| name: Third party deps scan |
| on: |
| # Only the default branch is supported. |
| branch_protection_rule: |
| pull_request: |
| types: [ labeled ] |
| |
| # Declare default permissions as read only. |
| permissions: read-all |
| |
| jobs: |
| extract-deps: |
| name: Extract Dependencies |
| runs-on: ubuntu-20.04 |
| if: ${{ (github.repository == 'flutter/engine' && github.event_name == 'push') || github.event.label.name == 'vulnerability scan' }} |
| permissions: |
| # Needed to upload the SARIF results to code-scanning dashboard. |
| security-events: write |
| contents: read |
| steps: |
| - name: "Checkout code" |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 |
| with: |
| persist-credentials: false |
| - name: "setup python" |
| uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c |
| with: |
| python-version: '3.7.7' # install the python version needed |
| - name: "extract, flatten, and convert to osv-scanner deps" |
| run: python ci/deps_parser.py |
| - name: "evaluate git history for common ancestors" |
| run: python ci/scan_deps.py |
| - name: "upload osv-scanner deps" |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 |
| with: |
| name: converted-osv-lockfile |
| path: converted-osv-lockfile.json |
| retention-days: 2 |
| vuln-scan: |
| name: Vulnerability scanning |
| uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main" |
| with: |
| # Download the artifact uploaded in extract-deps step |
| download-artifact: converted-osv-lockfile |
| scan-args: |- |
| --lockfile=osv-scanner:converted-osv-lockfile.json |
| fail-on-vuln: false |
| # makes sure the osv-formatted vulns are uploaded |
| needs: |
| extract-deps |
| permissions: |
| # Needed to upload the SARIF results to code-scanning dashboard. |
| security-events: write |
| contents: read |