Skip to content
Generate SBOM with OSV-Scanner and load into ScanCode.io

Generate SBOM with OSV-Scanner and load into ScanCode.io #2

Sign in to view logs

Generate SBOM with OSV-Scanner and load into ScanCode.io

Generate SBOM with OSV-Scanner and load into ScanCode.io #2

Workflow file for this run

.github/workflows/sca-integration-osv-scanner.yml at c7ecb48
name: Generate SBOM with OSV-Scanner and load into ScanCode.io
# This workflow:
# 1. Generates a CycloneDX SBOM for a container image using OSV-Scanner.
# 2. Uploads the SBOM as a GitHub artifact for future inspection.
# 3. Loads the SBOM into ScanCode.io for further analysis.
# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
#
# It runs on demand, and once a week (scheduled).
on:
workflow_dispatch:
schedule:
# Run once a week (every 7 days) at 00:00 UTC on Sunday
- cron: "0 0 * * 0"
permissions:
contents: read
env:
IMAGE_REFERENCE: "python:3.13.0-slim"
jobs:
generate-and-load-sbom:
runs-on: ubuntu-24.04
steps:
- name: Install OSV-Scanner
run: |
curl -sLO https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
chmod +x osv-scanner_linux_amd64
sudo mv osv-scanner_linux_amd64 /usr/local/bin/osv-scanner
- name: Run OSV Scanner
# Using `|| true` as OSV-Scanner exits with code 1 when vulnerabilities are found.
run: |
osv-scanner scan image ${{ env.IMAGE_REFERENCE }} \
--all-packages \
--format spdx-2-3 \
--output osv-sbom.spdx.json \
|| true
- name: Upload SBOM as GitHub Artifact
uses: actions/upload-artifact@v4
with:
name: osv-scanner-sbom-report
path: osv-sbom.spdx.json
retention-days: 20
- name: Import SBOM into ScanCode.io
uses: aboutcode-org/scancode-action@main
with:
pipelines: "load_sbom"
inputs-path: "osv-sbom.spdx.json"
scancodeio-repo-branch: "main"
- name: Verify SBOM Analysis Results in ScanCode.io
shell: bash
run: |
scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"