17 00:00:00 2001
From: VictoriaBeilstenEdmands <45741274+VictoriaBeilsten-Edmands@users.noreply.github.com>
Date: Thu, 28 May 2026 11:48:00 +0100
Subject: [PATCH 1/3] Add critical level to osv scanner

---
 .github/workflows/osv-scanner.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 081e7a15..f836b46a 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -20,7 +20,13 @@ jobs:
   scan-pr:
     if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
+    with:
+      scan-args: |
+        --min-severity=CRITICAL
 
   scan-scheduled:
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
+    with:
+      scan-args: |
+        --min-severity=CRITICAL

From 981175b6856be959c6efd37dfbc9c28fb76e0975 Mon Sep 17 00:00:00 2001
From: VictoriaBeilsten-Edmands <45741274+VictoriaBeilsten-Edmands@users.noreply.github.com>
Date: Fri, 29 May 2026 09:22:17 +0100
Subject: [PATCH 2/3] Update .github/workflows/osv-scanner.yml

Co-authored-by: Guilherme Francisco
---
 .github/workflows/osv-scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index f836b46a..3751a735 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -22,7 +22,7 @@ jobs:
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
     with:
       scan-args: |
-        --min-severity=CRITICAL
+        --min-severity=9
 
   scan-scheduled:
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'

From 76af5a9b9d0eb2d66127e19e1a623a026d30ca61 Mon Sep 17 00:00:00 2001
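Review bot: The `scan-args` override in both jobs passes only `--min-severity=CRITICAL`; if the reusable workflow treats this input as a full replacement for its default arguments rather than an addition, the scan target is no longer passed and the scanner may not walk the repository at all — confirm against the `v2.3.2` reusable workflow and, if so, keep the target in the list, e.g. `--recursive ./` on its own line above the severity flag. Filtering at scan time also means HIGH and lower findings never reach the SARIF that `security-events: write` is granted for, so they become invisible in code scanning rather than merely non-blocking; gating on severity in a later step while uploading the full result set keeps that visibility. The two `with:` blocks are duplicated verbatim, so a comment on each pointing at the other would help keep them from drifting apart.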
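Review bot: Only the `scan-pr` job is changed to `--min-severity=9`; the `scan-scheduled` job's `--min-severity=CRITICAL` (just below this hunk, added in PATCH 1/3) is left as is, so the two jobs now express the threshold in different forms and whichever form the scanner does not accept will fail or be ignored in one job only. Apply the same value to both, `--min-severity=9`, or factor the value so it is written once. If a numeric CVSS threshold is intended, a comment such as `# 9.0 and above is the CVSS v3 'Critical' band` above the `scan-args` line would record why the number was chosen.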
From: VictoriaBeilstenEdmands <45741274+VictoriaBeilsten-Edmands@users.noreply.github.com>
Date: Fri, 29 May 2026 09:33:14 +0100
Subject: [PATCH 3/3] Use json format for osv scanner output

---
 .github/workflows/osv-scanner.yml | 44 ++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 3751a735..a9511327 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -17,16 +17,36 @@ permissions:
   security-events: write
 
 jobs:
-  scan-pr:
-    if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
-    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
-    with:
-      scan-args: |
-        --min-severity=9
+  osv-scan:
+    runs-on: ubuntu-latest
 
-  scan-scheduled:
-    if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
-    with:
-      scan-args: |
-        --min-severity=CRITICAL
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run OSV Scanner (human-readable)
+        continue-on-error: true
+        uses: google/osv-scanner-action/osv-scanner-action@v2.3.2
+        with:
+          scan-args: |
+            --lockfile=pnpm-lock.yaml
+
+      - name: Run OSV Scanner (JSON)
+        continue-on-error: true
+        uses: google/osv-scanner-action/osv-scanner-action@v2.3.2
+        with:
+          scan-args: |
+            --format=json
+            --output=results.json
+            --lockfile=pnpm-lock.yaml
+
+      - name: Fail on CRITICAL vulnerabilities only
+        run: |
+          if jq -e '
+            .results[].packages[].vulnerabilities[]?
+            | select((.database_specific.severity // "") == "CRITICAL")
+          ' results.json > /dev/null; then
+            echo "❌ Critical vulnerabilities found"
+            exit 1
+          else
+            echo "✅ No critical vulnerabilities"
+          fi
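Review bot: The final `run` step passes silently when the JSON scan produced no file: both scanner steps carry `continue-on-error: true`, and when `results.json` is absent `jq -e` exits non-zero, which the `if` treats as "no critical vulnerabilities". Add a guard before the `if`, `test -s results.json || { echo "osv-scanner produced no results.json"; exit 1; }`, so a failed or mis-invoked scan fails the job instead of passing it. The `select` on `.database_specific.severity` only matches advisories whose source populates that field; to my knowledge many OSV records carry their scoring in the schema's `severity[]` array instead, so critical findings from those sources would be skipped — verify against a real `results.json` before relying on this filter alone. Replacing the reusable workflows with direct `osv-scanner-action` steps also drops the SARIF upload that `security-events: write` (context at the top of the hunk) existed for, so findings no longer reach code scanning and that permission is now unused; either re-add an upload step or remove the permission. Lastly, the scanner is run twice against the same lockfile; a single `--format=json` run with the human-readable view rendered from the file would halve the query load.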