From e86aafaeda570c8e8b02fb69d58aca2d37d75e8d Mon Sep 17 00:00:00 2001
From: abhisek <abhisek.datta@gmail.com>
Date: Thu, 21 Nov 2024 20:18:24 +0530
Subject: [PATCH] ci: Integrate vet for scanning OSS components during PR

---
 .github/vet/policy.yml       | 25 +++++++++++++++++++++++++
 .github/workflows/vet-ci.yml | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 .github/vet/policy.yml
 create mode 100644 .github/workflows/vet-ci.yml

diff --git a/.github/vet/policy.yml b/.github/vet/policy.yml
new file mode 100644
index 000000000000..19e8c2ec28c3
--- /dev/null
+++ b/.github/vet/policy.yml
@@ -0,0 +1,25 @@
+name: Minimal OSS Security Policy
+description: |
+  This filter suite contains rules for implementing minimum
+  security guardrails against risky OSS components.
+tags:
+  - general
+  - vet
+  - oss-maintainers
+filters:
+  - name: critical-or-high-vulns
+    check_type: CheckTypeVulnerability
+    summary: Critical or high risk vulnerabilities were found
+    value: |
+      vulns.critical.exists(p, true) || vulns.high.exists(p, true)
+  - name: low-popularity
+    check_type: CheckTypePopularity
+    summary: Component popularity is low by Github stars count
+    value: |
+      projects.exists(p, (p.type == "GITHUB") && (p.stars < 10))
+  - name: osv-malware
+    check_type: CheckTypeMalware
+    summary: Malicious (malware) component detected
+    value: |
+      vulns.all.exists(v, v.id.startsWith("MAL-"))
+
diff --git a/.github/workflows/vet-ci.yml b/.github/workflows/vet-ci.yml
new file mode 100644
index 000000000000..dc9042ac376d
--- /dev/null
+++ b/.github/workflows/vet-ci.yml
@@ -0,0 +1,36 @@
+name: vet OSS Components
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  # Required for actions/checkout@v4
+  contents: read
+
+  # Required for writing pull request comment
+  issues: write
+  pull-requests: write
+
+jobs:
+  vet:
+    name: vet
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Run vet
+        id: vet
+        uses: safedep/vet-action@v1
+        with:
+          policy: .github/vet/policy.yml
+        env:
+          # Required for writing pull request comment
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+