feat(DATAGO-115000): add FOSSA SCA scanning for monorepo plugins

.fossa.yml

@@ -0,0 +1,25 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_solace-agent-mesh-core-plugins
+  id: SolaceLabs_solace-agent-mesh-core-plugins
+  name: solace-agent-mesh-core-plugins
+  labels:
+    - solaceai
+    - repository
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+  licenseScanPathFilters:
+    exclude:
+      - "./.github"
+
+paths:
+  exclude:
+    - ./.github
+
+telemetry:
+  scope: full

.github/workflows/build-plugin.yaml

@@ -10,6 +10,8 @@ on:
     secrets:
       COMMIT_KEY:
         required: true
+      FOSSA_API_KEY:
+        required: true
   workflow_dispatch:
     inputs:
       plugin_directory:
@@ -40,16 +42,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           sparse-checkout: ${{ inputs.plugin_directory }}
+
       - name: Set up Python
-        uses: actions/[email protected]
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.12"
       - name: Cache pip
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
@@ -80,3 +83,40 @@ jobs:
           hatch build
           ls dist/*.tar.gz | xargs -n1 hatch run python -m twine check
           ls dist/*.whl | xargs -n1 hatch run python -m twine check
+
+      - name: sca-scan
+        uses: SolaceDev/solace-public-workflows/.github/actions/sca/sca-scan@main
+        with:
+          scanners: "fossa"
+          additional_scan_params: |
+            fossa.branch=${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+            fossa.revision=${{ github.event.pull_request.number && github.head_ref || github.sha }}
+            fossa.config=${{ inputs.plugin_directory }}/.fossa.yml
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+
+
+      - name: FOSSA Licensing
+        id: fossa_licensing
+        if: ${{ always() }}
+        uses: SolaceDev/solace-public-workflows/.github/actions/fossa-guard@main
+        with:
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+          fossa_project_id: "${{ github.repository_owner }}_${{ inputs.plugin_directory }}"
+          fossa_branch: ${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+          fossa_revision: ${{ github.event.pull_request.number && github.head_ref || github.sha }}
+          fossa_category: licensing
+          fossa_mode: BLOCK
+          block_on: policy_conflict
+
+      - name: FOSSA Security Vulnerabilities
+        id: fossa_vulnerabilities
+        if: ${{ always() }}
+        uses: SolaceDev/solace-public-workflows/.github/actions/fossa-guard@main
+        with:
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+          fossa_project_id: "${{ github.repository_owner }}_${{ inputs.plugin_directory }}"
+          fossa_branch: ${{ github.event.pull_request.number && 'PR' || github.event.repository.default_branch }}
+          fossa_revision: ${{ github.event.pull_request.number && github.head_ref || github.sha }}
+          fossa_category: vulnerability
+          fossa_mode: BLOCK
+          block_on: critical,high

.github/workflows/ci.yaml

@@ -17,14 +17,14 @@ jobs:
       all_plugins: ${{ steps.format-labels.outputs.all-plugins }}
     steps:
       - name: Checkout code
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Lable PR based on changes
         id: label-pr
         if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/labeler@v5
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           sync-labels: true
@@ -67,3 +67,4 @@ jobs:
       plugin_directory: ${{matrix.plugin_directory}}
     secrets:
       COMMIT_KEY: ${{ secrets.COMMIT_KEY }}
+      FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}

sam-bedrock-agent/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-bedrock-agent
+  id: SolaceLabs_sam-bedrock-agent
+  name: sam-bedrock-agent
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-event-mesh-agent/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-event-mesh-agent
+  id: SolaceLabs_sam-event-mesh-agent
+  name: sam-event-mesh-agent
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-event-mesh-gateway/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-event-mesh-gateway
+  id: SolaceLabs_sam-event-mesh-gateway
+  name: sam-event-mesh-gateway
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-event-mesh-tool/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-event-mesh-tool
+  id: SolaceLabs_sam-event-mesh-tool
+  name: sam-event-mesh-tool
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-geo-information/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-geo-information
+  id: SolaceLabs_sam-geo-information
+  name: sam-geo-information
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-mermaid/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-mermaid
+  id: SolaceLabs_sam-mermaid
+  name: sam-mermaid
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-mongodb/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-mongodb
+  id: SolaceLabs_sam-mongodb
+  name: sam-mongodb
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-nuclia-tool/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-nuclia-tool
+  id: SolaceLabs_sam-nuclia-tool
+  name: sam-nuclia-tool
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-rag/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-rag
+  id: SolaceLabs_sam-rag
+  name: sam-rag
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-rest-gateway/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-rest-gateway
+  id: SolaceLabs_sam-rest-gateway
+  name: sam-rest-gateway
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-ruleset-lookup-tool/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-ruleset-lookup-tool
+  id: SolaceLabs_sam-ruleset-lookup-tool
+  name: sam-ruleset-lookup-tool
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-slack-gateway-adapter/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-slack-gateway-adapter
+  id: SolaceLabs_sam-slack-gateway-adapter
+  name: sam-slack-gateway-adapter
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-slack/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-slack
+  id: SolaceLabs_sam-slack
+  name: sam-slack
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-sql-database-tool/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-sql-database-tool
+  id: SolaceLabs_sam-sql-database-tool
+  name: sam-sql-database-tool
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full

sam-sql-database/.fossa.yml

@@ -0,0 +1,17 @@
+# Configuration used for fossa scan
+version: 3
+
+project:
+  locator: SolaceLabs_sam-sql-database
+  id: SolaceLabs_sam-sql-database
+  name: sam-sql-database
+  labels:
+    - solaceai
+    - solace-agent-mesh-core-plugins
+
+vendoredDependencies:
+  forceRescans: false
+  scanMethod: CLILicenseScan
+
+telemetry:
+  scope: full