feat(DATAGO-115000): add FOSSA SCA scanning for monorepo plugins #79
Merged
This change integrates FOSSA security and compliance scanning into the CI/CD pipeline with per-plugin scanning and shared labeling for organization.

## Changes

### GitHub Actions Workflow

- Added FOSSA SCA scan step after build/test phase
- Uses GitHub Secrets (secrets.FOSSA_API_KEY) for public repository
- Configured per-plugin scanning with fossa.project and fossa.path parameters
- Scans run on each plugin independently when changes are detected

### FOSSA Configuration

- Created root .fossa.yml for repository-level configuration
- Created individual .fossa.yml in each of the 16 plugin directories
- Each plugin scans as a separate FOSSA project (e.g., SolaceLabs_sam-slack)
- All plugins share 'solace-agent-mesh-core-plugins' label for grouping

### Benefits

- Independent dependency tracking per plugin
- Centralized compliance view via shared labels
- Efficient scanning using sparse checkout
- Automated security vulnerability detection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Added FOSSA Guard steps to enforce licensing and security policies in the CI/CD pipeline.

## Changes

- Added FOSSA Licensing Guard step
  - Blocks on license policy conflicts
  - Mode: BLOCK
- Added FOSSA Security Vulnerabilities Guard step
  - Blocks on critical and high severity vulnerabilities
  - Mode: BLOCK
  - Severity levels: critical, high
- Pinned GitHub Actions to commit SHAs for security
  - actions/[email protected] → @11bd71901bbe5b1630ceea73d27597364c9af683
  - actions/[email protected] → @8d9ed9ac5c53483de85588cdf95a591a75ab9f55
  - actions/[email protected] → @6f8efc29b200d32929f49075959781ed54ec270c
  - actions/[email protected] → @8558fd74291d67161a8a78ce36a881fa63b766a9

## Benefits

- Automated blocking on license violations
- Automated blocking on critical/high security vulnerabilities
- Improved supply chain security via SHA-pinned actions
- Consistent policy enforcement across all plugins

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
The SolaceDev/solace-public-workflows sca-scan action expects FOSSA_API_KEY to be passed as an environment variable, not just as an input parameter. This fixes the issue where the API key was empty during FOSSA scans.

Changes:
- Added env.FOSSA_API_KEY to sca-scan step
- Added env.FOSSA_API_KEY to both FOSSA Guard steps
- Kept fossa_api_key input for Guard actions (required by their interface)
Use fossa_api_key as input parameter (not environment variable) to match working examples from other repositories.

The SolaceDev/solace-public-workflows actions expect:

```yaml
with:
  fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
```

Not as env variable.
The issue was that ci.yaml wasn't passing FOSSA_API_KEY to the build-plugin.yaml reusable workflow.

Changes:
- Added FOSSA_API_KEY to build-plugin.yaml secrets definition (required: true)
- Added FOSSA_API_KEY to ci.yaml secrets passthrough

This is required for reusable workflows - secrets must be explicitly declared and passed.
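The secret wiring the commits above arrive at, shown as an added example rather than the repository's actual workflow files: the reusable workflow declares the secret under `workflow_call`, the caller passes it explicitly, and the step hands it to the scan action as the `fossa_api_key` input while third-party actions are pinned to commit SHAs. The `plugin` input, the workflow triggers, the sca-scan action path and every `<...>` pin are placeholders, not values from the page.

```yaml
# .github/workflows/build-plugin.yaml (reusable workflow)
# Example wiring, not the repository's actual file.
name: build-plugin
on:
  workflow_call:
    inputs:
      plugin:                 # placeholder input: the plugin directory to build, e.g. sam-slack
        required: true
        type: string
    secrets:
      FOSSA_API_KEY:          # declare it here so the caller can pass it explicitly
        required: true        # fail at dispatch time instead of scanning with an empty key

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA (placeholder below): a tag can be
      # moved to different code later, a commit cannot. Keep the tag in a comment for review.
      - uses: actions/checkout@<40-hex-commit-sha>   # vX.Y.Z
      # build/test steps for ${{ inputs.plugin }} go here
      - name: FOSSA SCA scan
        uses: SolaceDev/solace-public-workflows/<sca-scan-action-path>@<40-hex-commit-sha>   # path and pin are placeholders
        with:
          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}   # the action takes the key as an input, not from env

---
# .github/workflows/ci.yaml (caller)
# Example wiring, not the repository's actual file.
name: CI
on:
  pull_request:
  push:
    branches: [main]

jobs:
  sam-slack:
    uses: ./.github/workflows/build-plugin.yaml
    with:
      plugin: sam-slack
    secrets:
      # Explicit passthrough: without this line the reusable workflow receives no key and
      # the scan runs with an empty value. `secrets: inherit` would also work but exposes
      # every repository secret to the called workflow.
      FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
```

On a public repository, pull_request runs triggered from forks receive no secrets at all, so FOSSA_API_KEY is empty there by design; that is a separate condition from the missing passthrough these commits fix.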
antonysavio-sol approved these changes on Dec 22, 2025
lgh-solace approved these changes on Dec 23, 2025
Summary

Integrates FOSSA security and compliance analysis (SCA) scanning into the CI/CD pipeline with per-plugin scanning and shared labeling for organization.

Changes

🔧 GitHub Actions Workflow

Modified: .github/workflows/build-plugin.yaml
- Added FOSSA SCA scan step using the SolaceDev/solace-public-workflows action after the build/test phase
- Uses GitHub Secrets (secrets.FOSSA_API_KEY) for public repository
- Configured per-plugin scanning with fossa.project and fossa.path parameters

📋 FOSSA Configuration

Root configuration: .fossa.yml
- Project: SolaceLabs_solace-agent-mesh-core-plugins
- Labels: solaceai, repository, solace-agent-mesh-core-plugins

Per-plugin .fossa.yml files in all 16 plugin directories:
- sam-slack/.fossa.yml
- sam-mongodb/.fossa.yml
- sam-event-mesh-gateway/.fossa.yml
- sam-bedrock-agent/.fossa.yml
- sam-mermaid/.fossa.yml
- sam-rest-gateway/.fossa.yml
- sam-webhook-gateway/.fossa.yml
- sam-geo-information/.fossa.yml
- sam-sql-database/.fossa.yml
- sam-event-mesh-agent/.fossa.yml
- sam-event-mesh-tool/.fossa.yml
- sam-nuclia-tool/.fossa.yml
- sam-rag/.fossa.yml
- sam-ruleset-lookup-tool/.fossa.yml
- sam-slack-gateway-adapter/.fossa.yml
- sam-sql-database-tool/.fossa.yml

Each plugin scans as a separate FOSSA project (e.g., SolaceLabs_sam-slack). All plugins share the solace-agent-mesh-core-plugins label for grouping.

How It Works

- When a plugin directory changes (e.g., sam-slack/), the CI workflow triggers a scan for that plugin
- The scan uses that plugin's own .fossa.yml config

FOSSA Dashboard

In FOSSA, you can:
- Filter by the solace-agent-mesh-core-plugins label to see all 16 plugins together

Test Plan

- FOSSA_API_KEY is configured

🤖 Generated with Claude Code