[CRAVEX] SCA Integrations: OWASP dep-scan #16

	name: Generate SBOM with OWASP dep-scan and load into ScanCode.io

	on:
	workflow_dispatch:
	pull_request:
	push:
	branches:
	- main

	permissions:
	contents: read

	env:
	IMAGE_REFERENCE: "python:3.13.0-slim"
	# IMAGE_REFERENCE: "alpine:3.17.0"

	jobs:
	generate-and-load-sbom:
	runs-on: ubuntu-24.04
	steps:
	# - name: Prepare writable reports directory
	# run: mkdir -p reports && chmod 777 reports

	- name: Pull and save the Docker image
	run: \|
	docker pull ${{ env.IMAGE_REFERENCE }}
	docker save --output docker-image.tar ${{ env.IMAGE_REFERENCE }}

	- name: Install OWASP dep-scan
	run: \|
	sudo npm install -g @cyclonedx/cdxgen
	pip install owasp-depscan

	- name: Generate SBOM with OWASP dep-scan
	run: \|
	depscan \
	--src ${{ env.IMAGE_REFERENCE }} \
	--type docker \
	--reports-dir reports \
	--explain

	- name: Upload SBOM as GitHub Artifact
	uses: actions/upload-artifact@v4
	with:
	name: depscan-sbom
	path: reports/
	retention-days: 20

	- name: Uninstall dep-scan to avoid conflict in the Python env
	run: pip uninstall --yes owasp-depscan

	- name: Import SBOM into ScanCode.io
	uses: aboutcode-org/scancode-action@main
	with:
	pipelines: "load_sbom"
	inputs-path: "reports/sbom-docker.vdr.json"

	- name: Verify SBOM Analysis Results in ScanCode.io
	shell: bash
	run: \|
	scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150"

Provide feedback