From aa24504213d565a9bbfcede9da9fc55a0586dc48 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 21 Feb 2025 14:10:24 -1000
Subject: [PATCH 01/10] Add a "Check compliance" step and related options #12

Signed-off-by: tdruez
---
 .github/workflows/find-vulnerabilities.yml | 15 ++++++++++++++
 .github/workflows/scan-codebase.yml | 9 ++++----
 README.md | 11 ++++++++++
 action.yml | 24 ++++++++++++++++++----
 4 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/find-vulnerabilities.yml

diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
new file mode 100644
index 0000000..f8af2f3
--- /dev/null
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-22.04
+    name: Scan codebase with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "scan_codebase,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/
diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index f8af2f3..591d661
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -2,14 +2,13 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Scan codebase with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Scan codebase and check for compliance issues
     steps:
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
       - uses: nexB/scancode-action@alpha
         with:
-          pipelines: "scan_codebase,find_vulnerabilities"
-        env:
-          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+          pipelines: "scan_codebase"
+          check-compliance: true
diff --git a/README.md b/README.md
index 6935302..3ce2a38 100644
--- a/README.md
+++ b/README.md
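Review bot: Both `uses: actions/checkout@v4` and `uses: nexB/scancode-action@alpha` in the new find-vulnerabilities.yml reference mutable tags or branches, so the code that checks out and then scans the repository can change underneath this workflow without any edit to the file; for a security-scanning workflow that is worth pinning to a full commit SHA with the human-readable ref kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The workflow also declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository is configured with, although nothing visible here needs more than read access; a job-level `permissions:` with `contents: read` would bound that. Finally, `VULNERABLECODE_URL: https://public.vulnerablecode.io/` points the `find_vulnerabilities` pipeline at a public service, which presumably means package identifiers discovered in the scanned tree leave the runner; a one-line comment above `env:` saying so would let users of this example judge whether that is acceptable for private repositories.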
@@ -67,6 +67,15 @@ steps:
     # Default is 'scancode-outputs'
     outputs-archive-name:
 
+    # Check for compliance issues in the project.
+    # Exits with a non-zero status if compliance issues are detected.
+    # Default is false
+    check-compliance:
+
+    # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
+    # Default is 'ERROR'
+    compliance-fail-level:
+
     # Python version that will be installed to run ScanCode.io
     # Default is '3.11'
     python-version:
@@ -79,6 +88,8 @@ Workflows examples.
 
 ### Scan repo codebase
 
+TODO: Why, file only!
+
 ```yaml
 steps:
   - uses: actions/checkout@v4
diff --git a/action.yml b/action.yml
index 929e678..afe0d5a 100644
--- a/action.yml
+++ b/action.yml
@@ -11,17 +11,25 @@ inputs:
     description: "Relative path within the $GITHUB_WORKSPACE for pipeline inputs"
     default: "${{ github.workspace }}/scancode-inputs"
   input-urls:
-    description: 'Provide one or more URLs to download for the pipeline run execution'
+    description: "Provide one or more URLs to download for the pipeline run execution."
     required: false
     default: ""
   project-name:
-    description: "Name of the project"
+    description: "Name of the project."
     default: "scancode-action"
   outputs-archive-name:
-    description: "Name of the outputs archive"
+    description: "Name of the outputs archive."
     default: "scancode-outputs"
+  check-compliance:
+    description: |
+      Check for compliance issues in the project.
+      Exits with a non-zero status if compliance issues are detected.
+  compliance-fail-level:
+    description: "Failure level for compliance check. Options: ERROR, WARNING, MISSING."
+    default: "ERROR"
+    required: false
   python-version:
-    description: "Python version"
+    description: "Python version."
     default: "3.11"
 
 runs:
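Review bot: `check-compliance` is the only input in this action.yml hunk declared with neither a `default:` nor a `required:` line, unlike `input-urls`, `project-name` and the neighbouring `compliance-fail-level`, so the opt-in behaviour its description promises rests on an unset input presumably evaluating to an empty string in the step guard `inputs.check-compliance == 'true'`; adding `default: "false"` and `required: false` makes that explicit and matches the README text "Default is false" in the same patch. `compliance-fail-level` documents `ERROR, WARNING, MISSING` as the options, but nothing in the action checks the value before it is forwarded to `scanpipe check-compliance`; if rejecting bad values is deliberately left to `scanpipe`, say so with `# Accepted values are validated by scanpipe, not by this action.` It would also help to state in the `check-compliance` description that the check needs project policies to be configured, which the README added later in this series says but the Marketplace-facing input text does not. The `inputs:` mapping starts before this hunk.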
@@ -107,6 +115,14 @@ runs:
         --format ${{ inputs.output-formats }}
         --no-color
 
+    - name: Check compliance
+      if: inputs.check-compliance == 'true'
+      shell: bash
+      run: scanpipe check-compliance
+        --project ${{ inputs.project-name }}
+        --fail-level ${{ inputs.compliance-fail-level }}
+        --no-color
+
     - name: Upload outputs
       uses: actions/upload-artifact@v4
       id: artifact-upload-step

From 49dbc02fb8853100f9de710291eecd4ab6509d9f Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 21 Feb 2025 14:18:57 -1000
Subject: [PATCH 02/10] Set a compliance-fail-level value in workflow examples #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 1 +
 action.yml | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index 591d661..205dbd2 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -12,3 +12,4 @@ jobs:
         with:
           pipelines: "scan_codebase"
           check-compliance: true
+          compliance-fail-level: "WARNING"
diff --git a/action.yml b/action.yml
index afe0d5a..b009917 100644
--- a/action.yml
+++ b/action.yml
@@ -59,7 +59,7 @@ runs:
       shell: bash
       run: |
         pip install --upgrade scancodeio
-        scanpipe migrate
+        scanpipe migrate --verbosity 0
 
     - name: Generate `--pipeline` CLI arguments
       shell: bash
@@ -112,8 +112,7 @@ runs:
       shell: bash
       run: scanpipe output
         --project ${{ inputs.project-name }}
-        --format ${{ inputs.output-formats }}
-        --no-color
+        --format ${{ inputs.output-formats }}
 
     - name: Check compliance
       if: inputs.check-compliance == 'true'
@@ -121,7 +120,6 @@ runs:
       run: scanpipe check-compliance
         --project ${{ inputs.project-name }}
         --fail-level ${{ inputs.compliance-fail-level }}
-        --no-color
 
     - name: Upload outputs
       uses: actions/upload-artifact@v4

From 3a0aeacb36c3900d78817e0750e9f90a5ccc4279 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:10:11 +0400
Subject: [PATCH 03/10] Run the action from current branch #12
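Review bot: `--project ${{ inputs.project-name }}` and `--fail-level ${{ inputs.compliance-fail-level }}` in the new "Check compliance" step are expanded by the Actions runner straight into the bash `run:` script, so any shell metacharacters in those inputs are interpreted by the shell instead of being passed as arguments; a caller that wires something like a pull-request title into `project-name` would turn it into command execution on the runner. The `scanpipe output` step just above uses the same pattern, so this is the file's existing convention, but the new step is the place to stop extending it: pass the inputs through `env:` and quote them in the script, where the runner treats them as opaque data. The enclosing `steps:` list starts before this hunk.
```yaml
    - name: Check compliance
      if: inputs.check-compliance == 'true'
      shell: bash
      env:
        PROJECT_NAME: ${{ inputs.project-name }}
        FAIL_LEVEL: ${{ inputs.compliance-fail-level }}
      run: scanpipe check-compliance
        --project "$PROJECT_NAME"
        --fail-level "$FAIL_LEVEL"
        --no-color
```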
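Review bot: `scanpipe migrate --verbosity 0` now runs directly after `pip install --upgrade scancodeio`, an unpinned install whose `--upgrade` flag forces whatever the newest PyPI release is at run time, so the tool doing the compliance and license analysis is itself assembled from a floating, unverified dependency set on every run; that install line is context here rather than changed by this patch, but it belongs to the step being edited. If a pinning mechanism exists elsewhere (the README table of contents in this series lists "Install ScanCode.io from a repository branch"), a comment such as `# Unpinned on purpose: track the latest ScanCode.io release` would make the choice visible; otherwise a version input driving `pip install "scancodeio==$VERSION"` is the fix. Suppressing `migrate` output with `--verbosity 0` also drops the list of applied migrations from the log, which is the first thing to look at when a later `scanpipe` command fails on a schema mismatch; consider keeping the default verbosity or noting in a comment why the output is silenced.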
Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index 205dbd2..bf16127 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -8,7 +8,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
-      - uses: nexB/scancode-action@alpha
+      - name: Run the action from current branch
+        uses: ./
         with:
           pipelines: "scan_codebase"
           check-compliance: true

From f298267f364fba7a8bace6d639e619cf2960ce8e Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:15:28 +0400
Subject: [PATCH 04/10] Run the action from current branch #12

Signed-off-by: tdruez
---
 .github/workflows/analyze-docker-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/analyze-docker-image.yml b/.github/workflows/analyze-docker-image.yml
index 9e92c8d..de44dc9 100644
--- a/.github/workflows/analyze-docker-image.yml
+++ b/.github/workflows/analyze-docker-image.yml
@@ -5,7 +5,7 @@ jobs:
     runs-on: ubuntu-22.04
     name: Analyze a Docker image with ScanCode.io
     steps:
-      - uses: nexB/scancode-action@alpha
+      - uses: ./ # Run the action from current branch
         with:
           pipelines: "analyze_docker_image"
           input-urls:

From 1e515090bc771fcc083eb5886d17aa0103b5d33a Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:17:08 +0400
Subject: [PATCH 05/10] DEBUG #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index bf16127..1bcb2f9 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -8,8 +8,14 @@ jobs:
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
+      - name: DEBUG
+        shell: bash
+        run: |
+          ls ./
+          ls ../
+          ls ../../
       - name: Run the action from current branch
-        uses: ./
+        uses: ../
         with:
           pipelines: "scan_codebase"
           check-compliance: true

From df0557e0bfc45964c53f34d6cf6f3cb585d6b360 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:18:50 +0400
Subject: [PATCH 06/10] DEBUG #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index 1bcb2f9..84004df 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -15,7 +15,7 @@ jobs:
           ls ../
           ls ../../
       - name: Run the action from current branch
-        uses: ../
+        uses: ./
         with:
           pipelines: "scan_codebase"
           check-compliance: true

From 83900465c752a1fc2afaa6a80b65cbcb7027c9b3 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:20:05 +0400
Subject: [PATCH 07/10] DEBUG #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index 84004df..2e9b4d1 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -11,11 +11,9 @@ jobs:
       - name: DEBUG
         shell: bash
         run: |
-          ls ./
-          ls ../
-          ls ../../
+          ls ./scancode-inputs
       - name: Run the action from current branch
-        uses: ./
+        uses: ./scancode-inputs
         with:
           pipelines: "scan_codebase"
           check-compliance: true

From 4a38d4b5514a06bb7067706a3483c4e1b2cad176 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:23:56 +0400
Subject: [PATCH 08/10] DEBUG #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index 2e9b4d1..fa01f17 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -6,15 +6,10 @@ jobs:
     name: Scan codebase and check for compliance issues
     steps:
       - uses: actions/checkout@v4
-        with:
-          path: scancode-inputs
-      - name: DEBUG
-        shell: bash
-        run: |
-          ls ./scancode-inputs
       - name: Run the action from current branch
-        uses: ./scancode-inputs
+        uses: ./action.yml
         with:
+          inputs-path: ./
           pipelines: "scan_codebase"
           check-compliance: true
           compliance-fail-level: "WARNING"

From 7ccccf70d21bc173d670f284c6d0ec1090f4b6e0 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:26:45 +0400
Subject: [PATCH 09/10] DEBUG #12

Signed-off-by: tdruez
---
 .github/workflows/analyze-docker-image.yml | 2 +-
 .github/workflows/scan-codebase.yml | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/analyze-docker-image.yml b/.github/workflows/analyze-docker-image.yml
index de44dc9..9e92c8d 100644
--- a/.github/workflows/analyze-docker-image.yml
+++ b/.github/workflows/analyze-docker-image.yml
@@ -5,7 +5,7 @@ jobs:
     runs-on: ubuntu-22.04
     name: Analyze a Docker image with ScanCode.io
     steps:
-      - uses: ./ # Run the action from current branch
+      - uses: nexB/scancode-action@alpha
         with:
           pipelines: "analyze_docker_image"
           input-urls:
diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index fa01f17..b303d69 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -6,10 +6,11 @@ jobs:
     name: Scan codebase and check for compliance issues
     steps:
       - uses: actions/checkout@v4
-      - name: Run the action from current branch
-        uses: ./action.yml
         with:
-          inputs-path: ./
+          path: scancode-inputs
+      - name: Run scancode-action from current branch
+        uses: ./scancode-inputs/action.yml
+        with:
           pipelines: "scan_codebase"
           check-compliance: true
           compliance-fail-level: "WARNING"
From e9b464a317744a150b7b32f8fbf7037cc231a347 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Wed, 11 Jun 2025 18:37:26 +0400
Subject: [PATCH 10/10] Add documentation #12

Signed-off-by: tdruez
---
 .github/workflows/scan-codebase.yml | 2 +-
 README.md | 17 +++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scan-codebase.yml b/.github/workflows/scan-codebase.yml
index b303d69..0d436bb 100644
--- a/.github/workflows/scan-codebase.yml
+++ b/.github/workflows/scan-codebase.yml
@@ -9,7 +9,7 @@ jobs:
         with:
           path: scancode-inputs
       - name: Run scancode-action from current branch
-        uses: ./scancode-inputs/action.yml
+        uses: ./scancode-inputs
         with:
           pipelines: "scan_codebase"
           check-compliance: true
diff --git a/README.md b/README.md
index e4744ca..5c5efdc 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ Workflows.
   - [Choose the output formats](#choose-the-output-formats)
   - [Provide download URLs inputs](#provide-download-urls-inputs)
   - [Fetch pipelines inputs](#fetch-pipelines-inputs)
+  - [Check for compliance issues](#check-for-compliance-issues)
   - [Define a custom project name](#define-a-custom-project-name)
   - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
   - [Where does the scan results go?](#where-does-the-scan-results-go)
@@ -89,8 +90,6 @@ Workflows examples.
 
 ### Scan repo codebase
 
-TODO: Why, file only!
-
 ```yaml
 steps:
   - uses: actions/checkout@v4
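Review bot: `uses: ./scancode-inputs` in the patched scan-codebase.yml relies on a coupling that nothing in the file explains: the checkout `path: scancode-inputs` two lines above is where the runner now reads the action's own `action.yml` from, and, per the `inputs-path` default `${{ github.workspace }}/scancode-inputs` declared in action.yml earlier in this series, it is also the tree the `scan_codebase` pipeline scans, so renaming the checkout path silently breaks the step in two ways. A comment on the step would save the next reader the detour the DEBUG commits in this series took, e.g. `# The checkout path doubles as the action source (scancode-inputs/action.yml) and as the default inputs-path that gets scanned.` The enclosing job definition starts before this hunk.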
@@ -163,6 +162,20 @@ For details on setting up and configuring your own instance, please refer to the
     pipelines: "scan_single_package"
 ```
 
+### Check for compliance issues
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    check-compliance: true
+    compliance-fail-level: "WARNING"
+```
+
+> [!NOTE]
+> This feature requires to provide Project policies.
+> For details on setting up and configuring your own instance, please refer to the
+> [ScanCode.io Policies documentation](https://scancodeio.readthedocs.io/en/latest/policies.html).
+
 ### Define a custom project name
 
 ```yaml