Integrate osv-scanner workflow#241
Conversation
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Requesting changes. The reusable OSV workflows are commit-pinned and CI is green, but shipping a repository-wide malware advisory exception is not justified. Package removal does not make a locked or vendored malicious dependency safe; remove the exception or provide narrowly scoped, evidence-backed, time-bounded handling that cannot hide a real dependency finding.
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Re-review of the osv-scanner integration (head 4061582). The PR adds .github/workflows/osv-scanner-unified-workflow.yml (commit-pinned reusable workflows from google/osv-scanner-action @ 3adb4b1, comment v2.3.8) and an osv-scanner.toml ignore for MAL-2026-6561.
Prior-issue resolution checklist
- Global suppression of
MAL-2026-6561inosv-scanner.toml(blocking, 2026-07-09): Resolved. Commit4061582addsignoreUntil = 2026-07-20, making the exception time-bounded, and the author opened issue #240 to pursue PyPI namespace transfer. Independent verification: OSV advisoryMAL-2026-6561covers only the PyPI packageskillspector— a malicious impersonation of this repository — with affected versions0.0.1–0.0.4and2.3.7–2.3.10. This repo consumesskillspectorexclusively as a local editable package (uv.lock:source = { editable = "." }), never from PyPI, so the finding is a self-name-match false positive and the expiring, single-advisory ignore cannot hide a real third-party dependency vulnerability. Non-blocking nit: thereasonfield still says "pypi has already removed it", which is not the actual justification — it should state that this repo is the legitimate upstream being impersonated and does not installskillspectorfrom PyPI.
New blockers
- The OSV-Scanner workflow does not run on the current head. Workflow run 29040163397 (
pull_request, head4061582) concludedstartup_failurewith 0 jobs. The workflow YAML is syntactically valid and bothosv-scanner-reusable.ymlandosv-scanner-reusable-pr.ymlexist at pinned SHA3adb4b1(verified via the GitHub API), so the most likely cause is the repository/organization GitHub Actions policy not permittinggoogle/osv-scanner-actionreusable workflows. As-is, merging adds a check that fails on every PR (and on pushes tomain) while providing no scanning. Please work with maintainers to allowlist the action (or inline the scan steps) and demonstrate a green OSV-Scanner run on this PR before merge.
Non-blocking notes
ignoreUntil = 2026-07-20is six days out; when it lapses,MAL-2026-6561will fail PR scans again unless the PyPI namespace issue is resolved or the entry is consciously renewed. Also notemainis now at version2.3.11, which is not in the advisory's affected versions, so after a rebase the entry may become unnecessary — worth re-checking then.- The base
CIworkflow on this head isaction_required(awaiting maintainer approval), so CI is unverified on the new commit; the commit only touchesosv-scanner.toml, so risk to the test suite is minimal.
| ./ | ||
| scan-pr: | ||
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | ||
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@3adb4b14a2b0623876d18d863a498b785fb3752d" # v2.3.8 |
There was a problem hiding this comment.
The pull_request run of this workflow on the current head concluded startup_failure with 0 jobs (run 29040163397). The YAML is valid and both reusable workflows exist at pinned SHA 3adb4b1, so this is most likely the org/repo Actions policy not allowing google/osv-scanner-action reusable workflows. Please get the action allowlisted (or inline the scan steps) and show a green OSV-Scanner run on this PR — as written, this check will fail on every PR without performing any scan.
There was a problem hiding this comment.
this is a sample run of the pr workflow in my fork showing a green run: https://github.com/smoy/SkillSpector/actions/runs/29359037710/job/87174081468?pr=9
Can you handle the action allowlisted?
Signed-off-by: Steven Moy <github@stevenmoy.com>
4061582 to
6436442
Compare
Integrate osv-scanner github action to leverage the vulnerability scanner on every pr
This is an example if osv-scanner find something