Adding OSV-Scanner to GitHub Actions
Scan your lockfiles against the open OSV database with Google OSV-Scanner.
OSV-Scanner checks your lockfiles against OSV.dev, the open vulnerability database aggregating advisories across ecosystems. Google publishes a reusable workflow that handles SARIF upload, so wiring it up is mostly a one-liner referencing that workflow.
What you need
- Supported lockfiles (package-lock.json, poetry.lock, go.mod, Cargo.lock, etc.).
- The google/osv-scanner-action reusable workflow.
- security-events: write to upload SARIF.
The workflow
Call the reusable PR-scan workflow.
.github/workflows/osv.yml
jobs:
scan:
uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2
with:
scan-args: |-
--recursive
./
permissions:
security-events: write
contents: readCommon gotchas
- It scans lockfiles, so a manifest without a committed lockfile yields nothing.
- --recursive is needed for monorepos with nested lockfiles.
- Findings can include transitive-only CVEs you cannot fix directly - triage before failing builds.
Key takeaways
- OSV-Scanner checks lockfiles against the open OSV.dev database.
- Use the google/osv-scanner-action reusable workflow for SARIF.
- Commit lockfiles and use --recursive for monorepos.
Related guides
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Running npm audit in GitHub ActionsGate your Node CI on npm audit in GitHub Actions: choose an audit level, handle transitive noise, and avoid f…
Running pip-audit in GitHub ActionsAudit Python dependencies for vulnerabilities with pip-audit in GitHub Actions, scan requirements or the envi…