This repository serves as an example of how to use the SCANOSS GitHub Action for license management in your projects. SCANOSS provides two predefined policies for scanning: `copyleft` and `undeclared`.
The repository is structured into two branches to showcase different scenarios:

- `main`: Demonstrates a scenario where the codebase complies with the policies:
  - No copyleft licenses are found within the codebase.
  - All components are correctly declared in the `sbom.json` file.
- `policy/violations`: Illustrates the case where the codebase does not comply with the policies. You can find the failing PR here.
  - Introduction of copyleft licenses.
  - Usage of components that are not declared in the `sbom.json`.
- Copyleft: This policy scans your code for copyleft licenses. If no copyleft licenses are identified, the check passes. Otherwise, it fails, indicating non-compliance.
- Undeclared: Requires the explicit declaration of all utilized components within a `sbom.json` file. Failure to declare any component results in a failed check, highlighting undeclared usage.
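To make the two policies concrete, the following script evaluates them locally over a scan result. This is an added example, not code from this repository or from the SCANOSS action; it assumes a simplified SCANOSS result shape (results keyed by file path, each match carrying `purl` and `licenses` lists, `"id": "none"` for no match), assumes `sbom.json` uses the `{"components": [{"purl": ...}]}` layout, and uses a short, assumed list of copyleft SPDX identifiers in place of the action's own default list. Both the SBOM and the scan result below are constructed inputs.

```python
import json

# Assumed copyleft list for this demo. The SCANOSS copyleft policy ships its own
# default list; adjust this set to match what your organisation treats as copyleft.
COPYLEFT_LICENSES = {
    "GPL-1.0-only", "GPL-1.0-or-later", "GPL-2.0-only", "GPL-2.0-or-later",
    "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.0-only", "LGPL-2.1-only", "LGPL-2.1-or-later",
    "LGPL-3.0-only", "LGPL-3.0-or-later",
    "AGPL-1.0-only", "AGPL-3.0-only", "AGPL-3.0-or-later",
    "MPL-1.1", "MPL-2.0", "EPL-1.0", "EPL-2.0", "CDDL-1.0",
}

# Constructed sbom.json contents (assumed {"components": [{"purl": ...}]} layout).
SBOM_JSON = """
{
  "components": [
    {"purl": "pkg:github/scanoss/scanoss.py"},
    {"purl": "pkg:npm/lodash"}
  ]
}
"""

# Constructed, simplified scan result: keyed by scanned path, one or more matches
# per path, each with a list of purls and a list of licenses. Fields a real result
# carries beyond these are omitted.
SCAN_RESULT_JSON = """
{
  "src/util.py": [
    {"id": "snippet", "purl": ["pkg:github/scanoss/scanoss.py"],
     "licenses": [{"name": "MIT"}]}
  ],
  "vendor/lodash.js": [
    {"id": "file", "purl": ["pkg:npm/lodash"],
     "licenses": [{"name": "MIT"}]}
  ],
  "lib/crypto.c": [
    {"id": "file", "purl": ["pkg:github/openssl/openssl", "pkg:generic/openssl"],
     "licenses": [{"name": "Apache-2.0"}]}
  ],
  "lib/readline.c": [
    {"id": "snippet", "purl": ["pkg:github/bminor/bash"],
     "licenses": [{"name": "GPL-3.0-or-later"}, {"name": "LGPL-2.1-or-later"}]}
  ],
  "README.md": [
    {"id": "none"}
  ]
}
"""


def declared_purls(sbom):
    """Set of purls explicitly declared in the SBOM."""
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}


def check_copyleft(results, copyleft=COPYLEFT_LICENSES):
    """Copyleft policy: {path: [copyleft license ids]} for every match carrying one."""
    findings = {}
    for path, matches in results.items():
        for m in matches:
            if m.get("id") == "none":
                continue
            hits = sorted({lic["name"] for lic in m.get("licenses", [])
                           if lic.get("name") in copyleft})
            if hits:
                findings.setdefault(path, []).extend(hits)
    return findings


def check_undeclared(results, sbom):
    """Undeclared policy: {purl: [paths]} for matched components absent from the SBOM."""
    declared = declared_purls(sbom)
    undeclared = {}
    for path, matches in results.items():
        for m in matches:
            if m.get("id") == "none":
                continue
            purls = m.get("purl", [])
            # A match counts as declared if any of its purls appears in the SBOM.
            if purls and not (set(purls) & declared):
                undeclared.setdefault(purls[0], []).append(path)
    return undeclared


def evaluate(results_json, sbom_json):
    """Run both policies; 'passed' is True only when neither produces a finding."""
    results = json.loads(results_json)
    sbom = json.loads(sbom_json)
    copyleft = check_copyleft(results)
    undeclared = check_undeclared(results, sbom)
    return {"copyleft": copyleft, "undeclared": undeclared,
            "passed": not copyleft and not undeclared}


if __name__ == "__main__":
    report = evaluate(SCAN_RESULT_JSON, SBOM_JSON)
    print(json.dumps(report, indent=2))
    # Non-zero exit mirrors a failed check in CI.
    raise SystemExit(0 if report["passed"] else 1)
```

With the constructed inputs the copyleft policy fails on `lib/readline.c` and the undeclared policy fails on the OpenSSL and bash matches, so the run exits non-zero; adding those purls to `sbom.json` clears the undeclared findings but the GPL/LGPL match still fails the copyleft policy, which is the behaviour the `policy/violations` branch illustrates.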
To use the SCANOSS GitHub Action in your project, add a workflow file under `.github/workflows` with the following basic setup (the `policies` input is a comma-separated list):

```yaml
name: Example SCANOSS Action

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write
  checks: write

jobs:
  scanoss-analysis:
    name: SCANOSS Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        id: checkout
        uses: actions/checkout@v4

      - name: Run SCANOSS analysis
        id: scan
        uses: scanoss/actions-scan@v0
        with:
          policies: copyleft, undeclared
```