Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
37 commits
Select commit Hold shift + click to select a range
22ff8d5
Add GH workflow to generate SBOM with OSV-Scanner #1730
tdruez Aug 20, 2025
9d41c7f
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
dfa7786
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
4af8434
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
b24e36c
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
9ebd6a7
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
91983e0
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
da1494c
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
7ec0065
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
f6e7f52
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
9ac3f51
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
c9a38fa
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
96d8b89
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
b4cba53
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
8f025da
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
c9e2509
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
65de814
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
6726ff5
Debug OSV-Scanner action #1730
tdruez Aug 21, 2025
8706897
Merge branch 'main' into 1730-sca-integrations-osv
tdruez Aug 27, 2025
54b3125
Add entry in the FAQ
tdruez Aug 27, 2025
8e666ae
DEBUG workflow
tdruez Aug 27, 2025
1b2ec6a
DEBUG workflow
tdruez Aug 27, 2025
ddef0cb
DEBUG workflow
tdruez Aug 27, 2025
2bd7fb7
DEBUG workflow
tdruez Aug 27, 2025
58b42c0
DEBUG workflow
tdruez Aug 27, 2025
adff71a
DEBUG workflow
tdruez Aug 27, 2025
0429814
DEBUG workflow
tdruez Aug 27, 2025
f4ae8c2
DEBUG workflow
tdruez Aug 27, 2025
7f42337
DEBUG workflow
tdruez Aug 27, 2025
b93e411
DEBUG workflow
tdruez Aug 27, 2025
0cf0a22
DEBUG workflow
tdruez Aug 27, 2025
2a37aad
DEBUG workflow
tdruez Aug 27, 2025
a7f4f7b
DEBUG workflow
tdruez Aug 27, 2025
d721265
DEBUG workflow
tdruez Aug 27, 2025
ff8d39b
Add unit test for OSV-Scanner SBOM support
tdruez Aug 28, 2025
1a15f87
Refine workflow
tdruez Aug 28, 2025
3ebb0fe
Add extra unit test for the OSV-Scanner support
tdruez Aug 28, 2025
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions .github/workflows/sca-integration-osv-scanner.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
name: Generate SBOM with OSV-Scanner and load into ScanCode.io

# This workflow:
# 1. Generates a CycloneDX SBOM for a container image using OSV-Scanner.
# 2. Uploads the SBOM as a GitHub artifact for future inspection.
# 3. Loads the SBOM into ScanCode.io for further analysis.
# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
#
# It runs on demand, and once a week (scheduled).

on:
workflow_dispatch:
schedule:
# Run once a week (every 7 days) at 00:00 UTC on Sunday
- cron: "0 0 * * 0"

permissions:
contents: read

env:
IMAGE_REFERENCE: "python:3.13.0-slim"

jobs:
generate-and-load-sbom:
runs-on: ubuntu-24.04
steps:
- name: Install OSV-Scanner
run: |
curl -sLO https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
chmod +x osv-scanner_linux_amd64
sudo mv osv-scanner_linux_amd64 /usr/local/bin/osv-scanner

- name: Run OSV Scanner
# Using `|| true` as OSV-Scanner exits with code 1 when vulnerabilities are found.
run: |
osv-scanner scan image ${{ env.IMAGE_REFERENCE }} \
--all-packages \
--format spdx-2-3 \
--output osv-sbom.spdx.json \
|| true

- name: Upload SBOM as GitHub Artifact
uses: actions/upload-artifact@v4
with:
name: osv-scanner-sbom-report
path: osv-sbom.spdx.json
retention-days: 20

- name: Import SBOM into ScanCode.io
uses: aboutcode-org/scancode-action@main
with:
pipelines: "load_sbom"
inputs-path: "osv-sbom.spdx.json"
scancodeio-repo-branch: "main"

- name: Verify SBOM Analysis Results in ScanCode.io
shell: bash
run: |
scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"
6 changes: 4 additions & 2 deletions docs/faq.rst
Original file line number Diff line number Diff line change
Expand Up @@ -376,8 +376,10 @@ are actively supported and tested::
- Anchore: https://anchore.com/sbom/
- CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
- OWASP dep-scan: https://owasp.org/www-project-dep-scan/
- Trivy: https://trivy.dev/latest/
- SBOM tool: https://github.com/microsoft/sbom-tool/
- Trivy: https://trivy.dev/
- OSV-Scanner: https://osv.dev/

.. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
You can use the ``load-sbom`` pipeline to process and enhance these SBOMs in your
You can use the ``load_sbom`` pipeline to process and enhance these SBOMs in your
ScanCode.io projects.
3 changes: 3 additions & 0 deletions scanpipe/pipes/resolve.py
Original file line number Diff line number Diff line change
Expand Up @@ -408,6 +408,9 @@ def resolve_spdx_dependencies(input_location):
return [
spdx_relationship_to_dependency_data(spdx_relationship)
for spdx_relationship in spdx_relationships
if spdx_relationship.spdx_id != "NOASSERTION"
and spdx_relationship.related_spdx_id != "NOASSERTION"
and spdx_relationship.relationship != "DESCRIBES"
]


Expand Down
Loading