Run ScanCode.io pipelines from your Workflows.
Important
The scancode-action is currently in the beta stage, and we invite you to contribute to its improvement. Please feel free to submit bug reports or share your ideas by creating new entries in the "Issues" section. Your collaboration helps us enhance the action and ensures a more stable and effective tool for the community. Thank you for your support!
```yaml
steps:
  - uses: actions/checkout@v4
    with:
      path: scancode-inputs
  - uses: aboutcode-org/scancode-action@beta
    with:
      pipelines: "scan_codebase"
      output-formats: "json xlsx spdx cyclonedx"
```
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    # Names of the pipelines (comma-separated) and in order.
    # Default is 'scan_codebase'
    pipelines:

    # The list of output formats to generate.
    # Default is 'json xlsx spdx cyclonedx'
    output-formats:

    # Relative path within the $GITHUB_WORKSPACE for pipeline inputs.
    # Default is 'scancode-inputs'
    inputs-path:

    # Provide one or more URLs to download for the pipeline run execution
    input-urls:

    # Name of the project.
    # Default is 'scancode-action'
    project-name:

    # Name of the outputs archive.
    # Default is 'scancode-outputs'
    outputs-archive-name:

    # Check for compliance issues in the project.
    # Exits with a non-zero status if compliance issues are detected.
    # Default is false
    check-compliance:

    # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
    # Default is 'ERROR'
    compliance-fail-level:

    # Python version that will be installed to run ScanCode.io
    # Default is '3.12'
    python-version:
```
See https://github.com/aboutcode-org/scancode-action/tree/main/.github/workflows for Workflows examples.
```yaml
steps:
  - uses: actions/checkout@v4
    with:
      path: scancode-inputs
  - uses: aboutcode-org/scancode-action@beta
```
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    pipelines: "scan_codebase"
```
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    pipelines: "scan_codebase,find_vulnerabilities"
  env:
    VULNERABLECODE_URL: https://public.vulnerablecode.io/
```
The find_vulnerabilities pipeline requires access to a VulnerableCode instance, which is configured through the VULNERABLECODE_URL environment variable.
The example above references the public instance, but you can also run your own VulnerableCode instance. For details on setting up and configuring your own instance, refer to the VulnerableCode documentation.
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    output-formats: "json xlsx spdx cyclonedx"
```
Note
To specify a CycloneDX spec version (defaults to the latest), use the syntax cyclonedx:VERSION as the format value. For example: cyclonedx:1.5.
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    pipelines: "map_deploy_to_develop"
    input-urls:
      https://domain.url/source.zip#from
      https://domain.url/binaries.zip#to
```
```yaml
- name: Download repository archive to scancode-inputs/ directory
  run: |
    wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
- uses: aboutcode-org/scancode-action@beta
  with:
    pipelines: "scan_single_package"
```
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    check-compliance: true
    compliance-fail-level: "WARNING"
```
Note
This feature requires Project policies to be provided. For details on defining and configuring policies, refer to the ScanCode.io Policies documentation.
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    project-name: "my-project-name"
```
```yaml
- uses: aboutcode-org/scancode-action@beta
  with:
    scancodeio-repo-branch: "main"
```
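The snippets above each show one input in isolation. The following complete workflow file is an added example (not part of the scancode-action project) that combines them: it scans the repository on every push to main and on pull requests, queries the public VulnerableCode instance, pins the CycloneDX version, and fails the job on WARNING-level compliance issues. The trigger branches, the project-name and outputs-archive-name expressions, and the presence of Project policies (set up as described in the ScanCode.io Policies documentation) are assumptions.

```yaml
# Added example workflow, not from the scancode-action project.
name: ScanCode.io scan

on:
  push:
    branches: [main]   # assumed default branch
  pull_request:

permissions:
  contents: read   # the action only needs to read the checked-out sources

jobs:
  scancode:
    runs-on: ubuntu-latest
    steps:
      # Check out into the default inputs path so no inputs-path override is needed.
      - uses: actions/checkout@v4
        with:
          path: scancode-inputs

      - uses: aboutcode-org/scancode-action@beta
        with:
          # Run the code scan first, then look up the discovered packages in VulnerableCode.
          pipelines: "scan_codebase,find_vulnerabilities"
          # Pin the CycloneDX spec version using the cyclonedx:VERSION syntax.
          output-formats: "json spdx cyclonedx:1.5"
          # Assumed naming: derive the project and archive names from the run context.
          project-name: "${{ github.event.repository.name }}"
          outputs-archive-name: "scancode-outputs-${{ github.sha }}"
          # Fail the job on WARNING-level (and above) policy violations;
          # this assumes Project policies are provided with the inputs.
          check-compliance: true
          compliance-fail-level: "WARNING"
        env:
          VULNERABLECODE_URL: https://public.vulnerablecode.io/
```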
Upon completion of the workflow, you can find the scan results in the dedicated artifacts section at the bottom of the workflow summary page. Look for a file named scancode-outputs in that section. This file contains the outputs generated by the scancode-action.