diff --git a/.github/workflows/sca-integration-anchore.yml b/.github/workflows/sca-integration-anchore.yml
index 07de98219f..d8ac014829 100644
--- a/.github/workflows/sca-integration-anchore.yml
+++ b/.github/workflows/sca-integration-anchore.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 3200
+  EXPECTED_VULNERABLE_PACKAGE: 40
+  EXPECTED_DEPENDENCY: 220
 
 jobs:
   generate-and-load-sbom:
@@ -44,8 +47,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "anchore-grype-sbom.cdx.json"
+          scancodeio-repo-branch: "main"
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-cdxgen.yml b/.github/workflows/sca-integration-cdxgen.yml
index 0af013ab99..ad7f050fac 100644
--- a/.github/workflows/sca-integration-cdxgen.yml
+++ b/.github/workflows/sca-integration-cdxgen.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 340
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 0
 
 jobs:
   generate-and-load-sbom:
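Review bot: The new `scanpipe verify-project --packages ${{ env.EXPECTED_PACKAGE }}` call drops the comparison operators the removed assertions encoded (`> 3200`, `> 40`, `> 220` here; `>=` in ort and osv-scanner; `== 0` in cdxgen), so whether each value is now an exact count or a floor depends on verify-project's semantics, which this diff does not show; if it is a floor, osv-scanner also quietly lowers its dependency threshold from 100 to 90, and if it is an exact match the values tuned as lower bounds will be brittle. A comment above the `env:` block stating the contract, e.g. `# Lower bounds verify-project checks after load_sbom` (or whatever the command actually enforces), would make this explicit in all seven workflows. Since workflow-level `env:` values are already exported to the step shell, `--packages "$EXPECTED_PACKAGE"` avoids expanding `${{ }}` expressions inside a `run:` script, the pattern GitHub's hardening guidance steers away from even when, as here, the values are constants defined in the workflow itself. The `scancodeio-repo-branch: "main"` pin added here and in the cdxgen, depscan and trivy hunks reads as a temporary dependency on an unreleased ScanCode.io command, yet the ort, osv-scanner and sbom-tool workflows call `verify-project` without it in this diff, so either they already set it outside the shown hunks or they need it too. A comment next to the pin naming the condition for dropping it, e.g. `# TODO: drop once verify-project ships in a tagged ScanCode.io release`, would keep that from becoming a permanent tracking of an unreleased branch.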
@@ -47,8 +50,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "cdxgen-sbom.cdx.json"
+          scancodeio-repo-branch: "main"
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-depscan.yml b/.github/workflows/sca-integration-depscan.yml
index adfb76804f..6b824a6a60 100644
--- a/.github/workflows/sca-integration-depscan.yml
+++ b/.github/workflows/sca-integration-depscan.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 220
+  EXPECTED_VULNERABLE_PACKAGE: 10
+  EXPECTED_DEPENDENCY: 150
 
 jobs:
   generate-and-load-sbom:
@@ -52,8 +55,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "reports/sbom-docker.vdr.json"
+          scancodeio-repo-branch: "main"
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-ort.yml b/.github/workflows/sca-integration-ort.yml
index 98df3236cf..f5407b1547 100644
--- a/.github/workflows/sca-integration-ort.yml
+++ b/.github/workflows/sca-integration-ort.yml
@@ -13,14 +13,15 @@ on:
   schedule:
     # Run once a week (every 7 days) at 00:00 UTC on Sunday
     - cron: "0 0 * * 0"
-  pull_request:
-  push:
-    branches:
-      - main
 
 permissions:
   contents: read
 
+env:
+  EXPECTED_PACKAGE: 5
+  EXPECTED_VULNERABLE_PACKAGE: 1
+  EXPECTED_DEPENDENCY: 1
+
 jobs:
   generate-and-load-sbom:
     runs-on: ubuntu-24.04
@@ -47,4 +48,8 @@ jobs:
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-osv-scanner.yml b/.github/workflows/sca-integration-osv-scanner.yml
index 07ed803907..0edaa49d9c 100644
--- a/.github/workflows/sca-integration-osv-scanner.yml
+++ b/.github/workflows/sca-integration-osv-scanner.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 100
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 90
 
 jobs:
   generate-and-load-sbom:
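Review bot: Dropping `pull_request:` and `push:` in the first ort hunk leaves this workflow running only on the weekly cron, so a change that breaks the ORT integration is not caught on the PR that introduced it but surfaces later as an unrelated scheduled failure. The other six workflows keep their triggers as far as this diff shows, so the ORT job becomes the only one without pre-merge coverage. If this is deliberate (runtime or flakiness, say), a one-line comment under `on:` saying so, plus a `workflow_dispatch:` trigger so the check can still be run by hand, would preserve the intent; otherwise the triggers should stay. The `on:` mapping starts before this hunk.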
@@ -56,4 +59,8 @@ jobs:
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml
index 125926e7a1..01bc2fe96d 100644
--- a/.github/workflows/sca-integration-sbom-tool.yml
+++ b/.github/workflows/sca-integration-sbom-tool.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 90
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 90
 
 jobs:
   generate-and-load-sbom:
@@ -57,4 +60,8 @@ jobs:
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}
diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
index 5e7306fd64..d135e00322 100644
--- a/.github/workflows/sca-integration-trivy.yml
+++ b/.github/workflows/sca-integration-trivy.yml
@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 90
+  EXPECTED_VULNERABLE_PACKAGE: 40
+  EXPECTED_DEPENDENCY: 190
 
 jobs:
   generate-and-load-sbom:
@@ -46,8 +49,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "trivy-report.sbom.json"
+          scancodeio-repo-branch: "main"
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}