@mhucka mhucka commented Nov 23, 2025

This is almost identical to the latest version of this scanner used in the qsim repository.

This is almost identical to the latest version used in the qsim
repository. It has a minor improvement in using an `ubuntu-slim` runner
for the summary-writing job and also respecting the `runner.debug`
variable.
@mhucka mhucka requested review from a team and vtomole as code owners November 23, 2025 00:31
@github-actions github-actions bot added the size: L 250< lines changed <1000 label Nov 23, 2025
@github-advanced-security
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov
codecov bot commented Nov 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.57%. Comparing base (c6c0eff) to head (9a91b4a).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7768      +/-   ##
==========================================
- Coverage   99.57%   99.57%   -0.01%     
==========================================
  Files        1102     1102              
  Lines       98425    98425              
==========================================
- Hits        98006    98005       -1     
- Misses        419      420       +1     


@pavoljuhas pavoljuhas left a comment


Let us run these as scheduled scans to save on resources and avoid user confusion.

Also please move the introduction of osv-scan to its own PR.

@@ -0,0 +1,145 @@
# Copyright 2025 Google LLC
Collaborator
Can you please move this to a separate PR?

Also, let us try to keep this as simple and as close as possible to the example workflows at https://github.com/google/osv-scanner. Running this on schedule should be sufficient; again, we do not need to create noise in CI checks for our contributors. (We have no large-scale continuous deployment of Cirq, so it is not that critical to catch vulnerabilities on the spot. Also, the only kind of PRs that can introduce them are changes to Python dependencies or GHA workflows.)
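For reference, a minimal schedule-only OSV scan in the style of the upstream example workflows, added here as an illustration and not the workflow file from this PR; the version tag on the reusable workflow is an assumption and should be pinned to a release or commit SHA you have verified.

```yaml
# Added example, not the PR's own file: a scheduled-only OSV scan that
# calls the reusable workflow published in google/osv-scanner-action.
# The @v1 tag is an assumption; pin to a verified release or commit SHA.
name: OSV scan

on:
  schedule:
    # Weekly, Mondays at 06:00 UTC. There is deliberately no pull_request
    # trigger, so the scan adds no checks to contributors' PRs.
    - cron: '0 6 * * 1'
  workflow_dispatch:   # allow a manual run when triaging a new advisory

permissions:
  contents: read       # least privilege at the workflow level

jobs:
  osv-scan:
    permissions:
      contents: read
      actions: read
      security-events: write   # required to upload SARIF to the Security tab
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1
    with:
      # Scan the whole checkout (lockfiles, requirements, workflows) recursively.
      scan-args: |-
        --recursive
        ./
```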

Contributor Author


I moved the Scorecard changes to another PR (#7776)

The changes are being done in another PR:
quantumlib#7776
@github-actions github-actions bot added size: M 50< lines changed <250 and removed size: L 250< lines changed <1000 labels Nov 28, 2025
@mhucka mhucka changed the title Update Scorecard scanner and add OSV scanner Add OSV scanner Nov 28, 2025
@mhucka mhucka marked this pull request as draft November 28, 2025 05:18
@mhucka
Contributor Author

mhucka commented Dec 1, 2025

In the process of checking more closely what OSV does, I discovered that Dependabot uses the same database. Thus, it turns out that adding OSV as a separate scanner is not necessary!

@mhucka mhucka closed this Dec 1, 2025
Labels

area/ci size: M 50< lines changed <250