
feat(python-sbom): add OSV-Scanner SBOM-ingest gate + nightly schedule (#152)#179

Merged: williaby merged 3 commits into main from claude/sbom-osv-ingest-152 on May 26, 2026

Conversation

@williaby (Collaborator)

Summary

Salvages two pieces of work from orphan branch claude/sbom-cve-scanning-rWh7I (commit df2cf51, never opened as a PR) that are not in main:

  1. scan-runtime-osv job in python-sbom.yml: OSV-Scanner consumes the shared sbom-runtime.json artifact in parallel with Trivy and Grype. Same workflow, three scanners, one SBOM resolver pass. Reuses the OSV-Scanner SHA already pinned in python-security-analysis.yml (9a498708... v2.3.8), so no new dependency surface. New SARIF category osv-sbom-runtime-deps.
  2. sbom-nightly.yml: org-level nightly workflow (02:17 UTC + workflow_dispatch) that calls python-sbom.yml via same-repo relative path. Skips cleanly in .github (no pyproject.toml); serves as reference pattern for downstream repos.

Relationship to #152

#152's acceptance criteria cover the Trivy to Grype migration, which shipped in PR #169 (parallel-run mode). This PR layers OSV-Scanner on top as a complementary fast keyless gate. This is scope-expansion beyond #152's stated AC. If the maintainer prefers, this can split into its own tracking issue before merge.

Behavior change to flag

The new run-osv workflow input defaults to true, which makes OSV-Scanner gating by default for every fleet repo that calls python-sbom.yml on its next run. If that default is too aggressive for a soft launch, flip to false and have a follow-up enable per repo.

Provenance

Cherry-picked from origin/claude/sbom-cve-scanning-rWh7I@df2cf51 onto a clean branch from origin/main. The orphan branch will be deleted after this PR lands.

Test plan

  • Confirm osv-sbom-runtime-deps category appears in Security > Code scanning alerts on first PR run
  • Confirm Trivy, Grype, OSV-Scanner all run in parallel (no serial blocking)
  • sbom-nightly.yml skips cleanly in .github repo (no pyproject.toml)
  • At least one Python fleet repo passes a workflow_dispatch test against this branch via uses: override
  • Verify the run-osv: false opt-out path still leaves Trivy and Grype gating intact

Generated with Claude Code
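As an added illustration of the shape described in the summary (this is example code written for this page, not the repository's actual python-sbom.yml, which is not shown here): a reusable workflow with a run-osv boolean input defaulting to true, a scan-runtime-osv job that consumes the shared SBOM artifact and depends only on the SBOM build job so it runs alongside Trivy and Grype rather than after them, and a SARIF upload under its own category. The action SHAs are placeholders, and the artifact name, the detect gate job, and the osv-scanner invocation are assumptions; the --sbom flag is taken from the PR text and should be checked against the pinned scanner version before use.

```yaml
# Illustrative excerpt only, not the repository's python-sbom.yml.
# Assumptions: action SHAs are placeholders; the artifact name "sbom-runtime",
# the "detect" gate job and the exact osv-scanner arguments are invented here.
name: python-sbom

on:
  workflow_call:
    inputs:
      run-osv:
        description: "Gate on OSV-Scanner findings from the runtime SBOM"
        type: boolean
        required: false
        default: true        # the behavior change flagged in the PR: gating on by default

permissions:
  contents: read
  security-events: write     # required by upload-sarif

jobs:
  detect:
    # Skip cleanly in repos with no pyproject.toml (e.g. the org .github repo).
    runs-on: ubuntu-latest
    outputs:
      has-pyproject: ${{ steps.check.outputs.present }}
    steps:
      - uses: actions/checkout@<pinned-sha>
      - id: check
        run: |
          if [ -f pyproject.toml ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
          fi

  build-sbom:
    needs: detect
    if: needs.detect.outputs.has-pyproject == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>
      # ... one resolver pass that writes sbom-runtime.json (elided) ...
      - uses: actions/upload-artifact@<pinned-sha>
        with:
          name: sbom-runtime
          path: sbom-runtime.json

  # scan-runtime-trivy and scan-runtime-grype would sit here with the same
  # `needs: build-sbom`, which is what lets all three scanners run in parallel.

  scan-runtime-osv:
    needs: build-sbom
    # No status function in the expression, so success() is implied: a skipped
    # or failed build-sbom skips this job too; run-osv=false skips it explicitly.
    if: inputs.run-osv
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<pinned-sha>
        with:
          name: sbom-runtime
      - name: Scan the shared SBOM with OSV-Scanner
        # Pin by commit SHA and reuse a SHA already pinned elsewhere in the
        # repo so no new dependency surface is introduced.
        uses: google/osv-scanner-action/osv-scanner-action@<pinned-sha>
        with:
          # --sbom ingests the existing SBOM instead of resolving again (per the PR text).
          # A non-zero exit on findings is what makes this job a gate.
          scan-args: |-
            --format=sarif
            --output=results.sarif
            --sbom=sbom-runtime.json
      - uses: github/codeql-action/upload-sarif@<pinned-sha>
        if: always()          # upload findings even when the scan step failed the gate
        with:
          sarif_file: results.sarif
          # One category per scanner: an upload replaces earlier results for the
          # same category, so a shared category would let the scanners overwrite each other.
          category: osv-sbom-runtime-deps
```

The gate semantics worth checking in review are the two `if:` conditions: the job-level `inputs.run-osv` is how a caller opts out, and the implicit `success()` is what keeps the OSV job from running against a missing artifact when the SBOM build was skipped.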

… follow-up)

Item 2: adds scan-runtime-osv job to python-sbom.yml that ingests the shared
SBOM artifact via --sbom flag (no second resolver pass). Runs in parallel with
Trivy and Grype; gating by default, controlled by new run-osv boolean input.
Emits SARIF to the Security tab under category osv-sbom-runtime-deps. Reuses
the same google/osv-scanner-action SHA already pinned in python-security-analysis.yml.

Item 3: adds sbom-nightly.yml org-level workflow with a daily schedule trigger
(02:17 UTC) and workflow_dispatch. Calls python-sbom.yml via same-repo relative
path so the nightly run exercises the full pipeline. Skips cleanly in .github
repo (no pyproject.toml); serves as reference pattern for downstream repos that
need nightly CVE database coverage between PR builds.

https://claude.ai/code/session_01JLmscfrMv91Qn8HMNM85Dk
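The org-level nightly caller, as an added example for this page (not the repository's sbom-nightly.yml): a cron at 02:17 UTC plus workflow_dispatch, invoking the reusable workflow by same-repo relative path so the nightly run exercises the whole pipeline. The workflow_dispatch input, the `<org>` placeholder and the pinned ref are assumptions.

```yaml
# Illustrative caller only, not the repository's sbom-nightly.yml.
# Assumptions: the workflow_dispatch input below, <org> and <pinned-ref>.
name: sbom-nightly

on:
  schedule:
    # 02:17 UTC daily. Off-the-hour minutes avoid the queue spike at :00, and a
    # nightly run picks up vulnerability database updates between PR builds.
    - cron: "17 2 * * *"
  workflow_dispatch:
    inputs:
      run-osv:
        description: "Also gate on OSV-Scanner (untick to exercise the opt-out path)"
        type: boolean
        default: true

permissions:
  contents: read
  security-events: write   # the called workflow cannot exceed the caller's permissions

jobs:
  sbom:
    # Same-repo relative path: the nightly runs the workflow version checked in
    # on the branch it was triggered from (the default branch for cron).
    # A downstream repo would reference the org copy instead:
    #   uses: <org>/.github/.github/workflows/python-sbom.yml@<pinned-ref>
    uses: ./.github/workflows/python-sbom.yml
    with:
      # The scheduled run has no inputs, so force true there; a manual dispatch
      # passes its own choice through unchanged.
      run-osv: ${{ github.event_name == 'schedule' || inputs.run-osv }}
    secrets: inherit
```

Dispatching this workflow with run-osv unticked is the manual version of the opt-out check in the test plan: the OSV job is skipped while the Trivy and Grype jobs, which do not read that input, still run and still gate.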
@coderabbitai (Bot) commented May 26, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 22 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 40d3ce80-bb64-4d74-96e0-8185d4f34012

📥 Commits

Reviewing files that changed from the base of the PR and between 3065983 and e534a36.

📒 Files selected for processing (4)
  • .github/workflows/python-sbom.yml
  • .github/workflows/sbom-nightly.yml
  • CHANGELOG.md
  • workflow-templates/python-sbom.yml

…update

Two gaps surfaced during PR completeness audit:

1. CHANGELOG.md - the `[Unreleased]` section already documented the Grype
   addition (PR #169) but had no entry for the OSV-Scanner SBOM-ingest gate
   added in the parent cherry-pick. Adds an Unreleased > Added entry that
   mirrors the Grype precedent: input contract, gating semantics, SARIF
   category, no-new-third-party-surface note, and caller back-compat statement.
   Also documents `sbom-nightly.yml` as the org-level nightly reference
   pattern downstream repos can paste into their own caller workflows.

2. workflow-templates/python-sbom.yml - the template that gets copied into
   new repos via the GitHub Actions UI template picker. Its header comment
   still said "Scans for vulnerabilities with Trivy" - outdated since PR #169
   (Grype) and now this PR (OSV-Scanner). Updates the header to enumerate
   all three scanners and adds an "Optional toggles" block surfacing
   `run-osv` and `grype-config-path` so downstream adopters discover them
   without spelunking the reusable workflow definition.

No behavior change. CHANGELOG and header text only.
@williaby williaby marked this pull request as ready for review May 26, 2026 22:04
Copilot AI review requested due to automatic review settings May 26, 2026 22:04
@williaby williaby enabled auto-merge (squash) May 26, 2026 22:04
@williaby williaby merged commit d7a5f16 into main May 26, 2026
22 of 23 checks passed
@williaby williaby deleted the claude/sbom-osv-ingest-152 branch May 26, 2026 22:04
@sonarqubecloud
@williaby williaby review requested due to automatic review settings May 26, 2026 22:27