Add a "Find dependencies vulnerabilities" workflow based on scancode-action

tdruez · tdruez · commit 60bd23459ab9 · 2025-02-19T10:16:43.000-10:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
@@ -0,0 +1,19 @@
+name: Find dependencies vulnerabilities
+
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-24.04
+    name: Inspect packages with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          sparse-checkout: setup.cfg
+          sparse-checkout-cone-mode: false
+
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/
