Add a "Check compliance" step and related options #12

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/find-vulnerabilities.yml

@@ -0,0 +1,15 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-22.04
+    name: Scan codebase with ScanCode.io
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: scancode-inputs
+      - uses: nexB/scancode-action@alpha
+        with:
+          pipelines: "scan_codebase,find_vulnerabilities"
+        env:
+          VULNERABLECODE_URL: https://public.vulnerablecode.io/

.github/workflows/scan-codebase.yml

@@ -2,14 +2,13 @@ on: [push]
 
 jobs:
   scan-codebase:
-    runs-on: ubuntu-22.04
-    name: Scan codebase with ScanCode.io
+    runs-on: ubuntu-24.04
+    name: Scan codebase and check for compliance issues
     steps:
       - uses: actions/checkout@v4
         with:
           path: scancode-inputs
       - uses: nexB/scancode-action@alpha
         with:
-          pipelines: "scan_codebase,find_vulnerabilities"
-        env:
-          VULNERABLECODE_URL: https://public.vulnerablecode.io/
+          pipelines: "scan_codebase"
+          check-compliance: true

README.md

@@ -67,6 +67,15 @@ steps:
     # Default is 'scancode-outputs'
     outputs-archive-name:
 
+    # Check for compliance issues in the project.
+    # Exits with a non-zero status if compliance issues are detected.
+    # Default is false
+    check-compliance:
+
+    # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
+    # Default is 'ERROR'
+    compliance-fail-level:
+
     # Python version that will be installed to run ScanCode.io
     # Default is '3.11'
     python-version:
@@ -79,6 +88,8 @@ Workflows examples.
 
 ### Scan repo codebase
 
+TODO: Why, file only!
+
 ```yaml
 steps:
 - uses: actions/checkout@v4

action.yml

@@ -11,17 +11,25 @@ inputs:
     description: "Relative path within the $GITHUB_WORKSPACE for pipeline inputs"
     default: "${{ github.workspace }}/scancode-inputs"
   input-urls:
-    description: 'Provide one or more URLs to download for the pipeline run execution'
+    description: "Provide one or more URLs to download for the pipeline run execution."
     required: false
     default: ""
   project-name:
-    description: "Name of the project"
+    description: "Name of the project."
     default: "scancode-action"
   outputs-archive-name:
-    description: "Name of the outputs archive"
+    description: "Name of the outputs archive."
     default: "scancode-outputs"
+  check-compliance:
+    description: |
+      Check for compliance issues in the project.
+      Exits with a non-zero status if compliance issues are detected.
+  compliance-fail-level:
+    description: "Failure level for compliance check. Options: ERROR, WARNING, MISSING."
+    default: "ERROR"
+    required: false
   python-version:
-    description: "Python version"
+    description: "Python version."
     default: "3.11"
 
 runs:
@@ -107,6 +115,14 @@ runs:
         --format ${{ inputs.output-formats }} 
         --no-color
 
+    - name: Check compliance
+      if: inputs.check-compliance == 'true'
+      shell: bash
+      run: scanpipe check-compliance
+        --project ${{ inputs.project-name }}
+        --fail-level ${{ inputs.compliance-fail-level }}
+        --no-color
+
     - name: Upload outputs
       uses: actions/upload-artifact@v4
       id: artifact-upload-step