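# This workflow will run security checks against our project
name: Security

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege for the GITHUB_TOKEN: none of the jobs below push, comment
# or call write APIs — they check out the source, scan it and print a report —
# so read access to repository contents is all they need. Without this stanza
# the token inherits the repository's default (often read/write) scope.
permissions:
  contents: read

jobs:
  # Dependency vulnerability scan with OSV-Scanner, run inside its own
  # digest-pinned container image.
  osv-scanner:
    runs-on: ubuntu-latest
    # Skip automated "bump:" release commits. On pull_request events the
    # payload has no head_commit, so the expression appears to evaluate to
    # true and the job still runs — verify if PR behaviour ever changes.
    if: "!startsWith(github.event.head_commit.message, 'bump:')"
    container:
      image: ghcr.io/google/osv-scanner:v2.1.0@sha256:9a1ba57d2a1506c9e9d0dfbeaf46346507e829745b70d47d77e12c38e66de8d7
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Run OSV Scanner
        run: |
          /osv-scanner --format table -r .

  # Static analysis with Semgrep using its auto-selected ruleset, run inside
  # a digest-pinned container image.
  semgrep:
    runs-on: ubuntu-latest
    if: "!startsWith(github.event.head_commit.message, 'bump:')"
    container:
      image: returntocorp/semgrep:1.128.1@sha256:144d315f7354c2b2c53021a76165a500f67252c47464be75e951b67050f54a9e
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Run Semgrep
        run: |
          semgrep scan --config auto

  # Typosquatting check of the project's own dependencies with Twyn; the
  # project is installed from the lockfile (--locked) so the scanned set
  # matches what is committed.
  twyn:
    runs-on: ubuntu-latest
    if: "!startsWith(github.event.head_commit.message, 'bump:')"
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install uv
        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
      - name: Install the project
        run: uv sync --locked --extra cli
      - name: Run Twyn against our dependencies
        run: |
          uv run twyn --version
          uv run twyn run -vv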