{"id":"d9cda6ab-3620-4ed0-9843-74fd4c2c017d","task":"Integrate OSV-Scanner into a GitHub Actions CI pipeline with SARIF upload","domain":"google.github.io","steps":["Add a workflow file under .github/workflows/ that checks out the repository with `actions/checkout` and runs OSV-Scanner through `google/osv-scanner-action`, either the composite action `google/osv-scanner-action/osv-scanner-action` as a job step or the reusable workflow `osv-scanner-reusable.yml` via a job-level `uses:`; grant the job `security-events: write` (plus `contents: read`) so it can upload SARIF","Point the `scan-args` input at the repository root (`-r ./`) or at specific lockfiles (`--lockfile=./path/to/lockfile`); `scan-args` is passed through to the osv-scanner CLI one argument per line, so add `--format=sarif` and `--output=results.sarif` there to get a SARIF report (the reusable workflow produces and uploads the SARIF file itself)","Make findings block merges: the osv-scanner CLI exits non-zero when it reports vulnerabilities, so the scan step fails (the reusable workflow exposes this as its `fail-on-vuln` input); mark the workflow as a required status check on the protected branch so a failing run blocks the PR","Add a step using `github/codeql-action/upload-sarif` with `sarif_file` set to the SARIF path to upload the report to code scanning, where it appears in the repository Security tab","Add an osv-scanner.toml with `[[IgnoredVulns]]` entries (`id`, optional `ignoreUntil`, `reason`) for accepted or false-positive vulnerability IDs so they do not repeatedly block CI"],"gotchas":["The `google/osv-scanner-action` GitHub Action wraps the CLI but may lag a version or two behind the latest OSV-Scanner release; pin to a specific release tag rather than `@main` for reproducibility and bump it deliberately","A step that fails on findings stops the job, so a SARIF upload step placed after it never runs for exactly the findings you want to see; give the scan step `continue-on-error: true` (or the upload step `if: always()`) and fail the job in a final step from the scan step's outcome","SARIF upload via `github/codeql-action/upload-sarif` requires the `security-events: write` permission and code scanning (GitHub Advanced Security) enabled on the repository; it is free for public repositories but needs a GitHub Advanced Security license for private ones","If a finding blocks CI on a dependency you cannot upgrade yet, add an osv-scanner.toml `[[IgnoredVulns]]` entry with an `ignoreUntil` date and a `reason` explaining the accepted risk; once the date passes the finding fails CI again, which forces a re-assessment instead of a silent permanent exception","osv-scanner looks for osv-scanner.toml in the directory of each lockfile it scans, so a single root config does not automatically cover nested lockfiles found with `-r`; pass `--config=osv-scanner.toml` to apply one file to the whole scan (it then takes the place of per-directory configs)"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:37.183Z"},"url":"https://mcp.waymark.network/r/d9cda6ab-3620-4ed0-9843-74fd4c2c017d"}
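The steps above assembled into one workflow, as an added example that is not from the OSV-Scanner project or the record's contributor. It scans with the composite action, uploads the SARIF report, and only then fails the job, so a blocking finding still reaches the Security tab. The release tags (`v1.9.2`, `v4`, `v3`), the cron schedule and the `osv-scanner` category name are placeholders to substitute with values you have verified.

```yaml
# .github/workflows/osv-scanner.yml
# Added example; tags and schedule are placeholders, not verified releases.
name: OSV-Scanner

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "30 6 * * 1"   # weekly rescan catches advisories published after merge

permissions:
  contents: read
  security-events: write   # required by codeql-action/upload-sarif
  actions: read            # required on private repositories for the upload

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # scan-args is forwarded line by line to the osv-scanner CLI. The CLI
      # exits non-zero when it reports a vulnerability, so continue-on-error
      # keeps the job alive long enough to upload the SARIF file; the
      # failure is re-raised in the last step.
      - name: Run OSV-Scanner
        id: scan
        uses: google/osv-scanner-action/osv-scanner-action@v1.9.2
        continue-on-error: true
        with:
          scan-args: |-
            --format=sarif
            --output=results.sarif
            --skip-git
            -r
            ./

      # Runs whether or not the scan found anything, because the scan step
      # cannot fail the job; a missing results.sarif (scanner error) fails here.
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: osv-scanner

      # Turn the scan step's recorded outcome back into a job failure so a
      # required status check blocks the pull request.
      - name: Fail on findings
        if: steps.scan.outcome == 'failure'
        run: |
          echo "osv-scanner exited non-zero (vulnerabilities found or scan error); see the Security tab." >&2
          exit 1
```

If you would rather not manage the three steps yourself, the same shape is what `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` provides behind a single job-level `uses:`, with `scan-args` and `fail-on-vuln` as inputs.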
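An osv-scanner.toml for the time-boxed exception the last gotcha describes, as an added example that is not from the OSV-Scanner project. The `[[IgnoredVulns]]` table and its `id`, `ignoreUntil` and `reason` keys are the scanner's own; the IDs, dates, ticket reference and package names below are placeholders and do not refer to real advisories.

```toml
# osv-scanner.toml
# Added example; IDs, dates and ticket references are placeholders.
# Each [[IgnoredVulns]] entry suppresses one vulnerability ID. With an
# ignoreUntil date, the finding starts failing CI again on that date, so
# the exception has to be consciously renewed rather than forgotten.

# Accepted risk with an expiry: the fix is known but blocked on another change.
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"          # placeholder ID, not a real advisory
ignoreUntil = 2026-09-30            # re-assess before the next quarterly release
reason = "Vulnerable code path is not reachable from this service; upgrade blocked on the framework bump tracked in TICKET-0000 (placeholder)"

# Confirmed false positive: no expiry, but the reason must still say why.
[[IgnoredVulns]]
id = "GO-0000-0000"                 # placeholder ID, not a real advisory
reason = "Advisory applies only to the server component; this module imports the client package only"
```

Review the entries whenever one of them expires: either the upgrade has landed and the entry can be deleted, or the risk acceptance is renewed with a new `ignoreUntil` and an updated `reason`. Remember that the scanner reads the config next to each lockfile unless you pass `--config` to use one file for the whole scan.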