From 75b3aa3b5c4b6c159d7a78ae183a1126ee5678cd Mon Sep 17 00:00:00 2001 From: Ilja Livenson Date: Mon, 6 Apr 2026 22:10:30 +0200 Subject: [PATCH] Add osv-scanner dependency vulnerability scanning workflow Adds a GitHub Actions workflow that scans package-lock.json for known CVEs using Google's osv-scanner. Runs on PRs, pushes to main, and weekly (Monday 06:00 UTC). Starts non-blocking (continue-on-error: true). --- .github/workflows/vulnerability-scan.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/vulnerability-scan.yml diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml new file mode 100644 index 0000000..ddf34ff --- /dev/null +++ b/.github/workflows/vulnerability-scan.yml @@ -0,0 +1,24 @@ +name: Vulnerability Scan + +on: + pull_request: + push: + branches: [main] + schedule: + - cron: '0 6 * * 1' # Weekly Monday 06:00 UTC + +permissions: + contents: read + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run osv-scanner + uses: google/osv-scanner-action/osv-scanner-action@v2 + continue-on-error: true + with: + scan-args: |- + --lockfile=package-lock.json