feat(ci): central bundled Security Scan gate (osv hard-gate + trivy + scorecard) #310
Open
seonghobae wants to merge 1 commit into
… scorecard)

Bundles the supply-chain/vulnerability/posture scanners into one required org workflow that gates as a unit, replacing the separate osv-scanner-pr and scorecard-pr workflows:

- osv-scan: HARD, diff-scoped (fail-on-vuln: true) — blocks on NEW vulns
- dependency-review: HARD, diff-scoped — blocks vulnerable/denied added deps
- trivy-fs: HARD, repo-wide fixable CRITICAL/HIGH
- scorecard: SOFT (continue-on-error) — posture visibility, never blocks

Gating is by job result (ref-independent), not the code_scanning rule, which stays CodeQL-only to avoid the cross-tool SARIF-ref mismatch that blocked every merge org-wide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
```yaml
permissions:
  actions: read
  contents: read
  security-events: write
```
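Review bot: `security-events: write` is granted at the workflow level in this block, but the description says the gate is the job result, not the code_scanning rule, so only the jobs that actually upload SARIF need write access to code scanning; consider keeping the top-level block read-only (`contents: read`, plus `actions: read` where the scanner needs it) and adding a job-level `permissions:` with `security-events: write` on just those jobs, so a hard-gate job that merely exits non-zero runs with the least privilege it needs.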
**Purpose**

Bundles the scattered security scanners into **one central required workflow, Security Scan**, and makes osv a hard gate. (User request: "Let's make it a hard gate and bundle it together with the security scanners.")

**Bundle composition (gated per job = ref-independent)**

- osv-scan (`fail-on-vuln: true`)
- dependency-review
- trivy-fs (`exit-code: 1`, `ignore-unfixed`)
- scorecard (`continue-on-error`)

**Why gate on workflow checks rather than the code_scanning rule**

Default-setup CodeQL uploads SARIF to refs/pull/N/head, while pull_request workflows upload to refs/pull/N/merge, so no single ref carries results from every tool → putting several tools into the code_scanning rule permanently BLOCKs every PR. So code_scanning stays CodeQL-only, and the rest gate on workflow job results (ref-independent).

**Follow-up (after this PR merges)**

- Required workflows list: remove osv-scanner-pr.yml + scorecard-pr.yml → add security-scan.yml
- Delete osv-scanner-pr.yml and scorecard-pr.yml (cleanup PR)
- Clean up the duplicate Trivy in security-process.yml (optional)

trivy-fs scans the whole repo, so if fixable CRITICAL/HIGH findings already exist, every PR in that repo is blocked until they are fixed. If that is too strict, it can be lowered to `exit-code: "0"` for visibility only.

🤖 Generated with Claude Code
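The bundle structure described above, written out as an illustrative workflow file. This is an added example, not the PR's actual security-scan.yml: the action references, their version tags, the `runs-on` image and the `publish_results: false` setting are assumptions (pin to commit SHAs in practice); the job names, hard/soft split and the `fail-on-vuln`, `exit-code`, `ignore-unfixed` and `continue-on-error` settings are the ones the description lists.

```yaml
# security-scan.yml (assumed layout; the HARD jobs are what a required-check
# ruleset lists, SOFT jobs are visibility only)
name: Security Scan
on:
  pull_request:
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  # HARD, diff-scoped: the reusable PR workflow diffs base vs head and fails on NEW vulns
  osv-scan:
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2
    with:
      fail-on-vuln: true

  # HARD, diff-scoped: evaluates only dependencies added by this PR
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4

  # HARD, repo-wide: any fixable CRITICAL/HIGH in the tree fails the job,
  # which is why pre-existing findings block every PR until fixed
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"        # lower to "0" to make this visibility-only

  # SOFT: continue-on-error keeps the run green even if scorecard fails
  scorecard:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: false   # publishing would also need id-token: write
```

Branch protection or a ruleset then requires the `osv-scan`, `dependency-review` and `trivy-fs` check names, which are job results and so independent of which ref SARIF was uploaded to.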