SolaceDev · johnvincentcorpuz · Mar 3, 2026 · Mar 2, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/.github/workflows/docs/container-scan-and-guard.md b/.github/workflows/docs/container-scan-and-guard.md
@@ -313,6 +313,7 @@ jobs:
 
 ## Related Documentation
 
+- [SCA Setup Dependencies](../../../sca-setup-deps/README.md) — Set up build environments (Java, Node, Python, .NET) before source-code SCA scanning
 - [Workflow Config Loader](../../../workflow-config-loader/README.md)
 - [Container Scan Action](../../../container/container-scan/README.md)
 - [Container FOSSA Scan](../../../container/fossa-scan/README.md)

diff --git a/.github/workflows/docs/sca-scan-and-guard.md b/.github/workflows/docs/sca-scan-and-guard.md
@@ -89,6 +89,8 @@ jobs:
 
 ## Inputs
 
+### Core Inputs
+
 | Input | Required | Default | Description |
 |-------|----------|---------|-------------|
 | `git_ref` | No | (empty) | Git ref to checkout (e.g., `0.0.269` for releases). Leave empty for PR context. |
@@ -99,12 +101,35 @@ jobs:
 | `config_file` | No | `.github/workflow-config.json` | Path to workflow configuration file |
 | `additional_scan_params` | No | (empty) | Additional scanner-specific parameters (see below) |
 
+### Dependency Setup Inputs
+
+These inputs configure the build environment before FOSSA runs. See [SCA Setup Dependencies](../../../sca-setup-deps/README.md) for full documentation.
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `setup_actions` | No | `'["setup-java", "maven-settings"]'` | JSON array of setup steps to run |
+| `vault_secrets` | No | (empty) | Multiline Vault secret mappings (`secret/path KEY \| ENV_VAR`) |
+| `custom_setup_script` | No | (empty) | Bash script for build/install commands (e.g. `mvn clean install -DskipTests`, `npm ci`, `pip install -r requirements.txt`, `dotnet restore`) |
+| `java_version` | No | `"17"` | Java version |
+| `java_distribution` | No | `"temurin"` | Java distribution |
+| `node_version` | No | `"20"` | Node.js version |
+| `npm_registry_url` | No | `"https://npm.pkg.github.com"` | NPM registry URL |
+| `python_version` | No | `"3.10"` | Python version |
+| `uv_version` | No | latest | uv version to install |
+| `dotnet_versions` | No | `"6.0.x"` | .NET SDK versions |
+| `nuget_source_url` | No | (empty) | NuGet source URL to add |
+| `maven_settings_repositories` | No | (empty) | Maven repositories configuration (JSON) |
+| `maven_settings_servers` | No | (empty) | Maven servers configuration (JSON) |
+
 ## Secrets
 
 | Secret | Required | Description |
 |--------|----------|-------------|
 | `FOSSA_API_KEY` | Conditional | Required if `use_vault` is `false` |
-| `VAULT_ROLE` | No | Vault role for JWT authentication (defaults to `cicd-workflows-secret-read-role`) |
+| `VAULT_URL` | No | Vault URL (defaults to config file value) |
+| `VAULT_ROLE` | No | Vault role for JWT authentication (defaults to config file value) |
+| `NPM_AUTH_TOKEN` | No | Auth token for private NPM registry (defaults to `GITHUB_TOKEN`) |
+| `NUGET_AUTH_TOKEN` | No | Auth token for private NuGet feed (defaults to `GITHUB_TOKEN`) |
 
 ## Configuration File
 
@@ -178,6 +203,95 @@ additional_scan_params: |
 
 **See**: [FOSSA Scan Action](../../../.github/actions/sca/fossa-scan/README.md) for full parameter list
 
+## Dependency Setup
+
+Before FOSSA scans your project, the workflow runs the `sca-setup-deps` composite action to prepare the build environment so that all dependencies are resolvable. You control which setup steps run via the `setup_actions` JSON array.
+
+**Full documentation**: [SCA Setup Dependencies](../../../sca-setup-deps/README.md)
+
+### Java / Maven (Default)
+
+Maven setup runs by default with no extra configuration:
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      # setup_actions defaults to '["setup-java", "maven-settings"]'
+```
+
+### Node / NPM
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      setup_actions: '["setup-node", "npm-config"]'
+      node_version: "18"
+```
+
+### Python
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      setup_actions: '["setup-python", "python-install"]'
+      python_version: "3.11"
+```
+
+### .NET
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      setup_actions: '["setup-dotnet", "dotnet-nuget-config", "dotnet-restore"]'
+      dotnet_versions: "8.0.x"
+```
+
+### Custom Setup Script
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      setup_actions: '["setup-java", "maven-settings", "custom-script"]'
+      custom_setup_script: |
+        echo "Generating protobuf sources..."
+        mvn generate-sources -pl proto-module
+```
+
+### Retrieving Build Credentials from Vault
+
+Use `vault_secrets` to inject credentials needed for private registries or repositories:
+
+```yaml
+jobs:
+  sca-scan:
+    uses: SolaceDev/solace-public-workflows/.github/workflows/sca-scan-and-guard.yaml@main
+    with:
+      use_vault: true
+      setup_actions: '["setup-java", "maven-settings", "maven-build"]'
+      vault_secrets: |
+        secret/data/nexus USERNAME | NEXUS_USERNAME
+        secret/data/nexus PASSWORD | NEXUS_PASSWORD
+      maven_settings_servers: |
+        [{"id": "central", "username": "${env.NEXUS_USERNAME}", "password": "${env.NEXUS_PASSWORD}"}]
+```
+
+Alternatively, configure `secret_mappings` in your `workflow-config.json` to avoid passing `vault_secrets` each time. See [SCA Setup Dependencies](../../../sca-setup-deps/README.md#vault-secret-mappings) for details.
+
 ## Scan Contexts
 
 The workflow automatically detects the scan context:
@@ -388,6 +502,7 @@ jobs:
 
 ## Related Documentation
 
+- [SCA Setup Dependencies](../../../sca-setup-deps/README.md)
 - [Workflow Config Loader](../../../workflow-config-loader/README.md)
 - [SCA Scan Action](../../../.github/actions/sca/sca-scan/README.md)
 - [FOSSA Scan Action](../../../.github/actions/sca/fossa-scan/README.md)

diff --git a/.github/workflows/sca-scan-and-guard.yaml b/.github/workflows/sca-scan-and-guard.yaml
@@ -57,7 +57,13 @@ on:
         type: string
         default: ''
       custom_setup_script:
-        description: "Custom setup script to execute before scan"
+        description: |
+          Custom setup script to execute before scan. Use this to run build or install commands, e.g.:
+            mvn clean install -DskipTests
+            npm ci
+            pip install -r requirements.txt
+            uv export --format requirements-txt --no-dev --output-file requirements.txt
+            dotnet restore
         required: false
         type: string
         default: ''
@@ -68,43 +74,41 @@ on:
         required: false
         type: string
         default: "17"
+      java_distribution:
+        description: "Java distribution (default: 'temurin')"
+        required: false
+        type: string
+        default: ''
       node_version:
         description: "Node version"
         required: false
         type: string
         default: "20"
+      npm_registry_url:
+        description: "NPM registry URL (default: 'https://npm.pkg.github.com')"
+        required: false
+        type: string
+        default: ''
       python_version:
         description: "Python version"
         required: false
         type: string
         default: "3.10"
+      uv_version:
+        description: "uv version to install (default: latest)"
+        required: false
+        type: string
+        default: ''
       dotnet_versions:
         description: ".NET versions (e.g. 6.0.x)"
         required: false
         type: string
         default: "6.0.x"
-
-      # Build/Install Commands
-      maven_build_command:
-        description: "Maven build command"
-        required: false
-        type: string
-        default: "mvn clean install -DskipTests"
-      npm_install_command:
-        description: "NPM install command"
-        required: false
-        type: string
-        default: "npm install"
-      python_install_command:
-        description: "Python install command"
+      nuget_source_url:
+        description: "NuGet source URL to add"
         required: false
         type: string
-        default: "pip install -r requirements.txt"
-      dotnet_restore_command:
-        description: ".NET restore command"
-        required: false
-        type: string
-        default: "dotnet restore"
+        default: ''
 
       # Maven Configuration
       maven_settings_repositories:
@@ -128,6 +132,12 @@ on:
       VAULT_ROLE:
         description: 'Vault role for JWT authentication (optional - defaults to config file value)'
         required: false
+      NPM_AUTH_TOKEN:
+        description: 'NPM auth token for private registry access (defaults to GITHUB_TOKEN)'
+        required: false
+      NUGET_AUTH_TOKEN:
+        description: 'NuGet auth token for private feed access (defaults to GITHUB_TOKEN)'
+        required: false
 
 permissions:
   contents: read
@@ -362,21 +372,21 @@ jobs:
 
       - name: Setup SCA Dependencies
         id: setup_deps
-        uses: SolaceDev/solace-public-workflows/sca-setup-deps@main
+        uses: SolaceDev/solace-public-workflows/sca-setup-deps@sca_setup_guard_doc_updates
         with:
           setup_actions: ${{ inputs.setup_actions }}
           java_version: ${{ inputs.java_version }}
+          java_distribution: ${{ inputs.java_distribution }}
           maven_settings_repositories: ${{ inputs.maven_settings_repositories }}
           maven_settings_servers: ${{ inputs.maven_settings_servers }}
-          maven_build_command: ${{ inputs.maven_build_command }}
           node_version: ${{ inputs.node_version }}
-          npm_auth_token: ${{ secrets.GITHUB_TOKEN }}
-          npm_install_command: ${{ inputs.npm_install_command }}
+          npm_registry_url: ${{ inputs.npm_registry_url }}
+          npm_auth_token: ${{ secrets.NPM_AUTH_TOKEN != '' && secrets.NPM_AUTH_TOKEN || github.token }}
           python_version: ${{ inputs.python_version }}
-          python_install_command: ${{ inputs.python_install_command }}
+          uv_version: ${{ inputs.uv_version }}
           dotnet_versions: ${{ inputs.dotnet_versions }}
-          nuget_auth_token: ${{ secrets.GITHUB_TOKEN }}
-          dotnet_restore_command: ${{ inputs.dotnet_restore_command }}
+          nuget_source_url: ${{ inputs.nuget_source_url }}
+          nuget_auth_token: ${{ secrets.NUGET_AUTH_TOKEN != '' && secrets.NUGET_AUTH_TOKEN || github.token }}
           custom_setup_script: ${{ inputs.custom_setup_script }}
       - name: Validate FOSSA API Key
         id: fossa_key