Add "Find vulnerabilities" workflow based on scancode-action (#267)

tdruez · web-flow · commit 4e3b875aae12 · 2025-02-19T11:11:35.000-10:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
@@ -0,0 +1,39 @@
+name: Find dependencies vulnerabilities
+
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-24.04
+    name: Inspect packages with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+          sparse-checkout: setup.cfg
+          sparse-checkout-cone-mode: false
+
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+
+      - name: Fail in case of vulnerabilities
+        shell: bash
+        run: |
+          scanpipe shell --command '
+          from scanpipe.models import Project
+          project = Project.objects.get()
+          packages_qs = project.discoveredpackages.vulnerable()
+          dependencies_qs = project.discovereddependencies.vulnerable()
+          vulnerability_count = packages_qs.count() + dependencies_qs.count()
+          if vulnerability_count:
+              print(vulnerability_count, "vulnerabilities found:")
+              for entry in [*packages_qs, *dependencies_qs]:
+                  print(entry)
+              exit(1)
+          else:
+              print("No vulnerabilities found")
+              exit(0)
+          '
