OSV scanner github action (#698)

Creates docker image for osv scanner to allow it to run as a github
action, and the appropriate action.yml.

The current implementation is not particularly useful, only printing out
the found vulnerabilities to the logs. It should be running under this
PR.

TODO: Decide what the goal of the github action will be.

.github/workflows/osv-scanner.yml

@@ -0,0 +1,28 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on: [pull_request]
+
+jobs:
+  osv-scanner:
+    name: Scan for vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: osv scan step
+        id: osv-scanning
+        uses: ./tools/osv-scanner/

tools/osv-scanner/Dockerfile

@@ -0,0 +1,38 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:alpine
+
+RUN mkdir /src
+WORKDIR /src
+
+COPY ./go.mod /src/go.mod
+COPY ./go.sum /src/go.sum
+RUN go mod download
+
+COPY ./ /src/
+RUN go build -o osv-scanner ./cmd/osv-scanner/
+
+FROM alpine:latest
+RUN apk --no-cache add \
+    ca-certificates \
+    git
+
+# Allow git to run on mounted directories
+RUN git config --global --add safe.directory '*'
+
+WORKDIR /root/
+COPY --from=0 /src/osv-scanner ./
+
+ENTRYPOINT ["/root/osv-scanner"]

tools/osv-scanner/action.yml

@@ -0,0 +1,13 @@
+name: 'osv-scanner'
+description: 'Scans your directory against the OSV database'
+inputs:
+  to-scan: 
+    description: 'Directory to scan'
+    required: true
+    default: '/github/workspace'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - '--skip-git'
+    - ${{ inputs.to-scan }}

tools/osv-scanner/cmd/osv-scanner/main.go

@@ -23,15 +23,15 @@ import (
 )
 
 // scanDir walks through the given directory to try to find any relevant files
-func scanDir(query *osv.BatchedQuery, dir string) error {
+func scanDir(query *osv.BatchedQuery, dir string, skipGit bool) error {
 	log.Printf("Scanning dir %s\n", dir)
 	return filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			log.Printf("Failed to walk %s: %v", path, err)
 			return err
 		}
 
-		if info.IsDir() && info.Name() == ".git" {
+		if !skipGit && info.IsDir() && info.Name() == ".git" {
 			gitQuery, err := scanGit(filepath.Dir(path))
 			if err != nil {
 				log.Printf("scan failed for %s: %v\n", path, err)
@@ -265,6 +265,11 @@ func main() {
 				Name:  "json",
 				Usage: "sets output to json (WIP)",
 			},
+			&cli.BoolFlag{
+				Name:  "skip-git",
+				Usage: "skip scanning git repositories",
+				Value: false,
+			},
 		},
 		ArgsUsage: "[directory1 directory2...]",
 		Action: func(context *cli.Context) error {
@@ -291,9 +296,10 @@ func main() {
 				}
 			}
 
+			skipGit := context.Bool("skip-git")
 			genericDirs := context.Args().Slice()
 			for _, dir := range genericDirs {
-				err := scanDir(&query, dir)
+				err := scanDir(&query, dir, skipGit)
 				if err != nil {
 					return err
 				}