Add OSV-Scanner-based security workflow#362
Open
vikrantpuppala wants to merge 1 commit into
Single workflow, single job, three triggers:
- pull_request to main: fails on CVSS >= 7 findings only
  (HIGH/CRITICAL block merges; MED/LOW visible but non-blocking)
- cron weekly (Sunday 00:00 UTC): reports ALL findings via email
- workflow_dispatch: behaves like cron
Mirrors the JDBC driver's security workflow (databricks-jdbc#1460)
adapted for Go:
- Reads go.mod natively via OSV-Scanner --lockfile (no SBOM step)
- Reuses the existing ./.github/actions/setup-jfrog composite action
  for the GOPROXY OIDC token dance
- Suppressions in osv-scanner.toml ([[IgnoredVulns]] schema)
The workflow is not yet wired into branch protection. Day-one runs
against current main will surface 5 HIGH findings (golang-jwt/jwt/v5,
apache/thrift, golang.org/x/crypto, golang.org/x/oauth2,
google.golang.org/protobuf) that will be cleared by a follow-up
dep-bump PR.
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Summary

- .github/workflows/securityScan.yml — single workflow, single job, three triggers (PR / weekly cron / manual). PR runs fail on CVSS ≥ 7 only; weekly runs report all findings and email the team.
- osv-scanner.toml — empty suppressions file (populate iteratively as real false positives surface).
- ./.github/actions/setup-jfrog composite action — no duplicate OIDC-token logic.

Mirrors the JDBC driver's workflow (databricks-jdbc#1460), adapted for Go: reads go.mod natively via OSV-Scanner (no separate SBOM tool needed).

Day-one results

The workflow is not yet wired into branch protection, so its first PR-time runs are advisory. A dry-run against current main surfaces:

- golang-jwt/jwt/v5@5.2.1
- apache/thrift@0.17.0
- golang.org/x/crypto@0.31.0
- golang.org/x/oauth2@0.7.0
- google.golang.org/protobuf@1.28.1

(stdlib@1.20.99 advisories — addressed by bumping the Go toolchain)

All are legitimate findings, not false positives. A follow-up dep-bump PR will clear them. Once that's green, branch protection can be flipped to require this check.

Test plan

- go.mod — produces expected findings
- workflow_dispatch after merge exercises the weekly path
- (SMTP_USERNAME, SMTP_PASSWORD, EMAIL_RECIPIENTS) wired in repo settings before the first scheduled run

This pull request was AI-assisted by Isaac.
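The severity gate the commit message and the summary describe (PR runs fail only on CVSS >= 7, the weekly run reports everything) is shown below as a small Go program. It is an added illustration, not code from this PR or from the repository's workflow. It assumes the `osv-scanner --format=json` output shape (`results[].packages[].groups[].max_severity`, with the score carried as a string), which should be checked against the scanner version pinned in the workflow; the package names, advisory IDs and scores in `SampleReport` are constructed placeholders, and `ParseFindings`, `Gate` and `describe` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// osvReport is a minimal view of `osv-scanner --format=json` output.
// The field names are an assumption about the scanner's JSON schema; verify
// them against the scanner version pinned in CI before relying on this gate.
type osvReport struct {
	Results []struct {
		Packages []struct {
			Package struct {
				Name    string `json:"name"`
				Version string `json:"version"`
			} `json:"package"`
			// A group collapses the aliases of one advisory (GO-, GHSA-, CVE-)
			// and carries the highest CVSS score across them as a string.
			Groups []struct {
				IDs         []string `json:"ids"`
				MaxSeverity string   `json:"max_severity"`
			} `json:"groups"`
		} `json:"packages"`
	} `json:"results"`
}

// Finding is one advisory group against one package.
type Finding struct {
	Package string
	Version string
	IDs     []string
	Score   float64 // CVSS base score; only meaningful when Scored is true
	Scored  bool
}

// ParseFindings flattens the report into one Finding per advisory group.
// Suppressions from osv-scanner.toml are applied by the scanner itself, so
// ignored advisories never reach this point.
func ParseFindings(data []byte) ([]Finding, error) {
	var rep osvReport
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("decode osv-scanner json: %w", err)
	}
	var out []Finding
	for _, r := range rep.Results {
		for _, p := range r.Packages {
			for _, g := range p.Groups {
				f := Finding{Package: p.Package.Name, Version: p.Package.Version, IDs: g.IDs}
				// An empty or malformed max_severity leaves the finding unscored
				// rather than silently treating it as 0.0.
				if s, err := strconv.ParseFloat(g.MaxSeverity, 64); err == nil {
					f.Score, f.Scored = s, true
				}
				out = append(out, f)
			}
		}
	}
	return out, nil
}

// Gate splits findings into blocking and advisory. A scored finding blocks when
// Score >= threshold; an unscored one blocks only if blockUnscored is set.
// Both slices come back sorted by score, highest first.
func Gate(findings []Finding, threshold float64, blockUnscored bool) (blocking, advisory []Finding) {
	for _, f := range findings {
		if (f.Scored && f.Score >= threshold) || (!f.Scored && blockUnscored) {
			blocking = append(blocking, f)
		} else {
			advisory = append(advisory, f)
		}
	}
	byScore := func(s []Finding) {
		sort.SliceStable(s, func(i, j int) bool { return s[i].Score > s[j].Score })
	}
	byScore(blocking)
	byScore(advisory)
	return blocking, advisory
}

// SampleReport is constructed test data in the assumed schema. Package names,
// advisory IDs and scores are placeholders, not real advisories.
const SampleReport = `{"results":[{"packages":[
 {"package":{"name":"example.com/lib/auth","version":"1.2.3"},
  "groups":[{"ids":["GO-EXAMPLE-0001","CVE-0000-00001"],"max_severity":"7.5"}]},
 {"package":{"name":"example.com/lib/proto","version":"0.9.0"},
  "groups":[{"ids":["GO-EXAMPLE-0002"],"max_severity":"5.3"}]},
 {"package":{"name":"example.com/lib/codec","version":"2.0.0"},
  "groups":[{"ids":["GO-EXAMPLE-0003"],"max_severity":""}]}
]}]}`

func describe(f Finding) string {
	score := "unscored"
	if f.Scored {
		score = fmt.Sprintf("CVSS %.1f", f.Score)
	}
	return fmt.Sprintf("%-24s %-8s %-9s %s", f.Package, f.Version, score, strings.Join(f.IDs, ","))
}

func main() {
	// Mode mirrors the workflow: "pr" gates on CVSS >= 7 and lets unscored
	// findings through as advisory; any other mode reports everything.
	threshold, blockUnscored := 0.0, true
	if len(os.Args) > 1 && os.Args[1] == "pr" {
		threshold, blockUnscored = 7.0, false
	}
	data := []byte(SampleReport) // falls back to the constructed sample
	if len(os.Args) > 2 {
		var err error
		if data, err = os.ReadFile(os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := ParseFindings(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	blocking, advisory := Gate(findings, threshold, blockUnscored)
	for _, f := range blocking {
		fmt.Println("BLOCK   ", describe(f))
	}
	for _, f := range advisory {
		fmt.Println("ADVISORY", describe(f))
	}
	if len(blocking) > 0 {
		os.Exit(1)
	}
}
```

`go run gate.go pr report.json` exits 1 only when something scores at or above 7.0, which is the merge-blocking behaviour the PR describes; without `pr` every finding is listed and the exit code is non-zero whenever anything is present, so the weekly job would pair it with `continue-on-error` and the email step. Unscored advisories stay advisory in PR mode to match the stated "CVSS >= 7 only" rule; flipping `blockUnscored` there is the conservative choice if unrated advisories should not pass silently.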