Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
a93a46d
init try at settings load
eeisegn May 21, 2026
3d32828
Added --scan-root. Fixed settings loading logic
Alex-1089 May 22, 2026
2ff8271
Fixed path logic and linter issues
Alex-1089 May 26, 2026
ed44614
Updated gha plugin runtimes
Alex-1089 May 26, 2026
e5d4072
Added --scan-root to fingerprinting. Moved dynamic settings file load…
Alex-1089 May 26, 2026
7e336b3
Added --scan-root to dependency, folder_scan and folder_hash. Fixed p…
Alex-1089 May 26, 2026
ea6e658
Added integration tests. Added cli guard.
Alex-1089 May 27, 2026
88a69db
Updated CHANGELOG.md
Alex-1089 May 27, 2026
2a5631d
Merge branch 'main' into feat/alex/SP-4167-improve-settings-file-load
Alex-1089 Jun 5, 2026
c083e57
init try at settings load
eeisegn May 21, 2026
6e19d36
Added --scan-root. Fixed settings loading logic
Alex-1089 May 22, 2026
2cc35ba
Fixed path logic and linter issues
Alex-1089 May 26, 2026
1c2b3a6
Updated gha plugin runtimes
Alex-1089 May 26, 2026
457fa4e
Added --scan-root to fingerprinting. Moved dynamic settings file load…
Alex-1089 May 26, 2026
4032746
Added --scan-root to dependency, folder_scan and folder_hash. Fixed p…
Alex-1089 May 26, 2026
1fbca05
Added integration tests. Added cli guard.
Alex-1089 May 27, 2026
d1af8ae
Updated CHANGELOG.md
Alex-1089 May 27, 2026
bc325b8
Merge remote-tracking branch 'origin/feat/alex/SP-4167-improve-settin…
Alex-1089 Jul 6, 2026
1c99c28
Added missing filter path logic to dependency scanning. Added --setti…
Alex-1089 Jul 7, 2026
e4fb005
SP-4482: honor Retry-After on rate-limit responses instead of aborting
isasmendiagus Jun 24, 2026
c3f9e2d
SP-4489: distinguish 429 rate limit from 503 outage; stop misreportin…
isasmendiagus Jul 7, 2026
098efd4
chore: bump version to 1.53.2 and update CHANGELOG
isasmendiagus Jul 7, 2026
50f2854
init try at settings load
eeisegn May 21, 2026
2274e90
Rebased branch with main
Alex-1089 May 22, 2026
3629f54
Fixed path logic and linter issues
Alex-1089 May 26, 2026
29fd7e6
Updated gha plugin runtimes
Alex-1089 May 26, 2026
4c0176a
Added --scan-root to fingerprinting. Moved dynamic settings file load…
Alex-1089 May 26, 2026
ba514ca
Added --scan-root to dependency, folder_scan and folder_hash. Fixed p…
Alex-1089 May 26, 2026
2c6acd7
Added integration tests. Added cli guard.
Alex-1089 May 27, 2026
0f2ed9e
Updated CHANGELOG.md
Alex-1089 May 27, 2026
d6990f9
init try at settings load
eeisegn May 21, 2026
d69142c
Added --scan-root. Fixed settings loading logic
Alex-1089 May 22, 2026
8bf9227
Fixed path logic and linter issues
Alex-1089 May 26, 2026
5111381
Added missing filter path logic to dependency scanning. Added --setti…
Alex-1089 Jul 7, 2026
e083689
Merge remote-tracking branch 'origin/feat/alex/SP-4167-improve-settin…
Alex-1089 Jul 7, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 18 additions & 7 deletions .github/workflows/container-local-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ jobs:

steps:
- name: Checkout Repository
uses: actions/checkout@v4
uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/container-local-test.yml"

echo "== File = $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,140p'

echo "== Extract uses: entries (with line numbers) =="
nl -ba "$FILE" | rg -n "uses:\s" || true

echo "== Specific requested lines (24,28,41,46,57,68) =="
for L in 24 28 41 46 57 68; do
  echo "-- line $L --"
  nl -ba "$FILE" | sed -n "${L}p"
done

Repository: scanoss/scanoss.py

Length of output: 198


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/container-local-test.yml"

echo "== ls workspace =="
ls -la .github/workflows || true
echo

echo "== sanity check =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
echo "Found: $FILE"
echo

echo "== show first 120 lines (numbered via awk) =="
awk '{printf "%d:%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo

echo "== extract all uses: lines (with line numbers) =="
awk '/uses:/{printf "%d:%s\n", NR, $0}' "$FILE"
echo

echo "== print requested lines =="
for L in 24 28 41 46 57 68; do
  echo "-- line $L --"
  sed -n "${L}p" "$FILE" | cat
done

Repository: scanoss/scanoss.py

Length of output: 5234


Pin GitHub Actions uses: references to immutable commit SHAs

These steps are tag-pinned (@v6/@v4/@v7) in .github/workflows/container-local-test.yml (lines 24, 28, 41, 46, 57, 68), which leaves the workflow exposed to upstream tag retargeting. Pin them to full commit SHAs for the same actions.

Suggested hardening pattern
- uses: actions/checkout@v6
+ uses: actions/checkout@<full_commit_sha>

- uses: actions/setup-python@v6
+ uses: actions/setup-python@<full_commit_sha>

- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@<full_commit_sha>

- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/container-local-test.yml at line 24, Replace all
tag-pinned GitHub Action references (e.g., the literal string "uses:
actions/checkout@v6" and the other "uses: ...@v4" / "...@v7" entries) with the
corresponding action pinned to a full commit SHA; locate each "uses:" line in
the workflow (the ones ending with `@v6`, `@v4`, `@v7`) and update them to the full
immutable commit SHA from the upstream action repository release you intend to
use (copy the commit SHA from the action's GitHub tags/releases and substitute
it in place of the tag).


# Setup and build the python package
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: "3.9.x"

Expand All @@ -38,12 +38,12 @@ jobs:
run: make dist

- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4

# Build Docker image with Buildx - Base
- name: Build Docker Image - No Entrypoint
id: build-no-ep
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: false
Expand All @@ -54,7 +54,7 @@ jobs:
# Build Docker image with Buildx - Jenkins
- name: Build Docker Image - Jenkins
id: build-je
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: false
Expand All @@ -65,7 +65,7 @@ jobs:
# Build Docker image with Buildx - Entrypoint
- name: Build Docker Image - With Entrypoint
id: build-with-ep
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: false
Expand All @@ -91,17 +91,28 @@ jobs:
docker image ls -a
docker run ${{ env.IMAGE_NAME }} version
docker run ${{ env.IMAGE_NAME }} utils fast
echo "Running file scan on tests"
docker run -e SCANOSS_API_KEY="${{ secrets.SC_API_KEY }}" -v "$(pwd)":"/scanoss" ${{ env.IMAGE_NAME }} scan -o results.json tests
id_count=$(cat results.json | grep '"id":' | wc -l)
echo "ID Count: $id_count"
if [[ $id_count -lt 1 ]]; then
echo "Error: Scan test did not produce any results. Failing"
exit 1
fi
echo "Running fingerprinting on tests"
docker run -v "$(pwd)":"/scanoss" ${{ env.IMAGE_NAME }} wfp --skip-headers -o fingers.wfp tests
wfp_count=$(cat fingers.wfp | grep 'file=' | wc -l)
echo "WFP Count: $wfp_count"
if [[ $wfp_count -lt 1 ]]; then
echo "Error: WFP test did not produce any results. Failing"
exit 1
fi
fi
echo "Running dependency scan on tests"
docker run -e SCANOSS_API_KEY="${{ secrets.SC_API_KEY }}" -v "$(pwd)":"/scanoss" ${{ env.IMAGE_NAME }} scan --dependencies-only -o results.json tests
dep_count=$(python3 -c "import json,sys; d=json.load(open('results.json')); print(sum(len(v.get('dependencies',[])) for f in d.values() for v in f))" 2>/dev/null || echo 0)
echo "Dependency count: $dep_count"
if [[ $dep_count -lt 1 ]]; then
echo "Error: Dependency scan did not find any dependencies. Failing"
exit 1
fi

20 changes: 10 additions & 10 deletions .github/workflows/container-publish-ghcr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@ jobs:

steps:
- name: Checkout Repository
uses: actions/checkout@v4
uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/container-publish-ghcr.yml"
echo "== File = $FILE =="
wc -l "$FILE"

echo
echo "== uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true

echo
echo "== Check referenced line ranges (27,31,45,50,63,70,85,92,107,114) =="
python3 - <<'PY'
import itertools, re, pathlib
p=pathlib.Path(".github/workflows/container-publish-ghcr.yml")
lines=p.read_text().splitlines()
targets=[27,31,45,50,63,70,85,92,107,114]
for t in targets:
    i=t-1
    if 0<=i<len(lines):
        print(f"--- line {t} ---")
        for j in range(max(0,i-2), min(len(lines), i+3)):
            mark=">>" if j==i else "  "
            print(f"{mark}{j+1:4d}: {lines[j]}")
PY

Repository: scanoss/scanoss.py

Length of output: 3045


Pin immutable SHA GitHub Actions in this publish workflow.

All uses: refs in .github/workflows/container-publish-ghcr.yml are still on mutable major tags (actions/checkout@v6, actions/setup-python@v6, docker/setup-qemu-action@v4, docker/setup-buildx-action@v4, docker/metadata-action@v6, docker/build-push-action@v7). Pin each to a full commit SHA (the pinned SHA shown for docker/setup-buildx-action is only commented out).
Lines: 27, 31, 45, 50, 63, 70, 85, 92, 107, 114

🧰 Tools
🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/container-publish-ghcr.yml at line 27, Pin every GitHub
Action reference in the workflow to an immutable commit SHA instead of mutable
major tags: replace actions/checkout@v6, actions/setup-python@v6,
docker/setup-qemu-action@v4, docker/setup-buildx-action@v4,
docker/metadata-action@v6, docker/build-push-action@v7 (and the other listed
uses entries) with their corresponding full commit SHAs retrieved from each
action's repo, and ensure the already-commented pinned SHA for
docker/setup-buildx-action is applied; update each uses: line to the exact
"owner/repo@<full-commit-sha>" form so the workflow is deterministic.


# Setup and build python package
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'

Expand All @@ -42,12 +42,12 @@ jobs:

# Add support for more platforms with QEMU
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

# Workaround: https://github.com/docker/build-push-action/issues/461
# uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4

# Login against a Docker registry except on PR
- name: Log into registry ${{ env.REGISTRY }}
Expand All @@ -60,14 +60,14 @@ jobs:
# Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata - no entrypoint
id: meta-ne
uses: docker/metadata-action@v4
uses: docker/metadata-action@v6
with:
images: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME_BASE }}"

# Build and push Docker image with Buildx (don't push on PR)
- name: Build and push Docker image - Base (no entrypoint)
id: build-and-push-ne
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -82,14 +82,14 @@ jobs:
# Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata - jenkins
id: meta-je
uses: docker/metadata-action@v4
uses: docker/metadata-action@v6
with:
images: "${{ env.REGISTRY }}/${{ env.IMAGE_JENKINS }}"

# Build and push Docker image with Buildx (don't push on PR)
- name: Build and push Docker image - Jenkins
id: build-and-push-je
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -104,14 +104,14 @@ jobs:
# Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata - entrypoint
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v6
with:
images: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"

# Build and push Docker image with Buildx (don't push on PR)
- name: Build and push Docker image - EP (entrypoint)
id: build-and-push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,12 @@ jobs:

steps:
- name: Checkout Code
uses: actions/checkout@v3
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@v6
with:
python-version: "3.9"

Expand Down
18 changes: 15 additions & 3 deletions .github/workflows/python-local-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/checkout to an immutable commit SHA
.github/workflows/python-local-test.yml line 23 still uses the mutable tag actions/checkout@v6. Update the uses: value to the corresponding commit SHA.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-local-test.yml at line 23, Replace the mutable tag
"actions/checkout@v6" with the corresponding immutable commit SHA: locate the
actions/checkout repository tag v6 on GitHub, copy the commit SHA for that tag,
and update the workflow's uses line to "actions/checkout@<COMMIT_SHA>" so the
workflow references the exact commit instead of the moving tag; ensure you
replace the value in the uses: entry that currently reads actions/checkout@v6.


- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: "3.9.x"

Expand All @@ -36,7 +36,7 @@ jobs:
run: make dist

- name: Install Test Package
uses: nick-fields/retry@v3
uses: nick-fields/retry@v4
with:
timeout_minutes: 2
retry_wait_seconds: 10
Expand Down Expand Up @@ -103,6 +103,18 @@ jobs:
exit 1
fi

- name: Run Tests HPFM
run: |
which scanoss-py
scanoss-py version
scanoss-py fh -o hpfm-hashes.json tests
hash_names=$(cat hpfm-hashes.json | grep 'sim_hash_names')
echo "Sim Hash: $hash_names"
if [ "$hash_names" = "" ]; then
echo "Error: Folder hash failed to generate HPFM hashes. Failing."
exit 1
fi
Comment thread
coderabbitai[bot] marked this conversation as resolved.

- name: Run Unit Tests
run: |
python -m unittest
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/python-publish-pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,10 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Release workflow actions must be SHA-pinned.

.github/workflows/python-publish-pypi.yml uses non-SHA floating refs in uses: across the publish/release path (not 40-hex commit SHAs): actions/checkout@v6 (17, 82), actions/setup-python@v6 (20, 85), pypa/gh-action-pypi-publish@release/v1 (64), softprops/action-gh-release@v3 (72), nick-fields/retry@v4 (90).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish-pypi.yml at line 17, The workflow uses
floating action refs (actions/checkout@v6, actions/setup-python@v6,
pypa/gh-action-pypi-publish@release/v1, softprops/action-gh-release@v3,
nick-fields/retry@v4) which must be pinned to immutable commit SHAs; update each
uses: entry to reference the corresponding full 40-character commit SHA for the
specific released tag you want to consume (replace e.g. actions/checkout@v6 with
actions/checkout@<commit-sha>), verifying the SHA against the action repo
release/tag and keeping the tag name in a comment if helpful.


- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'

Expand Down Expand Up @@ -69,7 +69,7 @@ jobs:

- name: Create Draft Release ${{ github.ref_type }} - ${{ github.ref_name }}
if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v3
with:
draft: true
files: dist/*
Expand All @@ -79,15 +79,15 @@ jobs:
needs: [deploy]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'

- name: Install Remote Package
uses: nick-fields/retry@v3
uses: nick-fields/retry@v4
with:
timeout_minutes: 3
retry_wait_seconds: 10
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/python-publish-testpypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

# Show file with line numbers
nl -ba "$FILE" | sed -n '1,120p'

echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true

echo
echo "== uses: lines with actions/checkout@ or actions/* around likely lines =="
nl -ba "$FILE" | awk '($2 ~ /uses:/) {print}'

Repository: scanoss/scanoss.py

Length of output: 182


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="

if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

echo "== File first 120 lines (with line numbers via cat -n) =="
cat -n "$FILE" | sed -n '1,120p'

echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true

echo
echo "== uses: lines with actions/checkout@ or other actions/* (context) =="
rg -n "^\s*uses:\s*actions/" "$FILE" || true

echo
echo "== Exact lines 10-25, 60-75 for the originally referenced locations =="
awk 'NR>=10 && NR<=25 {printf "%6d  %s\n", NR, $0} NR>=60 && NR<=75 {printf "%6d  %s\n", NR, $0}' "$FILE"

Repository: scanoss/scanoss.py

Length of output: 5336


Pin GitHub Actions to immutable commit SHAs in TestPyPI workflow (avoid @v*/tags): update actions/checkout@v6 (lines 16, 66), actions/setup-python@v6 (lines 19, 69), and pypa/gh-action-pypi-publish@release/v1 (line 53) to full commit SHAs.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish-testpypi.yml at line 16, Workflow uses
mutable action tags; replace actions/checkout@v6, actions/setup-python@v6, and
pypa/gh-action-pypi-publish@release/v1 with their corresponding full commit SHAs
to pin to immutable revisions: locate the three usages of actions/checkout@v6,
actions/setup-python@v6 (two occurrences), and
pypa/gh-action-pypi-publish@release/v1 in the TestPyPI workflow and replace each
tag with the exact commit SHA from the action repository (ensure you copy the
full 40-character SHA), then verify the workflow file's YAML remains valid and
run the workflow to confirm success.


- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'

Expand Down Expand Up @@ -63,10 +63,10 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scanoss.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,11 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

nl -ba "$FILE" | sed -n '1,120p'

Repository: scanoss/scanoss.py

Length of output: 106


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

# Print around the referenced lines (23 and 27)
cat -n "$FILE" | sed -n '15,40p'

Repository: scanoss/scanoss.py

Length of output: 594


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scanoss.yml"
rg -n '^\s*uses:\s*' "$FILE" || true

Repository: scanoss/scanoss.py

Length of output: 141


Pin checkout and SCANOSS action refs to immutable commit SHAs.

In .github/workflows/scanoss.yml, actions/checkout@v6 (line 23) and scanoss/gha-code-scan@v1 (line 27) are still tag-based; pin both uses: references to full commit SHAs.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scanoss.yml at line 23, Replace tag-based action refs with
immutable commit SHAs: update the two uses: entries that reference
actions/checkout@v6 and scanoss/gha-code-scan@v1 to point to their corresponding
full commit SHA values (replace the tag with the specific commit hash) so the
workflow pins to exact revisions; locate the uses lines for
"actions/checkout@v6" and "scanoss/gha-code-scan@v1" in the scanoss.yml and
substitute each tag with the verified commit SHA for that action.


- name: Run SCANOSS Code Scan
id: scanoss-code-scan-step
uses: scanoss/code-scan-action@v1
uses: scanoss/gha-code-scan@v1
with:
policies: undeclared
api.url: https://api.scanoss.com/scan/direct
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/version-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,13 @@ jobs:
version-tagging:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the workflow file
ls -la .github/workflows/version-tag.yml

# Print relevant sections around the cited lines
nl -ba .github/workflows/version-tag.yml | sed -n '1,120p'

Repository: scanoss/scanoss.py

Length of output: 206


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Workflow file ==="
ls -la .github/workflows/version-tag.yml

echo "=== Lines 1-120 (with numbers via cat -n) ==="
cat -n .github/workflows/version-tag.yml | sed -n '1,120p'

echo "=== Grep for checkout/setup-python and token/persist-credentials ==="
rg -n "uses:\s*(actions/checkout|actions/setup-python)|token:\s*\$\{\{\s*secrets\.|persist-credentials:" .github/workflows/version-tag.yml || true

Repository: scanoss/scanoss.py

Length of output: 1774


🌐 Web query:

actions/checkout persist-credentials default value

💡 Result:

The default value for the persist-credentials input in the actions/checkout GitHub Action is true [1][2][3]. When set to true (the default), the action configures the repository's local Git configuration (.git/config) with the credentials (such as the GITHUB_TOKEN or a provided SSH key) used to perform the checkout [1][3][4]. This allows subsequent steps in the workflow to execute authenticated Git commands using those credentials [1][4]. Because this behavior can potentially expose credentials to other steps or if artifacts are improperly handled, it is a common security best practice to set persist-credentials: false in workflows that do not require the ability to push changes or perform authenticated Git operations [5][6][7].

Citations:


Pin checkout/setup-python to immutable SHAs and explicitly manage checkout credential persistence.

  • actions/checkout@v6 (line 19) and actions/setup-python@v6 (line 24) use floating major tags; pin both to commit SHAs.
  • Checkout passes token: ${{ secrets.SC_GH_TAG_TOKEN }} (line 22) while persist-credentials is left unset; actions/checkout defaults persist-credentials: true, so the token is written into local git config. Since the workflow later runs git push --tags, set persist-credentials explicitly and limit/configure credentials only for the push step.
      - uses: actions/checkout@v6

Also applies to: 24-24

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 19-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/version-tag.yml at line 19, The workflow uses floating
tags for actions and leaves checkout credentials implicit: replace uses:
actions/checkout@v6 and uses: actions/setup-python@v6 with their immutable
commit SHAs (pin both to specific commit refs) and explicitly set
actions/checkout persist-credentials to false in the checkout step; then create
a dedicated git-auth step that calls actions/checkout or configures git with
token: ${{ secrets.SC_GH_TAG_TOKEN }} only for the push step (or set
persist-credentials true only in that single push-related checkout), ensuring
the token is not written into local git config for earlier steps.

with:
fetch-depth: "0"
token: ${{ secrets.SC_GH_TAG_TOKEN }}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9.x'
- name: Determine Tag
Expand All @@ -34,9 +35,12 @@ jobs:
- name: Apply Tag
if: ${{ inputs.run_for_real }}
id: taggerApply
env:
TAG_TOKEN: ${{ secrets.SC_GH_TAG_TOKEN }}
run: |
echo "Applying tag ${{env.package_app_version}} ..."
git tag "${{env.package_app_version}}"
echo "Pushing changes..."
git remote set-url origin "https://x-access-token:${TAG_TOKEN}@github.com/${{ github.repository }}"
git push --tags

15 changes: 15 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.54.0] - 2026-07-07
### Added
- Added `--scan-root` to specify the scan root to load scanoss.json from (Commands: `scan`, `wfp`, `dependencies`, `folder-scan`, `folder-hash`)
- Added a priority list for loading scanoss.json (1. --settings 2. Scan directory (`--scan-root` if specified) 3. CWD)

## [1.53.2] - 2026-07-07
### Fixed
- No longer reports every HTTP 503 as "service limits being exceeded", which misled users into thinking they had hit a rate limit during unrelated service outages. Rate limits (HTTP 429) are now distinguished from generic service unavailability (HTTP 503), and the actual server response body is surfaced in the error message.
### Changed
- Honour the `Retry-After` header on HTTP 429/503 responses, retrying with backoff (capped at 60s) instead of aborting immediately on the first 503

## [1.53.1] - 2026-06-04
### Added
- Added `--apiurl` option to the `folder-scan` command to configure a custom SCANOSS API base URL (consistent with the `scan` command)
Expand Down Expand Up @@ -894,3 +907,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
[1.52.1]: https://github.com/scanoss/scanoss.py/compare/v1.52.0...v1.52.1
[1.53.0]: https://github.com/scanoss/scanoss.py/compare/v1.52.1...v1.53.0
[1.53.1]: https://github.com/scanoss/scanoss.py/compare/v1.53.0...v1.53.1
[1.53.2]: https://github.com/scanoss/scanoss.py/compare/v1.53.1...v1.53.2
[1.54.0]: https://github.com/scanoss/scanoss.py/compare/v1.53.2...v1.54.0
2 changes: 1 addition & 1 deletion src/scanoss/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@
THE SOFTWARE.
"""

__version__ = '1.53.1'
__version__ = '1.54.0'
Loading