From 513af3d8337184d6a2e492ae5ebe34d990ad2e70 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 26 Jun 2025 16:35:32 +0400
Subject: [PATCH 1/2] Add ability to enable --fail-on-vulnerabilities for check-compliance

Signed-off-by: tdruez
---
 .github/workflows/find-vulnerabilities.yml | 2 ++
 README.md | 22 ++++++++++++++++
 action.yml | 29 ++++++++++++++++------
 3 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
index 2c07f24..c4c07eb 100644
--- a/.github/workflows/find-vulnerabilities.yml
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -17,5 +17,7 @@ jobs:
       - uses: ./
         with:
           pipelines: "scan_codebase,find_vulnerabilities"
+          check-compliance: true
+          compliance-fail-on-vulnerabilities: true
         env:
           VULNERABLECODE_URL: https://public.vulnerablecode.io/
diff --git a/README.md b/README.md
index 940868e..15e4086 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,11 @@ steps:
       # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
       # Default is 'ERROR'
       compliance-fail-level:
+
+      # Exit with a non-zero status if known vulnerabilities are detected in discovered
+      # packages and dependencies.
+      # Default is false
+      compliance-fail-on-vulnerabilities:
 
       # Python version that will be installed to run ScanCode.io
       # Default is '3.12'
@@ -128,6 +133,23 @@ However, you also have the option to run your own VulnerableCode instance.
 For details on setting up and configuring your own instance, please refer to the
 [VulnerableCode documentation](https://vulnerablecode.readthedocs.io/en/latest/index.html).
 
+#### Fail on known vulnerabilities
+
+When enabled, the workflow will fail if any known vulnerabilities are found in the
+project's discovered packages or dependencies.
+Activate this behavior by enabling `check-compliance` and setting
+`compliance-fail-on-vulnerabilities` to true.
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    pipelines: "scan_codebase,find_vulnerabilities"
+    check-compliance: true
+    compliance-fail-on-vulnerabilities: true
+  env:
+    VULNERABLECODE_URL: https://public.vulnerablecode.io/
+```
+
 ### Choose the output formats
 
 ```yaml
diff --git a/action.yml b/action.yml
index 2cb2255..5c0e93b 100644
--- a/action.yml
+++ b/action.yml
@@ -24,10 +24,18 @@ inputs:
     description: |
       Check for compliance issues in the project.
       Exits with a non-zero status if compliance issues are detected.
+    required: false
+    default: "false"
   compliance-fail-level:
     description: "Failure level for compliance check. Options: ERROR, WARNING, MISSING."
+    required: false
     default: "ERROR"
+  compliance-fail-on-vulnerabilities:
+    description: |
+      Exit with a non-zero status if known vulnerabilities are detected in discovered
+      packages and dependencies.
     required: false
+    default: "false"
   python-version:
     description: "Python version."
     default: "3.12"
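Review bot: The new `compliance-fail-on-vulnerabilities` description does not say that the input only takes effect when `check-compliance` is also true, although the compliance step in `runs` is gated on that input and this flag is consumed inside it; a user who sets only this flag gets neither a failure nor a hint why. Extending the block scalar with `Only applies when check-compliance is true.` would close that gap in the place users read first, rather than only in the README. It would also help to state which pipeline must have run for vulnerability data to be present; the README example pairs the flag with `find_vulnerabilities`, but I cannot confirm the exact requirement from this diff, so that sentence should be checked against scanpipe before adding it.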
@@ -127,16 +135,23 @@ runs:
           --project ${{ inputs.project-name }}
           --format ${{ inputs.output-formats }}
 
-    - name: Check compliance
-      if: inputs.check-compliance == 'true'
-      shell: bash
-      run: scanpipe check-compliance
-        --project ${{ inputs.project-name }}
-        --fail-level ${{ inputs.compliance-fail-level }}
-
     - name: Upload outputs
       uses: actions/upload-artifact@v4
       id: artifact-upload-step
       with:
         name: ${{ inputs.outputs-archive-name }}
         path: ${{ env.PROJECT_WORK_DIRECTORY }}/output/*
+
+    - name: Check compliance
+      if: inputs.check-compliance == 'true'
+      shell: bash
+      run: |
+        cmd="scanpipe check-compliance \
+          --project ${{ inputs.project-name }} \
+          --fail-level ${{ inputs.compliance-fail-level }}"
+
+        if [[ "${{ inputs.compliance-fail-on-vulnerabilities }}" == "true" ]]; then
+          cmd="$cmd --fail-on-vulnerabilities"
+        fi
+
+        eval "$cmd"

From 37632ed75168295aa3c3acfe75fcd55c2a8cd154 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Thu, 26 Jun 2025 17:17:06 +0400
Subject: [PATCH 2/2] Use scancodeio repo "main" branch to ensure feature availability

Signed-off-by: tdruez
---
 .github/workflows/find-vulnerabilities.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
index c4c07eb..ec39fdc 100644
--- a/.github/workflows/find-vulnerabilities.yml
+++ b/.github/workflows/find-vulnerabilities.yml
@@ -17,6 +17,7 @@ jobs:
       - uses: ./
         with:
           pipelines: "scan_codebase,find_vulnerabilities"
+          scancodeio-repo-branch: "main"
           check-compliance: true
           compliance-fail-on-vulnerabilities: true
         env:
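Review bot: `eval "$cmd"` on the last added line re-parses a string that already holds the raw template expansions `${{ inputs.project-name }}` and `${{ inputs.compliance-fail-level }}`, so shell metacharacters in either input are interpreted twice, once when the runner substitutes them into the script and again by eval. The removed step already spliced `project-name` straight into `run:`, so the expression-injection exposure is not new to this commit, but eval widens it and is not needed: the conditional flag is the only reason for assembling a string, and a bash array expresses that without a second parse. Passing the three inputs through `env:` and quoting the variables keeps the values out of the script text entirely; the rewrite below does that and drops eval. Validating `$FAIL_LEVEL` against the documented `ERROR|WARNING|MISSING` set before the call would also surface typos early, though I cannot tell from this diff how scanpipe reacts to an unknown level.
```yaml
# … unchanged: Upload outputs step …
    - name: Check compliance
      if: inputs.check-compliance == 'true'
      shell: bash
      env:
        PROJECT_NAME: ${{ inputs.project-name }}
        FAIL_LEVEL: ${{ inputs.compliance-fail-level }}
        FAIL_ON_VULNERABILITIES: ${{ inputs.compliance-fail-on-vulnerabilities }}
      run: |
        args=(--project "$PROJECT_NAME" --fail-level "$FAIL_LEVEL")
        if [[ "$FAIL_ON_VULNERABILITIES" == "true" ]]; then
          args+=(--fail-on-vulnerabilities)
        fi
        scanpipe check-compliance "${args[@]}"
```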
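Review bot: `scancodeio-repo-branch: "main"` makes this workflow a floating dependency on whatever the upstream scancodeio main branch contains at run time, so a regression, a behavior change or a compromised commit upstream reaches this repository's CI without any change here, and a failing run cannot be reproduced later from the workflow file alone. The commit message explains that this is to get `--fail-on-vulnerabilities` before it ships in a release; that rationale belongs next to the line, e.g. `# temporary: --fail-on-vulnerabilities is not in a tagged scancode.io release yet; pin to a tag once it is`. I cannot tell from this diff whether the action logs the commit it installs from that branch; if it does not, printing it in the job output would at least make a red run attributable.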