From 9ecbc1fc39e36edeffcd0040a5f7e88dda9a3711 Mon Sep 17 00:00:00 2001
From: Val Redchenko
Date: Wed, 28 Jan 2026 12:54:45 +0000
Subject: [PATCH] fix: pass explicit config path to OSV scanner workflow OSV scanner looks for config files relative to lockfile location (webui/package-lock.json), not the repo root. Since osv-scanner.toml was moved to repo root in PR #145, the ignore rules weren't being found. Add --config flag via scan-args to explicitly point to the config file at repository root.
---
 .github/workflows/osv-scanner.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 4e9dc3f..040e2b4 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -20,7 +20,11 @@ jobs:
 scan-pr:
 if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name == 'merge_group'
 uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2
+ with:
+ scan-args: '--config ./osv-scanner.toml -r ./'
 scan-scheduled:
 if: github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
 uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
+ with:
+ scan-args: '--config ./osv-scanner.toml -r ./'
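Review bot: Both added `scan-args` values are single-line strings with space-separated arguments, whereas the upstream osv-scanner-action examples, as far as I recall, give `scan-args` as a block scalar with one argument per line and split it on newlines. If that holds for v2.3.2, the whole string would reach the scanner as a single argument and the root config would still not be applied. I would write it as `scan-args: |-` followed by `--config=./osv-scanner.toml`, `-r` and `./` each on its own line, in both `scan-pr` and `scan-scheduled`. Because this file decides which findings are suppressed, it is worth confirming in a run log that the scanner reports loading the root `osv-scanner.toml`, so that a silently ignored config or an over-broad ignore list gets noticed. A comment above each `with:` such as `# config lives at the repo root; the scanner otherwise looks next to each lockfile` would record why the flag is needed.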