
1734 sca integrations cdxgen #2


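# Generate a CycloneDX SBOM for a container image with cdxgen and publish it
# as a workflow artifact. The ScanCode.io import and verification steps are
# kept commented out below (as in the original) until that integration is
# wired up.
name: Generate SBOM with cdxgen and load into ScanCode.io

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Least privilege: the job only needs to read the repository and upload an
# artifact, so a read-only GITHUB_TOKEN is sufficient.
permissions:
  contents: read

env:
  # Image the SBOM is generated for. NOTE(review): a tag is mutable, so the
  # SBOM is not reproducible across runs; pin by digest (`name@sha256:...`)
  # when a stable, attestable result is required.
  # IMAGE_REFERENCE: "python:3.13.0-slim"
  IMAGE_REFERENCE: "alpine:3.17.0"

jobs:
  generate-and-load-sbom:
    runs-on: ubuntu-24.04
    steps:
      # NOTE(review): third-party actions are pinned to a major tag only; for
      # supply-chain hardening pin each `uses:` to a full commit SHA.
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # Install globally so `cdxgen` is on PATH for the next step: a plain
      # `npm install` only populates ./node_modules/.bin, which the runner's
      # shell does not search. Pin an exact `@<version>` once one is chosen so
      # a compromised or breaking release cannot silently change the SBOM.
      - name: Install CycloneDX cdxgen
        run: npm install -g @cyclonedx/cdxgen

      # The image reference is read from the shell environment rather than
      # spliced in with `${{ env.* }}`: expression interpolation rewrites the
      # script text before it runs (the script-injection pattern), whereas
      # `"$IMAGE_REFERENCE"` is an ordinary quoted shell variable. `--output`
      # is the documented long form; the single-dash `-output` spelling is
      # parser-dependent and was most likely a typo.
      - name: Generate SBOM with CycloneDX cdxgen
        run: >-
          cdxgen "$IMAGE_REFERENCE"
          --type docker
          --output cdxgen-sbom.cdx.json
          --profile license-compliance
          --json-pretty

      - name: Upload SBOM as GitHub Artifact
        uses: actions/upload-artifact@v4
        with:
          name: cdxgen-sbom
          path: "cdxgen-sbom.cdx.json"
          retention-days: 20

      # Disabled pending the ScanCode.io integration. NOTE(review): when this
      # is enabled, do not reference `@main` — that is a mutable branch, so the
      # step would run whatever code lands there; pin a release tag or SHA.
      # - name: Import SBOM into ScanCode.io
      #   uses: aboutcode-org/scancode-action@main
      #   with:
      #     pipelines: "load_sbom"
      #     inputs-path: "cdxgen-sbom.cdx.json"
      #
      # The thresholds below are hard-coded for one particular image and will
      # need adjusting whenever IMAGE_REFERENCE changes.
      # - name: Verify SBOM Analysis Results in ScanCode.io
      #   shell: bash
      #   run: |
      #     scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220"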