Add GH workflow to generate SBOM with OSV-Scanner #1730

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/sca-integration-osv.yml

@@ -0,0 +1,54 @@
+name: Generate SBOM with OSV-Scanner and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using OSV-Scanner.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+# https://google.github.io/osv-scanner/github-action/#github-action
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate CycloneDX SBOM with OSV-Scanner
+        uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+        with:
+          scan-args: image ${{ env.IMAGE_REFERENCE }}
+
+#      - name: Upload SBOM as GitHub Artifact
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: osv-sbom-report
+#          path: "osv-grype-sbom.cdx.json"
+#          retention-days: 20
+#
+#      - name: Import SBOM into ScanCode.io
+#        uses: aboutcode-org/scancode-action@main
+#        with:
+#          pipelines: "load_sbom"
+#          inputs-path: "osv-grype-sbom.cdx.json"
+#
+#      - name: Verify SBOM Analysis Results in ScanCode.io
+#        shell: bash
+#        run: |
+#          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220"