From 9761600fad5d8c9d5b9995a9192c18809b450c86 Mon Sep 17 00:00:00 2001
From: Val Redchenko
Date: Fri, 30 Jan 2026 18:57:40 +0000
Subject: [PATCH] feat: add OSV vulnerability scanner

- Daily scheduled scans at 03:00 UTC
- PR scans for changed dependencies only
- Findings uploaded to GitHub Security tab
- Added badge and docs to README
---
 .github/workflows/osv-scanner.yml | 26 ++++++++++++++++++++++++++
 README.md | 24 ++++++++++++++++++++++++
 osv-scanner.toml | 2 ++
 3 files changed, 52 insertions(+)
 create mode 100644 .github/workflows/osv-scanner.yml
 create mode 100644 osv-scanner.toml

diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..f4e40ca
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,26 @@
+name: OSV Scanner
+
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  scan-pr:
+    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name == 'merge_group'
+    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
+
+  scan-scheduled:
+    if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
diff --git a/README.md b/README.md
index 86272f3..6dc329c 100644
--- a/README.md
+++ b/README.md
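Review bot: Both `uses:` lines in the `jobs:` block pin the called reusable workflows to the tag `@v2.3.2`, and a tag is mutable, so the scanner that decides what lands in the Security tab is only as trustworthy as whoever can move that tag in `google/osv-scanner-action`. Pin each to the full commit SHA the tag currently resolves to and keep the version as a trailing comment for Dependabot/Renovate, e.g. `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@<commit-sha-of-v2.3.2> # v2.3.2`, and likewise for `osv-scanner-reusable.yml`. Separately, the workflow-level `permissions:` block is what lets the called workflows upload SARIF (`security-events: write`), but on `pull_request` runs coming from a fork the `GITHUB_TOKEN` is read-only regardless of this block, so the `scan-pr` job may fail at upload time for fork PRs; worth confirming against the reusable workflow's inputs before relying on the "findings uploaded to GitHub Security tab" line in the commit message for external contributions.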
@@ -1,5 +1,7 @@
 # ARIA Metadata Management Plugin Library
+[![OSV Scanner](https://github.com/FragmentScreen/ddapi-record-logs/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/FragmentScreen/ddapi-record-logs/actions/workflows/osv-scanner.yml)
+
 This is a stub plugin library for the **ARIA metadata management service**, specifically designed for handling LOGS metadata.
 For more information, visit: https://gitlab.com/aria-php/data-deposition-api
@@ -8,3 +10,25 @@ For more information, visit: https://gitlab.com/aria-php/data-deposition-api
 This stub plugin provides a foundation for integrating LOGS metadata handling with the ARIA metadata management system.
+## Security Scanning
+
+This repo uses [OSV Scanner](https://github.com/google/osv-scanner) for vulnerability detection.
+
+**When it runs:**
+- Daily at 03:00 UTC (full scan)
+- On PRs targeting main (changed deps only)
+- On push to main (full scan)
+
+**If vulnerabilities are found:**
+1. Check the [Security tab](../../security) for alerts
+2. To ignore false positives, add entries to `osv-scanner.toml`:
+   ```toml
+   [[IgnoredVulns]]
+   id = "GHSA-xxxx-xxxx-xxxx"
+   reason = "Justification"
+   ```
+
+**References:**
+- [OSV Scanner docs](https://google.github.io/osv-scanner/)
+- [GitHub Action](https://github.com/google/osv-scanner-action)
+- [OSV Database](https://osv.dev/)
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..bfca2dd
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,2 @@
+# OSV Scanner configuration
+# https://google.github.io/osv-scanner/configuration/
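Review bot: The new `osv-scanner.toml` holds only a link comment, while the README in this same commit tells contributors to add `[[IgnoredVulns]]` entries here with just `id` and `reason`, and a suppression written that way never expires, so a "temporary" false-positive ignore silently becomes permanent. A commented-out example in this file showing the three-field shape — `id`, `ignoreUntil = <YYYY-MM-DD>` and `reason` — would make time-boxed suppressions the default a contributor copies, and a one-line comment asking that each entry name the affected package and why the finding does not apply here would give reviewers something to check against. The README example could then be brought into line with it in a follow-up.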