Merge main and resolve conflicts

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/analyze-docker-image.yml

@@ -2,11 +2,17 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Analyze a Docker image with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Analyze a Docker image
     steps:
-      - uses: nexB/scancode-action@alpha
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
+      - uses: ./
         with:
           pipelines: "analyze_docker_image"
           input-urls:
-            https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar
+            https://github.com/aboutcode-org/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar

.github/workflows/find-vulnerabilities.yml

@@ -0,0 +1,24 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-24.04
+    name: Scan codebase and find vulnerabilities
+    steps:
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+      - uses: ./
+        with:
+          pipelines: "scan_codebase,find_vulnerabilities"
+          scancodeio-repo-branch: "main"
+          check-compliance: true
+          compliance-fail-on-vulnerabilities: true
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/

.github/workflows/map-deploy-to-develop.yml

@@ -2,14 +2,20 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Map deploy to develop with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Map deploy to develop
     steps:
-      - uses: nexB/scancode-action@alpha
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
+      - uses: ./
         with:
           pipelines: "map_deploy_to_develop"
           input-urls:
-            https://github.com/nexB/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
-            https://github.com/nexB/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
+            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
+            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
         env:
           PURLDB_URL: https://public.purldb.io/

.github/workflows/scan-codebase.yml

@@ -2,14 +2,20 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Scan codebase with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Scan codebase and check for compliance issues
     steps:
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
-      - uses: nexB/scancode-action@alpha
+      - uses: ./
         with:
-          pipelines: "scan_codebase,find_vulnerabilities"
-        env:
-          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+          pipelines: "scan_codebase"
+          check-compliance: true
+          compliance-fail-level: "WARNING"

.github/workflows/scan-single-package.yml

@@ -2,12 +2,17 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Scan package with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Scan a package archive
     steps:
-      - name: Download repository archive to scancode-inputs/ directory
-        run: |
-          wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
-      - uses: nexB/scancode-action@alpha
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
+      - uses: ./
         with:
           pipelines: "scan_single_package"
+          input-urls:
+            https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip

.gitignore

@@ -96,3 +96,6 @@ typings/
 
 # Editor
 .idea
+
+# Various junk and temp files
+.DS_Store

README.md

@@ -1,9 +1,10 @@
-# `@nexB/scancode-action`
+# `@aboutcode-org/scancode-action`
 
-Run [ScanCode.io](https://github.com/nexB/scancode.io) pipelines from your Workflows.
+Run [ScanCode.io](https://github.com/aboutcode-org/scancode.io) pipelines from your 
+Workflows.
 
 > [!IMPORTANT]
-> The scancode-action is currently in the **alpha stage**, and we invite you to 
+> The scancode-action is currently in the **beta stage**, and we invite you to 
 > contribute to its improvement. Please feel free to submit bug reports or share 
 > your ideas by creating new entries in the "Issues" section. 
 > Your collaboration helps us enhance the action and ensures a more stable and 
@@ -20,7 +21,9 @@ Run [ScanCode.io](https://github.com/nexB/scancode.io) pipelines from your Workf
   - [Choose the output formats](#choose-the-output-formats)
   - [Provide download URLs inputs](#provide-download-urls-inputs)
   - [Fetch pipelines inputs](#fetch-pipelines-inputs)
+  - [Check for compliance issues](#check-for-compliance-issues)
   - [Define a custom project name](#define-a-custom-project-name)
+  - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
 - [Where does the scan results go?](#where-does-the-scan-results-go)
 
 ## Usage
@@ -32,7 +35,7 @@ steps:
 - uses: actions/checkout@v4
   with:
     path: scancode-inputs
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     pipelines: "scan_codebase"
     output-formats: "json xlsx spdx cyclonedx"
@@ -41,7 +44,7 @@ steps:
 ### Inputs
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     # Names of the pipelines (comma-separated) and in order.
     # Default is 'scan_codebase'
@@ -66,15 +69,29 @@ steps:
     # Default is 'scancode-outputs'
     outputs-archive-name:
 
+    # Check for compliance issues in the project.
+    # Exits with a non-zero status if compliance issues are detected.
+    # Default is false
+    check-compliance:
+
+    # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
+    # Default is 'ERROR'
+    compliance-fail-level:
+      
+    # Exit with a non-zero status if known vulnerabilities are detected in discovered 
+    # packages and dependencies.
+    # Default is false
+    compliance-fail-on-vulnerabilities:
+
     # Python version that will be installed to run ScanCode.io
-    # Default is '3.11'
+    # Default is '3.12'
     python-version:
 ```
 
 ## Examples
 
-See https://github.com/nexB/scancode-action/tree/main/.github/workflows for Workflows
-examples.
+See https://github.com/aboutcode-org/scancode-action/tree/main/.github/workflows for 
+Workflows examples.
 
 ### Scan repo codebase
 
@@ -83,23 +100,23 @@ steps:
 - uses: actions/checkout@v4
   with:
     path: scancode-inputs
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
 ```
 
 ### Run a specific pipeline
 
 [Built-in pipelines list](https://scancodeio.readthedocs.io/en/latest/built-in-pipelines.html)
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     pipelines: "scan_codebase"
 ```
 
 ### Run multiple pipelines
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     pipelines: "scan_codebase,find_vulnerabilities"
   env:
@@ -116,18 +133,39 @@ However, you also have the option to run your own VulnerableCode instance.
 For details on setting up and configuring your own instance, please refer to the 
 [VulnerableCode documentation](https://vulnerablecode.readthedocs.io/en/latest/index.html).
 
+#### Fail on known vulnerabilities
+
+When enabled, the workflow will fail if any known vulnerabilities are found in the 
+project's discovered packages or dependencies.
+Activate this behavior by enabling `check-compliance` and setting 
+`compliance-fail-on-vulnerabilities` to true.
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    pipelines: "scan_codebase,find_vulnerabilities"
+    check-compliance: true
+    compliance-fail-on-vulnerabilities: true
+  env:
+    VULNERABLECODE_URL: https://public.vulnerablecode.io/
+```
+
 ### Choose the output formats
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     output-formats: "json xlsx spdx cyclonedx"
 ```
 
+> [!NOTE]
+> To specify a CycloneDX spec version (default to latest), use the syntax
+  ``cyclonedx:VERSION`` as format value. For example: ``cyclonedx:1.5``.
+
 ### Provide download URLs inputs
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     pipelines: "map_deploy_to_develop"
     input-urls:
@@ -141,19 +179,41 @@ For details on setting up and configuring your own instance, please refer to the
 - name: Download repository archive to scancode-inputs/ directory
   run: |
     wget --directory-prefix=scancode-inputs https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     pipelines: "scan_single_package"
 ```
 
+### Check for compliance issues
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    check-compliance: true
+    compliance-fail-level: "WARNING"
+```
+
+> [!NOTE]
+> This feature requires to provide Project policies. 
+> For details on setting up and configuring your own instance, please refer to the 
+> [ScanCode.io Policies documentation](https://scancodeio.readthedocs.io/en/latest/policies.html).
+
 ### Define a custom project name
 
 ```yaml
-- uses: nexB/scancode-action@alpha
+- uses: aboutcode-org/scancode-action@beta
   with:
     project-name: "my-project-name"
 ```
 
+### Install ScanCode.io from a repository branch
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    scancodeio-repo-branch: "main"
+```
+
 ## Where are the Scan Results?
 
 Upon completion of the workflow, you can **find the scan results** in the dedicated