aboutcode-org
diff --git a/‎.github/workflows/sca-integration-cdxgen.yml‎
Lines changed: 54 additions & 0 deletions b/‎.github/workflows/sca-integration-cdxgen.yml‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎docs/faq.rst‎
Lines changed: 17 additions & 0 deletions b/‎docs/faq.rst‎
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,54 @@
+name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using CycloneDX cdxgen.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install CycloneDX cdxgen
+        run: npm install @cyclonedx/cdxgen
+
+      - name: Generate SBOM with CycloneDX cdxgen
+        run: |
+          npx cdxgen ${{ env.IMAGE_REFERENCE }} \
+            --type docker \
+            --output cdxgen-sbom.cdx.json \
+            --spec-version 1.6 \
+            --json-pretty
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: cdxgen-sbom
+          path: "cdxgen-sbom.cdx.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "cdxgen-sbom.cdx.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"
@@ -363,3 +363,20 @@ The input to ScanCode is a local saved image: Docker or OCI.
 Docker in Docker support will demand to have access to the saved images
 (either extracted from the Docker images in Docker, or mounted in a volume or saved
 from the Docker in the Docker image). Once saved we can analyze these alright.
+
+Can I import SBOM from other SCA tools?
+---------------------------------------
+
+Yes! You can load SBOMs generated by other tools for further review and run
+pipelines to enrich or validate the data directly in ScanCode.io.
+
+While most valid SBOMs should work out of the box, SBOMs from the following tools
+are actively supported and tested::
+
+  - Anchore: https://anchore.com/sbom/
+  - CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
+  - Trivy: https://trivy.dev/latest/
+
+.. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
+   You can use the ``load-sbom`` pipeline to process and enhance these SBOMs in your
+   ScanCode.io projects.