From a74eac56c4586553f80fb3b2062e0141434e710d Mon Sep 17 00:00:00 2001
From: Johannes Faltermeier
Date: Mon, 25 Aug 2025 11:11:25 +0200
Subject: [PATCH] Add SCANOSS baseline workflow
* introduce GitHub Actions workflow `.github/workflows/scanoss-license-check.yml`
* run SCANOSS code scan without policies for baseline collection
* save raw results as artifact `scanoss-baseline-results`
---
.github/workflows/scanoss-license-check.yml | 38 +++++++++++++++++++
.scanoss.json | 41 +++++++++++++++++++++
2 files changed, 79 insertions(+)
create mode 100644 .github/workflows/scanoss-license-check.yml
create mode 100644 .scanoss.json
diff --git a/.github/workflows/scanoss-license-check.yml b/.github/workflows/scanoss-license-check.yml
new file mode 100644
index 00000000..e48e0017
--- /dev/null
+++ b/.github/workflows/scanoss-license-check.yml
@@ -0,0 +1,38 @@
+name: SCANOSS PR Scan
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+ # pull-requests: write
+ checks: write
+ actions: read
+
+jobs:
+ baseline:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run SCANOSS
+ id: scan
+ uses: scanoss/code-scan-action@7da0dbb413e636a18f262a4d930f72fab12cc80d # v1.4.0
+ with:
+ dependencies.enabled: false
+ policies: undeclared
+ policies.halt_on_failure: true
+ scanossSettings: true
+ settingsFilepath: .scanoss.json
+
+ - name: Save raw results
+ run: |
+ echo "Results at: ${{ steps.scan.outputs.result-filepath }}"
+ cp "${{ steps.scan.outputs.result-filepath }}" scanoss-results.json
+
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: scanoss-baseline-results
+ path: scanoss-results.json
diff --git a/.scanoss.json b/.scanoss.json
new file mode 100644
index 00000000..f3aabe09
--- /dev/null
+++ b/.scanoss.json
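Review bot: `policies: undeclared` together with `policies.halt_on_failure: true` on the Run SCANOSS step contradicts the commit message's "without policies for baseline collection": when the policy trips, the scan step fails and the following `Save raw results` and `Upload results` steps are skipped, so no baseline artifact is produced for exactly the PRs that have findings. Either drop the two `policies` lines as the message describes, or add `if: always()` to both follow-up steps so the raw results are still copied and uploaded after a failed scan (this assumes the action writes `result-filepath` before halting, which the hunk does not show). The scan action is pinned to a commit SHA, but `actions/checkout@v4` and `actions/upload-artifact@v4` are pinned to mutable major tags; pinning all three to a SHA with a trailing version comment, as done for `scanoss/code-scan-action`, keeps the pinning policy consistent. The commented-out `# pull-requests: write` under `permissions` should be removed or given a reason, since it reads as an intended grant.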
@@ -0,0 +1,41 @@
+{
+ "self": {
+ "name": "theia-cloud",
+ "license": "EPL-2.0",
+ "description": "SCANOSS configuration for Theia Cloud"
+ },
+ "settings": {
+ "skip": {
+ "patterns": {
+ "scanning": [
+ "**/node_modules/",
+ "**/dist/",
+ "**/build/",
+ "**/target/",
+ "**/*.min.*",
+ "**/*.generated.*",
+ "**/*.graphml",
+ "**/*.vsix",
+ "documentation/**"
+ ],
+ "fingerprinting": ["*.log", "*.tmp", "**/*test*.*"]
+ }
+ }
+ },
+ "bom": {
+ "include": [
+ { "purl": "pkg:github/eclipsesource/theia-cloud" },
+ { "purl": "pkg:github/eclipse-theia/theia-cloud" },
+ { "purl": "pkg:npm/%40eclipse-theiacloud/common" },
+ { "purl": "pkg:npm/theiacloud-test" }
+ ],
+ "remove": [
+ {
+ "path": "demo/dockerfiles/demo-theia-monitor-vscode/theia-cloud-monitor-1.1.1.vsix",
+ "purl": "pkg:github/eclipse-theia/theia-cloud",
+ "comment": "Build artifact; suppress baseline finding"
+ }
+ ],
+ "replace": []
+ }
+}
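Review bot: The fingerprinting skip pattern `**/*test*.*` matches any file whose name contains "test" anywhere (for example `latest.json` or `contest.ts`), not only test code, so third-party snippets in such files would never be fingerprinted and would silently escape the license scan; a narrower pattern such as `**/*.test.*` or `**/test/**` would cover the intended files. The `bom.remove` entry for `theia-cloud-monitor-1.1.1.vsix` looks redundant with the `**/*.vsix` entry under `skip.patterns.scanning`, which presumably already keeps that file out of the results; if the scanner treats the two settings differently, the `comment` field should state that rather than only "Build artifact". Because `.scanoss.json` is strict JSON with no comment syntax, the `comment` field is the only place for rationale, so each `remove` entry should say why the match is a false positive and which baseline run it was observed in.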