.github/workflows/vulnerability-scan.yml

name: Security vulnerability scan

on:
  workflow_call:

permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Generate SBOM
        run: ./gradlew cyclonedxBom
      - uses: actions/upload-artifact@v4
        with:
          name: cyclonedx-sboms
          path: |
            core/build/reports/bom.json
            isthmus/build/reports/bom.json
            isthmus-cli/build/reports/bom.json
  scan:
    needs: sbom
    runs-on: ubuntu-latest
    continue-on-error: true
    permissions:
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        project:
          - core
          - isthmus
          - isthmus-cli
    steps:
      - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1
        with:
          download-artifact: cyclonedx-sboms
          scan-args: |-
            --sbom=${{ matrix.project }}/build/reports/bom.json