build: use osv-scanner-reusable GitHub Action

substrait-io · Jun 11, 2024 · dca622e · dca622e
1 parent 2c4dce9
commit dca622e
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 22 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -34,28 +34,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: gradle/actions/wrapper-validation@v3
-  osv-scanner:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    strategy:
-      fail-fast: false
-      matrix:
-        project:
-          - core
-          - isthmus
-          - isthmus-cli
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Install OSV-Scanner
-        run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
-      - name: Generate SBOM
-        run: ./gradlew :${{ matrix.project }}:cyclonedxBom
-      - name: Scan
-        run: osv-scanner scan --sbom ${{ matrix.project }}/build/reports/bom.json
+  scan:
+    uses: ./.github/workflows/vulnerability-scan.yml
   java:
     name: Build and Test Java
     runs-on: ubuntu-latest

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,42 @@
+name: Security vulnerability scan
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Generate SBOM
+        run: ./gradlew cyclonedxBom
+      - uses: actions/upload-artifact@v4
+        with:
+          name: cyclonedx-sboms
+          path: |
+            core/build/reports/bom.json
+            isthmus/build/reports/bom.json
+            isthmus-cli/build/reports/bom.json
+  scan:
+    needs: sbom
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - core
+          - isthmus
+          - isthmus-cli
+    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1
+    with:
+      download-artifact: cyclonedx-sboms
+      scan-args: |-
+        --sbom=${{ matrix.project }}/build/reports/bom.json