Initial implementation of the scancode-action (#2)

Signed-off-by: Thomas Druez <[email protected]>

Author: tdruez

.github/workflows/scan-codebase.yml

@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-latest
+    name: Scan codebase with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "scan_codebase,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/

.github/workflows/scan-package.yml

@@ -0,0 +1,13 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-latest
+    name: Scan package with ScanCode.io
+    steps:
+      - name: Download repository archive to scancode-inputs/ directory
+        run: |
+          wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "scan_package"

.gitignore

@@ -0,0 +1,98 @@
+# Ignore node_modules, ncc is used to compile nodejs modules into a single file in the releases branch
+node_modules/
+__tests__/runner/*
+
+# Ignore js files that are transpiled from ts files in src/
+lib/
+
+# Rest of the file pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# Editor
+.idea

README.md

@@ -1,2 +1,140 @@
-# scancode-action
-Run ScanCode scan in your workflow
+# `@nexB/scancode-action`
+
+Run [ScanCode.io](https://github.com/nexB/scancode.io) pipelines from your Workflows.
+
+> [!IMPORTANT]
+> The scancode-action is currently in the **alpha stage**, and we invite you to 
+> contribute to its improvement. Please feel free to submit bug reports or share 
+> your ideas by creating new entries in the "Issues" section. 
+> Your collaboration helps us enhance the action and ensures a more stable and 
+> effective tool for the community. 
+> Thank you for your support!
+
+- [Usage](#usage)
+  - [Basic](#basic)
+  - [Inputs](#inputs)
+- [Examples](#examples)
+  - [Scan repo codebase](#scan-repo-codebase)
+  - [Run a specific pipeline](#run-a-specific-pipeline)
+  - [Run multiple pipelines](#run-multiple-pipelines)
+  - [Choose the output formats](#choose-the-output-formats)
+  - [Fetch pipelines inputs](#fetch-pipelines-inputs)
+  - [Define a custom project name](#define-a-custom-project-name)
+- [Where does the scan results go?](#where-does-the-scan-results-go)
+
+## Usage
+
+### Basic
+
+```yaml
+steps:
+- uses: actions/checkout@v4
+  with:
+    path: scancode-inputs
+- uses: nexB/scancode-action@alpha
+  with:
+    pipelines: "scan_codebase"
+    output-formats: "json xlsx spdx cyclonedx"
+```
+
+### Inputs
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    # Names of the pipelines (comma-separated) and in order.
+    # Default is 'scan_codebase'
+    pipelines:
+
+    # The list of output formats to generate.
+    # Default is 'json xlsx spdx cyclonedx'
+    output-formats:
+      
+    # Relative path within the $GITHUB_WORKSPACE for pipeline inputs.
+    # Default is 'scancode-inputs'
+    inputs-path:
+
+    # Name of the project.
+    # Default is 'scancode-action'
+    project-name:
+
+    # Python version that will be installed to run ScanCode.io
+    # Default is '3.11'
+    python-version:
+```
+
+## Examples
+
+### Scan repo codebase
+
+```yaml
+steps:
+- uses: actions/checkout@v4
+  with:
+    path: scancode-inputs
+- uses: nexB/scancode-action@alpha
+```
+
+### Run a specific pipeline
+
+[Built-in pipelines list](https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html)
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    pipelines: "scan_codebase"
+```
+
+### Run multiple pipelines
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    pipelines: "scan_codebase,find_vulnerabilities"
+  env:
+    VULNERABLECODE_URL: https://public.vulnerablecode.io/
+```
+
+#### Configuring `find_vulnerabilities` Pipeline
+
+The `find_vulnerabilities` pipeline requires access to a VulnerableCode instance, 
+which can be defined using the `VULNERABLECODE_URL` environment variable.
+
+In the example provided, a public instance is referenced. 
+However, you also have the option to run your own VulnerableCode instance. 
+For details on setting up and configuring your own instance, please refer to the 
+[VulnerableCode documentation](https://vulnerablecode.readthedocs.io/en/latest/index.html).
+
+### Choose the output formats
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    output-formats: "json xlsx spdx cyclonedx"
+```
+
+### Fetch pipelines inputs
+
+```yaml
+- name: Download repository archive to scancode-inputs/ directory
+  run: |
+    wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
+- uses: nexB/scancode-action@alpha
+  with:
+    pipelines: "scan_single_package"
+```
+
+### Define a custom project name
+
+```yaml
+- uses: nexB/scancode-action@alpha
+  with:
+    project-name: "my-project-name"
+```
+
+## Where are the Scan Results?
+
+Upon completion of the workflow, you can **find the scan results** in the dedicated 
+**artifacts section** at the bottom of the workflow summary page. 
+Look for a file named `scanpipe-outputs` in that section. 
+This file contains the outputs generated by the `scancode-action`.

action.yml

@@ -0,0 +1,83 @@
+name: "ScanCode action"
+description: "Run ScanCode.io pipelines in your workflows"
+inputs:
+  pipelines:
+    description: "Names of the pipelines (comma-separated) and in order."
+    default: "scan_codebase"
+  output-formats:
+    description: "Output formats"
+    default: "json xlsx spdx cyclonedx"
+  inputs-path:
+    description: "Relative path within the $GITHUB_WORKSPACE for pipeline inputs"
+    default: "${{ github.workspace }}/scancode-inputs"
+  project-name:
+    description: "Name of the project"
+    default: "scancode-action"
+  python-version:
+    description: "Python version"
+    default: "3.11"
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - name: Set up environment
+      shell: bash
+      run: |
+        echo "SECRET_KEY=$(openssl rand -base64 32)" >> $GITHUB_ENV
+        echo "SCANCODEIO_DB_ENGINE=django.db.backends.sqlite3" >> $GITHUB_ENV
+        echo "SCANCODEIO_DB_NAME=sqlite3.db" >> $GITHUB_ENV
+
+    - name: Install ScanCode.io
+      shell: bash
+      run: |
+        pip install scancodeio
+        scanpipe migrate
+
+    - name: Generate pipelines CLI arguments
+      shell: bash
+      run: |
+        IFS=',' read -ra PIPELINES <<< "${{ inputs.pipelines }}"
+        options=""
+        for pipeline in "${PIPELINES[@]}"; do
+          options+="--pipeline $pipeline "
+        done
+        echo "PIPELINE_CLI_ARGS=${options}" >> $GITHUB_ENV
+
+    - name: Create project with ${{ inputs.pipelines }} pipelines
+      shell: bash
+      run: |
+        scanpipe create-project ${{ inputs.project-name }} ${{ env.PIPELINE_CLI_ARGS }}
+
+    - name: Set project work directory in the environment
+      shell: bash
+      run: |
+        project_status=$(scanpipe status --project ${{ inputs.project-name }})
+        work_directory=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
+        echo "PROJECT_WORK_DIRECTORY=$work_directory" >> $GITHUB_ENV
+
+    - name: Copy input files to project work directory
+      shell: bash
+      run: cp -r ${{ inputs.inputs-path }}/* ${{ env.PROJECT_WORK_DIRECTORY }}/input/
+
+    - name: Run the pipelines
+      shell: bash
+      run: scanpipe execute --project ${{ inputs.project-name }} --no-color
+
+    - name: Generate outputs
+      id: scanpipe
+      shell: bash
+      run: scanpipe output 
+        --project ${{ inputs.project-name }} 
+        --format ${{ inputs.output-formats }} 
+        --no-color
+
+    - name: Upload outputs
+      uses: actions/upload-artifact@v4
+      id: artifact-upload-step
+      with:
+        name: scanpipe-outputs
+        path: ${{ env.PROJECT_WORK_DIRECTORY }}/output/*