Bump google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml from 1.9.2 to 2.3.5

[dependabot]

Bumps google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml from 1.9.2 to 2.3.5.

Release notes

Sourced from google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml's releases.

v2.3.5

This updates OSV-Scanner to v2.3.5.

What's Changed

• Update to v2.3.5 by @​tobyhawker in google/osv-scanner-action#124

New Contributors

• @​tobyhawker made their first contribution in google/osv-scanner-action#124

Full Changelog: google/osv-scanner-action@v2.3.3...v2.3.5

v2.3.3

This updates OSV-Scanner to v2.3.3.

What's Changed

• chore(deps): update github/codeql-action action to v4.31.10 by @​renovate-bot in google/osv-scanner-action#115
• Update to v2.3.3 by @​Ly-Joey in google/osv-scanner-action#118

New Contributors

• @​Ly-Joey made their first contribution in google/osv-scanner-action#118

Full Changelog: google/osv-scanner-action@v2.3.2...v2.3.3

v2.3.2

This updates OSV-Scanner to v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

• [Bug #2415](google/osv-scanner#2415) Add more PURL-to-ecosystem mappings
• [Bug #2422](google/osv-scanner#2422) MCP error for get_vulnerability_id because type definition is incorrect.
• [Bug #2460](google/osv-scanner#2460) Enable osv-scanner.json git queries
• [Bug #2456](google/osv-scanner#2456) Properly track if an ignore entry has been used
• [Bug #2450](google/osv-scanner#2450) Performance: Avoid loading the entire advisory unless it will actually be used
• [Bug #2445](google/osv-scanner#2445) Performance: Don't read the entire zip into memory
• [Bug #2433](google/osv-scanner#2433) Allow specifying user agent in v2 osvscanner package

Misc:

• [Misc #2453](google/osv-scanner#2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3
• [Misc #2447](google/osv-scanner#2447) Include bun.lock as a supported lockfile
• [Misc #2444](google/osv-scanner#2444) Document GoVersionOverride in configuration.md

Full Changelog: google/osv-scanner@v2.3.1...v2.3.2

v2.3.1

What's Changed

• chore(deps): update workflows (major) by @​renovate-bot in google/osv-scanner-action#105
• chore(deps): update github/codeql-action action to v4.31.7 by @​renovate-bot in google/osv-scanner-action#108

... (truncated)

Commits

• c518547 Merge pull request #124 from google/update-to-v2.3.5
• 1fc5ec2 Update unified workflow example to point to v2.3.5 reusable workflows
• 3d5827d Update reusable workflows to point to v2.3.5 actions
• 7222d1c "Update actions to use v2.3.5 osv-scanner image"
• a30b4c3 Merge pull request #120 from google/lsc-1771431861.8381045
• 62f47c7 Fix missing env var after the initial change
• b7ee968 Refactor Github Action per b/485167538
• c5996e0 Merge pull request #118 from google/update-to-v2.3.3
• f4fac92 Update unified workflow example to point to v2.3.3 reusable workflows
• 8ae4be8 Update reusable workflows to point to v2.3.3 actions
• Additional commits viewable in compare view

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis identified a supply chain security risk in .github/workflows/osv-scanner-pr.yml at line 19, where the reusable workflow google/osv-scanner-action is referenced using the mutable tag v2.3.5 instead of an immutable full commit SHA. Mutable tags can be silently reassigned to point to arbitrary or malicious code at any time without any visible change in the workflow file. This is particularly concerning given the security-sensitive nature of this repository. The dependency analysis found no issues. Action required: Pin the google/osv-scanner-action reference to the full immutable commit SHA corresponding to the v2.3.5 release before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

The reusable workflow is referenced using the mutable tag v2.3.5. Tags can be reassigned at any time to point to arbitrary or malicious code. Pin this reference to the full immutable commit SHA corresponding to the intended release of google/osv-scanner-action to prevent supply chain attacks via tag mutation.

• Location: .github/workflows/osv-scanner-pr.yml:19

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 6b4b981, performed at: 2026-05-15T03:51:52Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

The reusable workflow is referenced using the mutable tag v2.3.5. Tags can be reassigned at any time to point to arbitrary or malicious code. Pin this reference to the full immutable commit SHA corresponding to the intended release of google/osv-scanner-action to prevent supply chain attacks via tag mutation.

[kusari-inspector]

Kusari PR Analysis rerun based on - 0e37901 performed at: 2026-05-15T01:58:06Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - bdfed93 performed at: 2026-05-15T02:06:08Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - bd9ca8f performed at: 2026-05-15T02:18:00Z - link to updated analysis

[kusari-inspector]

Kusari PR Analysis rerun based on - 6b4b981 performed at: 2026-05-15T03:52:09Z - link to updated analysis