From c8b15032f365126e61fed1e64ab79b9f4a532330 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Sun, 5 Oct 2025 22:01:16 +0000
Subject: [PATCH 1/3] Add OSV and Scorecard scanner workflows

This adds two security scan workflows recommended by Google best practices:
* [OpenSSF Scorecard](https://openssf.org/projects/scorecard/), an automated tool that assesses a number of important checks associated with software security.
* [Open-Source Vulnerabilities (OSV)] scanner, dependency vulnerability scanner that identifies known vulnerabilities in a project's dependencies.
The findings are reported in the repo's code-scanning
results page, https://github.com/quantumlib/chromobius/security/code-scanning/.
---
 .github/workflows/osv-scanner.yaml | 151 +++++++++++++++++++++++
 .github/workflows/scorecard-scanner.yaml | 110 +++++++++++++++++
 2 files changed, 261 insertions(+)
 create mode 100644 .github/workflows/osv-scanner.yaml
 create mode 100644 .github/workflows/scorecard-scanner.yaml

diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml
new file mode 100644
index 0000000..0ff1d2d
--- /dev/null
+++ b/.github/workflows/osv-scanner.yaml
@@ -0,0 +1,151 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSV scan
+run-name: Run open-source vulnerabilities (OSV) scanner
+
+# The OSV scanner is a dependency vulnerability scanner that identifies known
+# vulnerabilities in a project's dependencies. It supports C/C++, Python, Java,
+# JavaScript, and others. The findings are reported in the repo's code-scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
+# For more OSV scanner examples and options, including how to ignore specific
+# vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
+
+on:
+ schedule:
+ # Run weekly on Saturdays.
+ - cron: '30 10 * * 6'
+
+ pull_request:
+ types: [opened, synchronize]
+ branches:
+ - main
+ - master
+
+ # Support merge queues.
+ merge_group:
+ types:
+ - checks_requested
+
+ # Allow manual invocation.
+ workflow_dispatch:
+ inputs:
+ debug:
+ description: 'Run with debugging options'
+ type: boolean
+ default: true
+
+concurrency:
+ # Cancel any previously-started but still active runs on the same branch.
+ cancel-in-progress: true
+ group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
+# Declare default workflow permissions as read only.
+permissions: read-all
+
+jobs:
+ osv-scan:
+ if: github.repository_owner == 'quantumlib'
+ name: OSV scanner
+ runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ # Needed to upload the results to code-scanning dashboard:
+ security-events: write
+ env:
+ # Setting Bash SHELLOPTS here takes effect for all shell commands below.
+ SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }}
+ steps:
+ - name: Check out a copy of the git repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Check out the target branch
+ run: |
+ git checkout ${{github.base_ref || github.ref_name}}
+ git submodule update --recursive
+
+ - name: Run OSV scanner on existing code
+ # yamllint disable rule:line-length
+ uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --include-git-root
+ --format=json
+ --output=old-results.json
+ --recursive
+ ./
+
+ - name: Check out current branch
+ # Use -f in case any changes were made by osv-scanner.
+ run: |
+ git checkout -f "$GITHUB_SHA"
+ git submodule update --recursive
+
+ - name: Run OSV scanner on new code
+ # yamllint disable rule:line-length
+ uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --include-git-root
+ --format=json
+ --output=new-results.json
+ --recursive
+ ./
+
+ - name: Run the OSV scanner reporter for the job summary page
+ # yamllint disable rule:line-length
+ uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
+ with:
+ scan-args: |-
+ --output=markdown:output.md
+ --old=old-results.json
+ --new=new-results.json
+ --fail-on-vuln=false
+
+ - name: Write the results to the job summary page
+ run: cat output.md >> "$GITHUB_STEP_SUMMARY"
+
+ - name: Run the OSV scanner reporter for the code-scanning dashboard
+ # yamllint disable rule:line-length
+ uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
+ with:
+ scan-args: |-
+ --output=osv-results.sarif
+ --old=old-results.json
+ --new=new-results.json
+ --gh-annotations=true
+ --fail-on-vuln=true
+
+ - name: Upload results to the repository's code-scanning results dashboard
+ id: upload_artifact
+ # yamllint disable rule:line-length
+ uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+ with:
+ sarif_file: osv-results.sarif
+
+ - if: github.event.inputs.debug == true
+ name: Upload results as artifacts to the workflow Summary page
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: osv-results.sarif
+ retention-days: 5
+
+ - name: Print an alert message if an error occurred
+ if: ${{always() && steps.upload_artifact.outcome == 'failure'}}
+ run: echo '::error::Artifact upload failed. Check the workflow logs.'
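Review bot: The SARIF upload step (`Upload results to the repository's code-scanning results dashboard`) has no `if:` condition, so when the preceding reporter step exits non-zero on a new finding (which `--fail-on-vuln=true` presumably makes it do, given the summary run passes `--fail-on-vuln=false`), the upload is skipped and the findings never reach the dashboard the header comment promises; guard it with `if: ${{ !cancelled() }}`. The artifact step's `if: github.event.inputs.debug == true` compares a string-valued event input with a boolean, which GitHub's expression comparison appears to treat as unequal, so the step never runs; use the typed `inputs.debug` that the `SHELLOPTS` line already relies on, and the same condition appears in the scorecard-scanner.yaml hunk. `git checkout ${{github.base_ref || github.ref_name}}` expands a ref name straight into the shell script; these refs are repository-controlled here, but passing the value through `env:` and quoting it (`git checkout "$TARGET_REF"`) keeps the script text fixed and is what the Scorecard Dangerous-Workflow check looks for.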
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
new file mode 100644
index 0000000..880939a
--- /dev/null
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -0,0 +1,110 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Scorecard analysis
+run-name: Run Scorecard scanner for security best practices
+
+# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
+# that evaluates a project's security practices. Its use is suggested by
+# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
+
+on:
+ schedule:
+ # Run weekly on Saturdays.
+ - cron: '30 9 * * 6'
+
+ pull_request:
+ types: [opened, synchronize]
+ branches:
+ - main
+ - master
+
+ # Support merge queues.
+ merge_group:
+ types:
+ - checks_requested
+
+ # Allow manual invocation.
+ workflow_dispatch:
+ inputs:
+ debug:
+ description: 'Run with debugging options'
+ type: boolean
+ default: true
+
+concurrency:
+ # Cancel any previously-started but still active runs on the same branch.
+ cancel-in-progress: true
+ group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
+# Declare default workflow permissions as read only.
+permissions: read-all
+
+jobs:
+ run-scorecard:
+ if: github.repository_owner == 'quantumlib'
+ name: Scorecard analyzer
+ runs-on: ubuntu-24.04
+ permissions:
+ security-events: write
+ id-token: write
+ timeout-minutes: 15
+ steps:
+ - name: Check out a copy of the git repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run Scorecard analysis
+ # yamllint disable rule:line-length
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ # Save the results
+ results_file: scorecard-results.sarif
+ results_format: sarif
+ # See https://github.com/ossf/scorecard-action#publishing-results.
+ publish_results: true
+
+ - name: Upload results to code-scanning dashboard
+ # yamllint disable rule:line-length
+ uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+ with:
+ sarif_file: scorecard-results.sarif
+
+ - if: github.event.inputs.debug == true
+ name: Upload results as artifacts to the workflow Summary page
+ # yamllint disable rule:line-length
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: Scorecard SARIF file
+ path: scorecard-results.sarif
+ retention-days: 5
+
+ # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having
+ # steps that use "run:". To print to the summary, we need to use another job.
+ write-summary:
+ name: Scorecard results
+ needs: run-scorecard
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
+ steps:
+ - name: Write the Scorecard report page link to the workflow summary
+ run: |
+ repo="${{github.repository}}"
+ url="https://scorecard.dev/viewer/?uri=github.com/${repo}"
+ {
+ echo -n "The results are available on the OpenSSF Scorecard "
+ echo "[report page for ${{github.repository}}]($url)."
+ } >> "$GITHUB_STEP_SUMMARY"

From b89e20e3ee366fb30ce9f5d609f61b991921d161 Mon Sep 17 00:00:00 2001
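Review bot: `id-token: write` on the `run-scorecard` job is left unexplained, while the osv-scanner.yaml hunk comments its one elevated permission; add `# Needed by scorecard-action to publish results (publish_results: true).` above it and `# Needed to upload SARIF to the code-scanning dashboard.` above `security-events: write`, so the next reader knows which step each grant serves and can drop it if that step goes. In the `write-summary` script, `repo` is assigned from `${{github.repository}}` and used to build `url`, but the second `echo` re-expands the same expression instead of reusing the variable; `echo "[report page for ${repo}]($url)."` keeps the script consistent and leaves a single expression expansion to audit. The artifact step's `if: github.event.inputs.debug == true` has the same string-versus-boolean comparison problem raised on the osv-scanner.yaml hunk.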
From: mhucka
Date: Mon, 1 Dec 2025 16:40:01 +0000
Subject: [PATCH 2/3] Using OSV scanner not needed if using Dependabot too

Dependabot queries the OSV database.
---
 .github/workflows/osv-scanner.yaml | 151 ----------------------------
 1 file changed, 151 deletions(-)
 delete mode 100644 .github/workflows/osv-scanner.yaml

diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml
deleted file mode 100644
index 0ff1d2d..0000000
--- a/.github/workflows/osv-scanner.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: OSV scan
-run-name: Run open-source vulnerabilities (OSV) scanner
-
-# The OSV scanner is a dependency vulnerability scanner that identifies known
-# vulnerabilities in a project's dependencies. It supports C/C++, Python, Java,
-# JavaScript, and others. The findings are reported in the repo's code-scanning
-# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
-# For more OSV scanner examples and options, including how to ignore specific
-# vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
-
-on:
- schedule:
- # Run weekly on Saturdays.
- - cron: '30 10 * * 6'
-
- pull_request:
- types: [opened, synchronize]
- branches:
- - main
- - master
-
- # Support merge queues.
- merge_group:
- types:
- - checks_requested
-
- # Allow manual invocation.
- workflow_dispatch:
- inputs:
- debug:
- description: 'Run with debugging options'
- type: boolean
- default: true
-
-concurrency:
- # Cancel any previously-started but still active runs on the same branch.
- cancel-in-progress: true
- group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
-
-# Declare default workflow permissions as read only.
-permissions: read-all
-
-jobs:
- osv-scan:
- if: github.repository_owner == 'quantumlib'
- name: OSV scanner
- runs-on: ubuntu-24.04
- timeout-minutes: 15
- permissions:
- # Needed to upload the results to code-scanning dashboard:
- security-events: write
- env:
- # Setting Bash SHELLOPTS here takes effect for all shell commands below.
- SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }}
- steps:
- - name: Check out a copy of the git repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- fetch-depth: 0
-
- - name: Check out the target branch
- run: |
- git checkout ${{github.base_ref || github.ref_name}}
- git submodule update --recursive
-
- - name: Run OSV scanner on existing code
- # yamllint disable rule:line-length
- uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
- continue-on-error: true
- with:
- scan-args: |-
- --include-git-root
- --format=json
- --output=old-results.json
- --recursive
- ./
-
- - name: Check out current branch
- # Use -f in case any changes were made by osv-scanner.
- run: |
- git checkout -f "$GITHUB_SHA"
- git submodule update --recursive
-
- - name: Run OSV scanner on new code
- # yamllint disable rule:line-length
- uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
- continue-on-error: true
- with:
- scan-args: |-
- --include-git-root
- --format=json
- --output=new-results.json
- --recursive
- ./
-
- - name: Run the OSV scanner reporter for the job summary page
- # yamllint disable rule:line-length
- uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
- with:
- scan-args: |-
- --output=markdown:output.md
- --old=old-results.json
- --new=new-results.json
- --fail-on-vuln=false
-
- - name: Write the results to the job summary page
- run: cat output.md >> "$GITHUB_STEP_SUMMARY"
-
- - name: Run the OSV scanner reporter for the code-scanning dashboard
- # yamllint disable rule:line-length
- uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
- with:
- scan-args: |-
- --output=osv-results.sarif
- --old=old-results.json
- --new=new-results.json
- --gh-annotations=true
- --fail-on-vuln=true
-
- - name: Upload results to the repository's code-scanning results dashboard
- id: upload_artifact
- # yamllint disable rule:line-length
- uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
- with:
- sarif_file: osv-results.sarif
-
- - if: github.event.inputs.debug == true
- name: Upload results as artifacts to the workflow Summary page
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: SARIF file
- path: osv-results.sarif
- retention-days: 5
-
- - name: Print an alert message if an error occurred
- if: ${{always() && steps.upload_artifact.outcome == 'failure'}}
- run: echo '::error::Artifact upload failed. Check the workflow logs.'

From 1689b64f4befee86be9527ce04ff8304f8962504 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Mon, 1 Dec 2025 16:49:39 +0000
Subject: [PATCH 3/3] Update and simplify scorecard workflow

---
 .github/workflows/scorecard-scanner.yaml | 28 ++++--------------------
 1 file changed, 4 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
index 880939a..4a25ffc 100644
--- a/.github/workflows/scorecard-scanner.yaml
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -29,20 +29,9 @@ on: types: [opened, synchronize] branches: - main - - master - - # Support merge queues. - merge_group: - types: - - checks_requested # Allow manual invocation. workflow_dispatch: - inputs: - debug: - description: 'Run with debugging options' - type: boolean - default: true concurrency: # Cancel any previously-started but still active runs on the same branch.
@@ -63,13 +52,13 @@ jobs: timeout-minutes: 15 steps: - name: Check out a copy of the git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - name: Run Scorecard analysis # yamllint disable rule:line-length - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: # Save the results results_file: scorecard-results.sarif
@@ -79,25 +68,16 @@ jobs: - name: Upload results to code-scanning dashboard # yamllint disable rule:line-length - uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/upload-sarif@ba454b8ab46733eb6145342877cd148270bb77ab # codeql-bundle-v2.23.5 with: sarif_file: scorecard-results.sarif - - if: github.event.inputs.debug == true - name: Upload results as artifacts to the workflow Summary page - # yamllint disable rule:line-length - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: Scorecard SARIF file - path: scorecard-results.sarif - retention-days: 5 - # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having # steps that use "run:". To print to the summary, we need to use another job. write-summary: name: Scorecard results needs: run-scorecard - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim timeout-minutes: 5 steps: - name: Write the Scorecard report page link to the workflow summary
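Review bot: The new pin comment `# codeql-bundle-v2.23.5` on the `upload-sarif` step names a CodeQL bundle tag, whereas the line it replaces and every other `uses:` pin in this file name the action's own release tag (`# v3.29.5`, `# v6.0.0`, `# v2.4.3`); a reader verifying the SHA against codeql-action releases will look for a `vX.Y.Z` tag, so record that tag in the comment (`# vX.Y.Z` is a placeholder for the release tag that resolves to this SHA) or say why the bundle tag is intended. `runs-on: ubuntu-slim` is a reasonable fit for a job whose only step appends one line to the summary, but it is a newer label than the `ubuntu-24.04` used by `run-scorecard`; confirm it is enabled for this organization so the `needs: run-scorecard` job does not sit queued. The `write-summary` job continues past the end of the hunk.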