ci(security): add osv-scanner job for OSV database coverage #518
Merged
Conversation
Adds Google's osv-scanner as a new job in security.yml. Uses the OSV database, which is independent of RustSec (covered by cargo-audit and cargo-deny) and GHSA (covered by CodeQL). Provides a third independent advisory source. Failure semantics: scanner exit code is the gate at HIGH+ severity. SARIF output uploads to GitHub Code Scanning even on scan failure (if: always()) so the Security tab tracks history. Pinned to v2.3.5 because upstream has no v2 floating tag — only patch tags exist, and upstream warns that action behavior may change in minor patch updates. Refs spec docs/superpowers/specs/2026-04-11-security-audit-followups-design.md (Topic 2)
Summary
Adds an osv-scanner job to .github/workflows/security.yml. Uses the OSV vulnerability database, independent from RustSec (covered by cargo-audit/deny) and GHSA (covered by CodeQL). Provides a third independent advisory source.

Failure semantics

- continue-on-error.
- if: always() so failed scans still publish to GitHub Security tab for tracking.

Action versioning

Pinned to google/osv-scanner-action@v2.3.5. Upstream has no v2 floating tag — only patch tags exist, and upstream warns that action behavior may change in minor patch updates. See https://github.com/google/osv-scanner-action/releases for newer patch tags.

Expected first-run outcomes
a) Zero HIGH+ vulnerabilities (job passes): ideal outcome. Topic 1 (#517) just cleared 11 of 17 devtime advisories; the remaining 3 unique CVEs are vite dev-server issues which may or may not be reachable via osv-scanner's lockfile parsing.
b) osv-scanner finds HIGH+ vulnerabilities (job fails): informative. The OSV database may flag advisories that RustSec/GHSA don't. These would be real issues to investigate in a follow-up PR — don't fix here.
c) osv-scanner can't read bun.lock (Rust-only coverage): osv-scanner's lockfile parser has historically lagged on bun. If the scan is Rust-only, that's still additive value (OSV is the third independent source for Rust advisories).
Test plan
- jobs list shows: rust-audit, dependencies, bun-audit, secrets-scan, codeql, osv-scan
- osv-scanner category
Refs
🤖 Generated with Claude Code
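The two failure-semantics questions in this PR (what "gate at HIGH+ severity" means operationally, and outcome (c), where osv-scanner silently skips bun.lock and the job is Rust-only) can both be checked mechanically from the scanner's JSON report. The following is an added example, not the project's workflow or osv-scanner's own code: the PR gates on the scanner's exit code, whereas this script expresses the same HIGH+ policy as a post-processing step. It assumes the `osv-scanner --format json` report shape (`results[].source.path`, `results[].packages[].package`, and per-package `groups[]` carrying `ids`, `aliases` and `max_severity` as a CVSS base-score string, empty when OSV has no score); the sample report, package names and advisory IDs are constructed placeholders, not real advisories.

```python
# Added example (not the project's workflow): HIGH+ severity gate and
# lockfile-coverage check over `osv-scanner --format json` output.
# Assumed report shape: results[].source.path, results[].packages[].package
# {name,version,ecosystem}, and per package groups[] with ids, aliases and
# max_severity (CVSS base score as a string, "" when OSV carries none).
import json
import os
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample report with placeholder IDs, packages and scores (not real
# advisories): Cargo.lock has one HIGH group and one with no severity data;
# bun.lock has one MEDIUM group.
SAMPLE_OSV_JSON = """{"results": [
 {"source": {"path": "/work/Cargo.lock", "type": "lockfile"}, "packages": [
  {"package": {"name": "placeholder-crate", "version": "0.1.0", "ecosystem": "crates.io"},
   "vulnerabilities": [{"id": "RUSTSEC-0000-0000", "summary": "constructed"}],
   "groups": [{"ids": ["RUSTSEC-0000-0000"], "aliases": ["CVE-0000-00000"], "max_severity": "7.5"}]},
  {"package": {"name": "other-crate", "version": "2.0.0", "ecosystem": "crates.io"},
   "vulnerabilities": [{"id": "RUSTSEC-0000-0001", "summary": "constructed"}],
   "groups": [{"ids": ["RUSTSEC-0000-0001"], "aliases": [], "max_severity": ""}]}]},
 {"source": {"path": "/work/bun.lock", "type": "lockfile"}, "packages": [
  {"package": {"name": "placeholder-pkg", "version": "1.2.3", "ecosystem": "npm"},
   "vulnerabilities": [{"id": "GHSA-0000-0000-0000", "summary": "constructed"}],
   "groups": [{"ids": ["GHSA-0000-0000-0000"], "aliases": ["CVE-0000-00001"], "max_severity": "5.3"}]}]}
]}"""

HIGH_THRESHOLD = 7.0  # CVSS v3.x: HIGH is 7.0-8.9, CRITICAL is 9.0-10.0

@dataclass(frozen=True)
class Finding:
    ids: tuple                     # OSV IDs in the group (RUSTSEC-*, GHSA-*, ...)
    aliases: tuple                 # cross-database aliases, usually CVE-*
    ecosystem: str
    package: str
    version: str
    lockfile: str                  # basename of the scanned source
    max_severity: Optional[float]  # None when the group carries no score

@dataclass
class GateResult:
    failing: list = field(default_factory=list)
    unknown: list = field(default_factory=list)
    exit_code: int = 0

def load_report(text: str) -> dict:
    return json.loads(text)

def _score(raw) -> Optional[float]:
    # "7.5" -> 7.5; "" / missing / malformed -> None (unknown, never treated as 0.0)
    try:
        return float(raw) if raw not in (None, "") else None
    except (TypeError, ValueError):
        return None

def parse_findings(doc: dict) -> list:
    findings = []
    for result in doc.get("results", []):
        lockfile = os.path.basename(result.get("source", {}).get("path", ""))
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            # Fallback if no grouping is present: one group per vulnerability, score unknown
            groups = pkg.get("groups") or [
                {"ids": [v.get("id", "")], "aliases": v.get("aliases", [])}
                for v in pkg.get("vulnerabilities", [])]
            for g in groups:
                findings.append(Finding(tuple(g.get("ids", [])), tuple(g.get("aliases", [])),
                                        meta.get("ecosystem", ""), meta.get("name", ""),
                                        meta.get("version", ""), lockfile,
                                        _score(g.get("max_severity"))))
    return findings

def gate(findings, threshold=HIGH_THRESHOLD, fail_on_unknown=False) -> GateResult:
    """exit_code 1 if any group scores >= threshold, or lacks a score and fail_on_unknown."""
    res = GateResult()
    for f in findings:
        if f.max_severity is None:
            res.unknown.append(f)
        elif f.max_severity >= threshold:
            res.failing.append(f)
    res.exit_code = 1 if res.failing or (fail_on_unknown and res.unknown) else 0
    return res

def lockfile_coverage(doc: dict, expected=("Cargo.lock", "bun.lock")) -> dict:
    """True per expected lockfile if it appears as a scanned source (catches a skipped bun.lock)."""
    seen = {os.path.basename(r.get("source", {}).get("path", "")) for r in doc.get("results", [])}
    return {name: name in seen for name in expected}

def main(path=None) -> int:
    doc = load_report(open(path, encoding="utf-8").read() if path else SAMPLE_OSV_JSON)
    for name, ok in lockfile_coverage(doc).items():
        print(("scanned " if ok else "NOT scanned ") + name)
    res = gate(parse_findings(doc))
    for f in res.failing:
        print(f"FAIL {f.lockfile} {f.package}@{f.version} {','.join(f.ids)} CVSS {f.max_severity}")
    for f in res.unknown:
        print(f"UNKNOWN {f.lockfile} {f.package}@{f.version} {','.join(f.ids)}")
    return res.exit_code

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run as `python gate.py osv.json` after a scan that wrote JSON output (the JSON run is separate from the SARIF run that feeds Code Scanning; keep that upload step on `if: always()` so history is recorded whichever way the gate goes). Two policy decisions are explicit here rather than implicit in a threshold: groups with no OSV severity are reported but do not fail the job unless `fail_on_unknown=True`, and a lockfile the scanner never listed as a source is printed as NOT scanned, which is how a Rust-only run (outcome c) shows up instead of passing quietly.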