Run ScanCode.io pipelines from your Workflows.
[!IMPORTANT] The scancode-action is currently in the alpha stage, and we invite you to contribute to its improvement. Please feel free to submit bug reports or share your ideas by creating new entries in the "Issues" section. Your collaboration helps us enhance the action and ensures a more stable and effective tool for the community. Thank you for your support!
steps:
- uses: actions/checkout@v4
with:
path: scancode-inputs
- uses: nexB/scancode-action@alpha
with:
pipelines: 'scan_codebase'
output-formats: 'json xlsx spdx cyclonedx'
- uses: nexB/scancode-action@alpha
with:
# Names of the pipelines (comma-separated) and in order.
# Default is 'scan_codebase'
pipelines:
# The list of output formats to generate.
# Default is 'json xlsx spdx cyclonedx'
output-formats:
# Relative path within the $GITHUB_WORKSPACE for pipeline inputs.
# Default is 'scancode-inputs'
inputs-path:
# Provide one or more URLs to download for the pipeline run execution
input-urls:
# Name of the project.
# Default is 'scancode-action'
project-name:
# Name of the outputs archive.
# Default is 'scancode-outputs'
outputs-archive-name:
# Python version that will be installed to run ScanCode.io
# Default is '3.11'
python-version:
See https://github.com/aboutcode-org/scancode-action/tree/main/.github/workflows for Workflows examples.
steps:
- uses: actions/checkout@v4
with:
path: scancode-inputs
- uses: nexB/scancode-action@alpha
- uses: nexB/scancode-action@alpha
with:
pipelines: 'scan_codebase'
- uses: nexB/scancode-action@alpha
with:
pipelines: 'scan_codebase,find_vulnerabilities'
env:
VULNERABLECODE_URL: https://public.vulnerablecode.io/
The find_vulnerabilities
pipeline requires access to a VulnerableCode
instance, which can be defined using the VULNERABLECODE_URL
environment
variable.
In the example provided, a public instance is referenced. However, you also have the option to run your own VulnerableCode instance. For details on setting up and configuring your own instance, please refer to the VulnerableCode documentation.
- uses: nexB/scancode-action@alpha
with:
output-formats: 'json xlsx spdx cyclonedx'
- uses: nexB/scancode-action@alpha
with:
pipelines: 'map_deploy_to_develop'
input-urls:
https://domain.url/source.zip#from https://domain.url/binaries.zip#to
- name: Download repository archive to scancode-inputs/ directory
run: |
wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
- uses: nexB/scancode-action@alpha
with:
pipelines: 'scan_single_package'
- uses: nexB/scancode-action@alpha
with:
project-name: 'my-project-name'
Upon completion of the workflow, you can find the scan results in the
dedicated artifacts section at the bottom of the workflow summary page. Look
for a file named scancode-outputs
in that section. This file contains the
outputs generated by the scancode-action
.