Skip to content

chore(deps): Bump google/osv-scanner-action from 1.9.2 to 2.3.8#203

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/google/osv-scanner-action-2.3.8
Open

chore(deps): Bump google/osv-scanner-action from 1.9.2 to 2.3.8#203
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/google/osv-scanner-action-2.3.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 17, 2026

Copy link
Copy Markdown

Bumps google/osv-scanner-action from 1.9.2 to 2.3.8.

Release notes

Sourced from google/osv-scanner-action's releases.

v2.3.8

What's Changed

This updates OSV-Scanner to v2.3.8.

Full Changelog: google/osv-scanner-action@v2.3.5...v2.3.8

v2.3.5

This updates OSV-Scanner to v2.3.5.

What's Changed

New Contributors

Full Changelog: google/osv-scanner-action@v2.3.3...v2.3.5

v2.3.3

This updates OSV-Scanner to v2.3.3.

What's Changed

New Contributors

Full Changelog: google/osv-scanner-action@v2.3.2...v2.3.3

v2.3.2

This updates OSV-Scanner to v2.3.2

This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in osv-scanner.json, and ignore entry tracking, along with documentation updates.

Fixes:

Misc:

... (truncated)

Commits
  • 9a49870 Update unified workflow example to point to v2.3.8 reusable workflows
  • 3adb4b1 Update reusable workflows to point to v2.3.8 actions
  • 8dc0919 "Update actions to use v2.3.8 osv-scanner image"
  • 43f380b Merge pull request #125 from google/update-to-v2.3.6
  • dcf4ddd Update unified workflow example to point to v2.3.6 reusable workflows
  • b9dbb7e Update reusable workflows to point to v2.3.6 actions
  • fe54858 "Update actions to use v2.3.6 osv-scanner image"
  • eb5b619 Merge pull request #100 from thomasleplus/main
  • 9517144 feat: output results in reusable workflow
  • f17cd09 Merge branch 'main' into main
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): Bump google/osv-scanner-action from 1.9.2 to 2.3.8
463b90b 
Bumps [google/osv-scanner-action](https://github.com/google/osv-scanner-action) from 1.9.2 to 2.3.8.
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](google/osv-scanner-action@v1.9.2...v2.3.8)

---
updated-dependencies:
- dependency-name: google/osv-scanner-action
  dependency-version: 2.3.8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added deps Dependency updates deps:ci labels May 17, 2026
@dependabot dependabot Bot requested a review from 0800tim as a code owner May 17, 2026 20:05
@dependabot dependabot Bot added deps Dependency updates deps:ci labels May 17, 2026
@github-actions

github-actions Bot commented May 17, 2026

Copy link
Copy Markdown

DRY-RUN — this verdict is informational; CI is not blocked.

Auto-triage: RED — security or codeowner review required

Risk score: 85/100

Metric Value
Files changed 2
Lines added 2
Lines removed 2
Apps touched none
New dependencies 1
New 3rd-party hosts 0

3 flags

  • HIGH classifier — Touches sensitive zone (2 paths)
    Sensitive paths changed: .github/workflows/pr-security.yml, .github/workflows/security-watchdog.yml
  • MEDIUM classifier — Modifies a GitHub Actions workflow
    Workflow changes can affect every future PR — confirm scope and that secrets/permissions are not widened.
  • LOW classifier — 1 new dependency
    - github-actions: google/osv-scanner-action/osv-scanner-action@v2.3.8

Labels applied: area:ci, auto-triage:red, ci, deps, security:sensitive-zone
Reviewers requested: @0800tim

Posted by @vtorn/pr-triage-bot. How this works: docs/security/01-pr-triage-process.md. Disagree with the verdict? Comment /triage override <reason> and a maintainer will re-review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0800tim 0800tim Awaiting requested review from 0800tim 0800tim is a code owner

Assignees

No one assigned

Labels

deps:ci deps Dependency updates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants