fix(ci): remove invalid osv-scanner flags #519

Merged
Detair merged 2 commits into main from fix/osv-scanner-flags
Apr 11, 2026

Conversation

@Detair Detair commented Apr 11, 2026

Owner

Summary

Fixes two issues with the osv-scanner CI job added in #518:

  1. Invalid flags: --skip-git and --severity=HIGH were both non-existent. The first run failed with "flag provided but not defined: -skip-git".

  2. Noisy findings — after removing the invalid flags, osv-scanner found 34 advisories (mostly unmaintained-crate warnings that cargo-audit treats as warnings, not errors, plus the 3 vite CVEs already documented in PR #517 (chore(client): clear 11 devtime advisories via transitive overrides) as accepted dev-only exceptions).

Fix

  • Commit 1 3cf6e3e: Strip to minimal valid flags (--recursive --format=sarif --output ./).
  • Commit 2 adec7e0: Add .osv-scanner.toml ignore config with 28 entries (accepted deny.toml advisories + gtk-rs 0.18 family unmaintained warnings + the vite exceptions from PR #517). Pass --config=/github/workspace/.osv-scanner.toml to the scanner.

Ignore list structure (28 entries)

| Category | Count | Notes |
| --- | --- | --- |
| deny.toml already-ignored | 3 | rsa Marvin, rand 0.8.5, lru unmaintained |
| gtk-rs 0.18 family (Tauri Linux) | 11 | Blocked on Tauri's gtk-rs pin |
| Misc unmaintained crates | 11 | proc-macro-error, paste, instant, derivative, fxhash, unic-*, bincode |
| vite dev-server CVEs | 3 | Already documented in PR #517 |

Each entry has a reason field with justification.

Verification

Local run:

osv-scanner --config=.osv-scanner.toml --recursive ./
Filtered 36 vulnerabilities from output
No issues found

CI run on branch (https://github.com/Detair/kaiku/actions/runs/24293183995):

  • OSV Scanner: completed/success

Refs

🤖 Generated with Claude Code

The osv-scan job failed on first-run with "Incorrect Usage: flag
provided but not defined: -skip-git". Both --skip-git and --severity
were incorrect guesses — osv-scanner v2.3.5 does not accept them.

Strip to minimal known-good flags: --recursive --format=sarif
--output=... ./. The scanner now gates on ANY vulnerability via
its default exit code. SARIF upload still publishes to Code
Scanning for tracking.

If the scan is too noisy post-merge, severity filtering can be
applied via GitHub's Security tab or by post-processing the SARIF.

Refs: first-run failure at https://github.com/Detair/kaiku/actions/runs/24292956710
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

The first-run osv-scan (after flag fix) found 34 vulnerabilities — most
are already accepted via deny.toml / rust-audit ignores or via PR #517
(vite dev-server exceptions nested through vitest). osv-scanner is
stricter than cargo-audit: it flags "unmaintained" crates as errors
where cargo-audit treats them as warnings.

Create .osv-scanner.toml at repo root with an explicit ignore list:

- 3 entries already in deny.toml (rsa Marvin, rand 0.8.5, lru)
- 11 entries for the gtk-rs 0.18 family (Linux-only Tauri deps, blocked
  on Tauri's gtk-rs pin)
- 11 entries for unmaintained-crate advisories (proc-macro-error, paste,
  instant, derivative, fxhash, unic-*, bincode)
- 3 entries for the vite CVEs already documented in PR #517 as accepted
  dev-only exceptions

Also pass --config to scan-args so the scanner picks up the file.

Local verification: osv-scanner --config=.osv-scanner.toml --recursive ./
now reports "No issues found" with 36 filtered vulnerabilities.

When NEW advisories appear, osv-scanner will fail the build and we
investigate, then either fix the dep or add a new entry here.

Refs: first-run findings at https://github.com/Detair/kaiku/actions/runs/24293038310
@Detair Detair merged commit fd9a100 into main Apr 11, 2026
22 checks passed
@Detair Detair deleted the fix/osv-scanner-flags branch April 11, 2026 22:41