Add a "Check compliance" step and related options #12 (#13)

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/find-vulnerabilities.yml

@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-22.04
+    name: Scan codebase with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "scan_codebase,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/

.github/workflows/scan-codebase.yml

@@ -2,14 +2,15 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Scan codebase with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Scan codebase and check for compliance issues
     steps:
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
-      - uses: nexB/scancode-action@alpha
+      - name: Run scancode-action from current branch
+        uses: ./scancode-inputs
         with:
-          pipelines: "scan_codebase,find_vulnerabilities"
-        env:
-          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+          pipelines: "scan_codebase"
+          check-compliance: true
+          compliance-fail-level: "WARNING"

README.md

@@ -21,6 +21,7 @@ Workflows.
   - [Choose the output formats](#choose-the-output-formats)
   - [Provide download URLs inputs](#provide-download-urls-inputs)
   - [Fetch pipelines inputs](#fetch-pipelines-inputs)
+  - [Check for compliance issues](#check-for-compliance-issues)
   - [Define a custom project name](#define-a-custom-project-name)
   - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
 - [Where does the scan results go?](#where-does-the-scan-results-go)
@@ -68,6 +69,15 @@ steps:
     # Default is 'scancode-outputs'
     outputs-archive-name:
 
+    # Check for compliance issues in the project.
+    # Exits with a non-zero status if compliance issues are detected.
+    # Default is false
+    check-compliance:
+
+    # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
+    # Default is 'ERROR'
+    compliance-fail-level:
+
     # Python version that will be installed to run ScanCode.io
     # Default is '3.11'
     python-version:
@@ -152,6 +162,20 @@ For details on setting up and configuring your own instance, please refer to the
     pipelines: "scan_single_package"
 ```
 
+### Check for compliance issues
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    check-compliance: true
+    compliance-fail-level: "WARNING"
+```
+
+> [!NOTE]
+> This feature requires to provide Project policies. 
+> For details on setting up and configuring your own instance, please refer to the 
+> [ScanCode.io Policies documentation](https://scancodeio.readthedocs.io/en/latest/policies.html).
+
 ### Define a custom project name
 
 ```yaml

action.yml

@@ -11,17 +11,25 @@ inputs:
     description: "Relative path within the $GITHUB_WORKSPACE for pipeline inputs"
     default: "${{ github.workspace }}/scancode-inputs"
   input-urls:
-    description: 'Provide one or more URLs to download for the pipeline run execution'
+    description: "Provide one or more URLs to download for the pipeline run execution."
     required: false
     default: ""
   project-name:
-    description: "Name of the project"
+    description: "Name of the project."
     default: "scancode-action"
   outputs-archive-name:
-    description: "Name of the outputs archive"
+    description: "Name of the outputs archive."
     default: "scancode-outputs"
+  check-compliance:
+    description: |
+      Check for compliance issues in the project.
+      Exits with a non-zero status if compliance issues are detected.
+  compliance-fail-level:
+    description: "Failure level for compliance check. Options: ERROR, WARNING, MISSING."
+    default: "ERROR"
+    required: false
   python-version:
-    description: "Python version"
+    description: "Python version."
     default: "3.11"
   scancodeio-repo-branch:
     description: "Branch to install ScanCode.io from the GitHub repository (optional)"
@@ -64,7 +72,7 @@ runs:
 
     - name: Run migrations to prepare the database
       shell: bash
-      run: scanpipe migrate
+      run: scanpipe migrate --verbosity 0
 
     - name: Generate `--pipeline` CLI arguments
       shell: bash
@@ -117,8 +125,14 @@ runs:
       shell: bash
       run: scanpipe output
         --project ${{ inputs.project-name }} 
-        --format ${{ inputs.output-formats }} 
-        --no-color
+        --format ${{ inputs.output-formats }}
+
+    - name: Check compliance
+      if: inputs.check-compliance == 'true'
+      shell: bash
+      run: scanpipe check-compliance
+        --project ${{ inputs.project-name }}
+        --fail-level ${{ inputs.compliance-fail-level }}
 
     - name: Upload outputs
       uses: actions/upload-artifact@v4