1734 sca integrations cdxgen #8
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate SBOM with cdxgen and load into ScanCode.io | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| env: | |
| IMAGE_REFERENCE: "python:3.13.0-slim" | |
| jobs: | |
| generate-and-load-sbom: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Install CycloneDX cdxgen | |
| run: npm install @cyclonedx/cdxgen | |
| - name: Generate SBOM with CycloneDX cdxgen | |
| run: | | |
| npx cdxgen ${{ env.IMAGE_REFERENCE }} \ | |
| --type docker \ | |
| --output cdxgen-sbom.cdx.json \ | |
| --spec-version 1.6 \ | |
| --json-pretty | |
| - name: Upload SBOM as GitHub Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cdxgen-sbom | |
| path: "cdxgen-sbom.cdx.json" | |
| retention-days: 20 | |
| - name: Import SBOM into ScanCode.io | |
| uses: aboutcode-org/scancode-action@main | |
| with: | |
| pipelines: "load_sbom" | |
| inputs-path: "cdxgen-sbom.cdx.json" | |
| - name: Verify SBOM Analysis Results in ScanCode.io | |
| shell: bash | |
| run: | | |
| scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" |