find-vulnerabilities.yml

name: Find dependencies vulnerabilities

on: [push]

jobs:
  scan-codebase:
    runs-on: ubuntu-24.04
    name: Inspect packages with ScanCode.io
    steps:
      - uses: actions/checkout@v4
        with:
          path: scancode-inputs
          sparse-checkout: setup.cfg
          sparse-checkout-cone-mode: false

      - uses: nexB/scancode-action@alpha
        with:
          pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
        env:
          VULNERABLECODE_URL: https://public.vulnerablecode.io/

      - name: Fail in case of vulnerabilities
        shell: bash
        run: |
          scanpipe shell --command '
          from scanpipe.models import Project
          project = Project.objects.get()
          packages_qs = project.discoveredpackages.vulnerable()
          dependencies_qs = project.discovereddependencies.vulnerable()
          vulnerability_count = packages_qs.count() + dependencies_qs.count()
          if vulnerability_count:
              print(vulnerability_count, "vulnerabilities found:")
              for entry in [*packages_qs, *dependencies_qs]:
                  print(entry)
              exit(1)
          else:
              print("No vulnerabilities found")
              exit(0)
          '