fix: pass explicit config path to OSV scanner workflow

vredchenko · vredchenko · commit 9ecbc1fc39e3 · 2026-01-28T12:54:45.000Z
OSV scanner looks for config files relative to lockfile location (webui/package-lock.json), not the repo root. Since osv-scanner.toml was moved to repo root in PR #145, the ignore rules weren't being found. Add --config flag via scan-args to explicitly point to the config file at repository root.
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -20,7 +20,11 @@ jobs:
   scan-pr:
     if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name == 'merge_group'
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
+    with:
+      scan-args: '--config ./osv-scanner.toml -r ./'
 
   scan-scheduled:
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
+    with:
+      scan-args: '--config ./osv-scanner.toml -r ./'
