Import SBOM into ScanCode.io

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/sca-integration-ort.yml

@@ -1,5 +1,13 @@
 name: Generate SBOM with ORT and load into ScanCode.io
 
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a requirement file using ORT.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
 on:
   workflow_dispatch:
   pull_request:
@@ -28,3 +36,15 @@ jobs:
 
       - name: Run GitHub Action for ORT
         uses: oss-review-toolkit/ort-ci-github-action@v1
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; print(package_manager.count()); print(package_manager.vulnerable().count()); print(DiscoveredDependency.objects.count())"