{"id":51384714,"url":"https://github.com/creatornader/oss-security-scan","last_synced_at":"2026-07-03T19:08:59.874Z","repository":{"id":358420655,"uuid":"1241252593","full_name":"creatornader/oss-security-scan","owner":"creatornader","description":"Reusable GitHub Actions workflow: typos + gitleaks + trufflehog + osv-scanner for public OSS repos. One uses: line.","archived":false,"fork":false,"pushed_at":"2026-05-24T12:41:00.000Z","size":57,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-24T14:19:37.861Z","etag":null,"topics":["github-actions","gitleaks","oss","osv-scanner","reusable-workflow","security","trufflehog"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/creatornader.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-17T06:32:17.000Z","updated_at":"2026-05-24T12:40:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/creatornader/oss-security-scan","commit_stats":null,"previous_names":["creatornader/oss-security-scan"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/creatornader/oss-security-scan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/creatornader%2Foss-security-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/creatornader%2Foss-security-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/creatornader%2Foss-security-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/creatornader%2Foss-security-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/creatornader","download_url":"https://codeload.github.com/creatornader/oss-security-scan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/creatornader%2Foss-security-scan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35097937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","gitleaks","oss","osv-scanner","reusable-workflow","security","trufflehog"],"created_at":"2026-07-03T19:08:59.316Z","updated_at":"2026-07-03T19:08:59.865Z","avatar_url":"https://github.com/creatornader.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# oss-security-scan\n\nReusable GitHub Actions workflow that runs **typos + gitleaks + trufflehog + osv-scanner** against a public OSS repo. One `uses:` line in your repo replaces ~100 lines of inline workflow.\n\nPairs with [`textleaks`](https://github.com/creatornader/textleaks) (narrative-leak detection) and [`oss-twin`](https://github.com/creatornader/oss-twin) (public/private mirror plumbing). All three are slot-fillers in the public OSS prep stack: oss-security-scan owns credentials + CVEs + spelling; textleaks owns narrative content; oss-twin owns structural separation between public + private repos.\n\n## Use\n\n```yaml\n# .github/workflows/security-scan.yml in your repo\nname: security-scan\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n  schedule:\n    - cron: '0 9 * * 0'        # Sunday 09:00 UTC: full OSV-Scanner sweep\n\npermissions:\n  contents: read\n  actions: read\n  security-events: write\n\njobs:\n  scan:\n    uses: creatornader/oss-security-scan/.github/workflows/oss-security-scan.yml@v0.1.0\n    with:\n      gitleaks-version: '8.30.1'\n      gitleaks-config: '.gitleaks.toml'\n      run-osv-scanner: ${{ github.event_name == 'schedule' }}\n```\n\nThat's it. The reusable workflow runs the four tools in parallel jobs.\n\n## Inputs\n\n| Input | Type | Default | Description |\n|---|---|---|---|\n| `gitleaks-version` | string | `8.30.1` | gitleaks version to install |\n| `gitleaks-config` | string | `.gitleaks.toml` | Path to gitleaks config (relative to repo root). If absent, gitleaks runs with built-in defaults. |\n| `typos-version` | string | `v1.46.1` | crate-ci/typos action version tag |\n| `trufflehog-extra-args` | string | `--results=verified,unknown` | Extra args for trufflehog |\n| `run-typos` | boolean | `true` | Run typos |\n| `run-gitleaks` | boolean | `true` | Run gitleaks |\n| `run-trufflehog` | boolean | `true` | Run trufflehog |\n| `run-osv-scanner` | boolean | `false` | Run OSV-Scanner (set to schedule-only for cost) |\n\n## Why direct osv-scanner install instead of `google/osv-scanner-action`\n\nThe upstream `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.8` runs the scan inside a Docker image (`ghcr.io/google/osv-scanner-action:v2.3.8`) that bundles Go 1.26.2 with `GOTOOLCHAIN=local` hardcoded. Any caller whose `go.mod` requires a Go version newer than 1.26.2 hits a `govulncheck: loading packages: err: go: go.mod requires go \u003e= X (running go 1.26.2; GOTOOLCHAIN=local)` error and the scan fails before producing meaningful output (observed in atrib-log-pp-cli on 2026-05-24 after a dep-group bump forced `go 1.26.3`).\n\nInlining the scanner — `actions/setup-go` from the caller's `go.mod` (or `stable` when none exists), then `go install github.com/google/osv-scanner/v2/cmd/osv-scanner@\u003cpinned\u003e` with `GOTOOLCHAIN=auto` — solves it: govulncheck can transparently fetch whatever toolchain the caller requires. Trade-offs: we lose the upstream container's preinstalled binary (adds ~20s setup time per scheduled run) and the call-style is now a job composition instead of a single `uses:`. Both are acceptable for the ability to scan repos that are ahead of the upstream container's bundled Go.\n\n## Why direct gitleaks install instead of `gitleaks-action@v2`\n\nTwo reasons documented inline in the workflow:\n\n1. **Allowlist semantics**: gitleaks-action's bundled binary (8.24.3 as of 2026-05) does not honor `[[allowlists]]` config correctly. 8.30+ fixes it.\n2. **Force-push resilience**: gitleaks-action's push-event mode scans `BEFORE^..HEAD` where `BEFORE = github.event.before`. After a force-push that rewrites history, `BEFORE` points to an orphaned commit and the scan fails with \"unknown revision.\" Direct full-tree invocation does not have this problem.\n\n## Examples\n\n- [`examples/minimal.yml`](examples/minimal.yml): bare-minimum caller workflow (defaults for everything)\n- [`examples/full.yml`](examples/full.yml): all inputs surfaced\n- [`examples/full-stack-starter/`](examples/full-stack-starter/): copy-paste starter for the full 3-tool stack (oss-security-scan + textleaks + oss-twin together)\n\n## Full-stack wire-up\n\noss-security-scan is one layer of a three-tool stack. For a new public OSS repo, the typical wire-up uses all three:\n\n| Tool | Concern | File(s) |\n|---|---|---|\n| [**textleaks**](https://github.com/creatornader/textleaks) | Narrative-leak detection (prose patterns, codenames) | `textleaks.yaml` (pin via `.pre-commit-config.yaml`) |\n| [**oss-twin**](https://github.com/creatornader/oss-twin) | Structural mirror gate (no private path in public tree) | `.oss-twin.yaml` (pin via `.pre-commit-config.yaml`) |\n| **oss-security-scan** (this tool) | typos + gitleaks + trufflehog + osv-scanner in CI | `.github/workflows/security-scan.yml` (calls this reusable workflow) |\n\nCopy [`examples/full-stack-starter/`](examples/full-stack-starter/) into a fresh repo, edit the codename list in `textleaks.yaml`, edit the private paths in `.oss-twin.yaml`, and you have the full stack wired in ~5 minutes.\n\n## Versioning\n\nTags are SemVer. Pin to a major (`@v0.1.0` until v1, then `@v1`) for stability. Floating to `@main` is supported but not recommended for production repos.\n\n## Roadmap\n\nv0.1.0 is the initial extraction from a production workflow that has been running across multiple repos. Planned:\n\n- **v0.2**: optional Vale prose lint job\n- **v0.2**: optional [textleaks](https://github.com/creatornader/textleaks) job (narrative-leak detection)\n- **v0.2**: matrix support for multi-OS gitleaks (windows/macOS runners for cross-platform projects)\n\n## License\n\nApache 2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcreatornader%2Foss-security-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcreatornader%2Foss-security-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcreatornader%2Foss-security-scan/lists"}