
ci(actions): bump ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml from c22009ccaab0d3234819d30d9d7a03d53c531cb9 to e070932adbacf11d72cf6fab5962c9398621104c#37

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/ByronWilliamsCPA/dot-github/dot-github/workflows/python-security-analysis.yml-e070932adbacf11d72cf6fab5962c9398621104c

Conversation


@dependabot dependabot Bot commented on behalf of github May 29, 2026

Contributor

Bumps ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml from c22009ccaab0d3234819d30d9d7a03d53c531cb9 to e070932adbacf11d72cf6fab5962c9398621104c.

Changelog

Sourced from ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml's changelog.

Changelog

All notable changes to this project's shared workflow templates are documented here.

The format follows Keep a Changelog.

This project uses date-based version headers (e.g. [2025-01-07]) rather than semver because it is a shared workflow library with continuous deployment; there are no numbered releases.

[Unreleased]

Added

  • python-sbom.yml: OSV-Scanner runs alongside Trivy and Grype as a third SBOM-ingest sibling job (scan-runtime-osv) for fast keyless CVE coverage per issue #152 follow-up. Adds new optional input run-osv (default true) that lets callers opt out. The job ingests the same sbom-runtime.json artifact that Trivy and Grype use, so no second resolver pass occurs. SARIF is uploaded under category osv-sbom-runtime-deps, surfacing alongside Trivy and Grype categories on the Security > Code scanning tab. Reuses the OSV-Scanner action SHA already pinned in python-security-analysis.yml (no new third-party surface). Gating mirrors Trivy: when fail-on-vulnerabilities: true (the default), an OSV finding fails the workflow. Caller surface is backwards-compatible; one new check entry appears in PR Checks UI for repos that keep the default.

  • sbom-nightly.yml: org-level nightly workflow that calls python-sbom.yml on a daily 02:17 UTC schedule plus workflow_dispatch. Skips cleanly in .github (no pyproject.toml); serves as the reference pattern for downstream repos that want nightly CVE database coverage between PR builds. Documents the schedule-trigger snippet downstream repos can paste into their own python-sbom.yml caller workflows so vulnerabilities disclosed after the last PR build are caught within 24 hours.

  • python-sbom.yml: Grype scanning runs alongside Trivy as a non-gating sibling job (scan-runtime-grype) for a 30-day parity window per issue #152. Adds new optional input grype-config-path (default .grype.yaml) and a parity-summary job that downloads both scanners' SARIF artifacts and writes a CVE-level set-diff (findings detected by both, by Trivy only, by Grype only) to the run summary. Trivy remains the gating scanner during parallel-run; the Grype job is non-gating via continue-on-error: true at the job level so genuine action failures still surface as a failed step in the logs while the workflow caller never blocks on Grype. The caller-supplied grype-config-path is validated against path-traversal (..) and absolute-path patterns before it reaches actions/checkout sparse-checkout or anchore/scan-action. Scanner SARIF is also uploaded as a workflow artifact (trivy-sarif, grype-sarif, 7-day retention) so the parity comparison can run on the actual finding sets rather than on job results alone. Caller surface is backwards-compatible; two new check entries appear in PR Checks UI. The trivyignore-path input is marked deprecation-pending for removal at the

... (truncated)

Commits
  • e070932 fix(sbom): rename SBOM to .cdx.json for osv-scanner v2.3.8 compatibility
  • 74c633a fix(release): apply PSR v10.5.3 bug mitigations to reusable workflow (#184)
  • e75a86b fix(release-tag): drop floating major tag to satisfy tag-protection ruleset (...
  • e72886a fix(python-ci): include hidden files in coverage-artifact upload (#181)
  • d3bc5c8 fix(scorecard): remove self-scorecard job that fails publish verification (#180)
  • d7a5f16 feat(python-sbom): add OSV-Scanner SBOM-ingest gate + nightly schedule (#152)...
  • 3065983 docs(security-analysis): document OSV-Scanner as merge_group dependency-CVE c...
  • 4eedf13 feat(scripts): SHA-pin tooling Suggested-tier follow-up (#176 review) (#177)
  • 20d63e1 fix(scripts): SHA-pin tooling robustness follow-up (#175 review) (#176)
  • f2f1909 fix(python-performance-regression): detect repo state instead of hardcoding u...
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
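The changelog entry above says the caller-supplied grype-config-path is validated against path-traversal (..) and absolute-path patterns before it reaches actions/checkout sparse-checkout or anchore/scan-action. As an added example, not code from the ByronWilliamsCPA/.github workflows, here is a POSIX sh check of that kind; the function name validate_config_path, the extra rejection of backslashes, whitespace and shell metacharacters, and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example (not from the ByronWilliamsCPA/.github repo): reject a workflow
# input before it is handed to a checkout or scanner step. Returns 0 when the
# value is an acceptable repository-relative path, 1 otherwise.
validate_config_path() {
  p=$1
  # Empty input is not a usable path.
  [ -n "$p" ] || return 1
  # Absolute paths: POSIX root, leading backslash, or a Windows drive letter.
  case "$p" in
    /*|\\*|[A-Za-z]:*) return 1 ;;
  esac
  # Any ".." path component, whether leading, trailing, or in the middle.
  case "$p" in
    ..|../*|*/..|*/../*) return 1 ;;
  esac
  # Backslashes (ambiguous separators), whitespace/newlines, home expansion
  # and shell metacharacters that could change meaning in a later run: step.
  case "$p" in
    *\\*|*[[:space:]]*|~*|*['$`;&|']*) return 1 ;;
  esac
  return 0
}

# Constructed sample inputs: report the verdict for each so the rules are visible.
report() {
  if validate_config_path "$1"; then
    printf 'accept  %s\n' "$1"
  else
    printf 'reject  %s\n' "$1"
  fi
}
report ".grype.yaml"
report "config/grype.yaml"
report "../grype.yaml"
report "config/../../grype.yaml"
report "/etc/grype.yaml"
report "C:\\grype.yaml"
report "grype.yaml; curl evil"
```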


dependabot Bot commented on behalf of github May 29, 2026

Contributor Author

Assignees

The following users could not be added as assignees: ByronWilliamsCPA. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.


github-actions Bot commented May 29, 2026


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| actions/ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml | e070932adbacf11d72cf6fab5962c9398621104c | Unknown | Unknown |

Scanned Files

  • .github/workflows/security-analysis.yml

…ecurity-analysis.yml

Bumps [ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml](https://github.com/byronwilliamscpa/.github) from c22009ccaab0d3234819d30d9d7a03d53c531cb9 to e070932adbacf11d72cf6fab5962c9398621104c.
- [Changelog](https://github.com/ByronWilliamsCPA/.github/blob/main/CHANGELOG.md)
- [Commits](ByronWilliamsCPA/.github@c22009c...e070932)

---
updated-dependencies:
- dependency-name: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml
  dependency-version: e070932adbacf11d72cf6fab5962c9398621104c
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/github_actions/ByronWilliamsCPA/dot-github/dot-github/workflows/python-security-analysis.yml-e070932adbacf11d72cf6fab5962c9398621104c branch from c8981e9 to 719e8bf on May 29, 2026 04:14