Merge branch 'main' into django-htmx

Author: tdruez

.github/workflows/sca-integration-anchore.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 3200
+  EXPECTED_VULNERABLE_PACKAGE: 40
+  EXPECTED_DEPENDENCY: 220
 
 jobs:
   generate-and-load-sbom:
@@ -44,8 +47,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "anchore-grype-sbom.cdx.json"
+          scancodeio-repo-branch: "main"
 
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-cdxgen.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 340
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 0
 
 jobs:
   generate-and-load-sbom:
@@ -47,8 +50,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "cdxgen-sbom.cdx.json"
+          scancodeio-repo-branch: "main"
 
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-cyclonedx-gomod.yml

@@ -0,0 +1,62 @@
+name: Generate SBOM with cyclonedx-gomod and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using cyclonedx-gomod.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+  pull_request:
+
+permissions:
+  contents: read
+
+env:
+  EXPECTED_PACKAGE: 5
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 1
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout minimal Go repo
+        uses: actions/checkout@v4
+        with:
+          repository: opencontainers/runc
+
+      - name: Generate SBOM with cyclonedx-gomod
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          version: v1
+          args: mod -licenses -json -output gomod-sbom.cdx.json
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-report
+          path: "gomod-sbom.cdx.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "gomod-sbom.cdx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-depscan.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 220
+  EXPECTED_VULNERABLE_PACKAGE: 10
+  EXPECTED_DEPENDENCY: 150
 
 jobs:
   generate-and-load-sbom:
@@ -52,8 +55,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "reports/sbom-docker.vdr.json"
+          scancodeio-repo-branch: "main"
 
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-ort.yml

@@ -13,14 +13,15 @@ on:
   schedule:
     # Run once a week (every 7 days) at 00:00 UTC on Sunday
     - cron: "0 0 * * 0"
-  pull_request:
-  push:
-    branches:
-      - main
 
 permissions:
   contents: read
 
+env:
+  EXPECTED_PACKAGE: 5
+  EXPECTED_VULNERABLE_PACKAGE: 1
+  EXPECTED_DEPENDENCY: 1
+
 jobs:
   generate-and-load-sbom:
     runs-on: ubuntu-24.04
@@ -47,4 +48,8 @@ jobs:
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-osv-scanner.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 100
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 90
 
 jobs:
   generate-and-load-sbom:
@@ -56,4 +59,8 @@ jobs:
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-sbom-tool.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 90
+  EXPECTED_VULNERABLE_PACKAGE: 0
+  EXPECTED_DEPENDENCY: 90
 
 jobs:
   generate-and-load-sbom:
@@ -57,4 +60,8 @@ jobs:
     - name: Verify SBOM Analysis Results in ScanCode.io
       shell: bash
       run: |
-        scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90"
+        scanpipe verify-project \
+          --project scancode-action \
+          --packages ${{ env.EXPECTED_PACKAGE }} \
+          --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+          --dependencies ${{ env.EXPECTED_DEPENDENCY }}

.github/workflows/sca-integration-trivy.yml

@@ -19,6 +19,9 @@ permissions:
 
 env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
+  EXPECTED_PACKAGE: 90
+  EXPECTED_VULNERABLE_PACKAGE: 40
+  EXPECTED_DEPENDENCY: 190
 
 jobs:
   generate-and-load-sbom:
@@ -46,8 +49,13 @@ jobs:
         with:
           pipelines: "load_sbom"
           inputs-path: "trivy-report.sbom.json"
+          scancodeio-repo-branch: "main"
 
       - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
+          scanpipe verify-project \
+            --project scancode-action \
+            --packages ${{ env.EXPECTED_PACKAGE }} \
+            --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
+            --dependencies ${{ env.EXPECTED_DEPENDENCY }}

CHANGELOG.rst

@@ -1,7 +1,13 @@
 Changelog
 =========
 
-v35.4.0 (unreleased)
+v35.4.1 (unreleased)
+--------------------
+
+- Add ability to download all output results formats as a zipfile for a given project.
+  https://github.com/aboutcode-org/scancode.io/issues/1880
+
+v35.4.0 (2025-09-30)
 --------------------
 
 - Use deterministic UID/GID in Dockerfile.

Makefile

@@ -58,6 +58,11 @@ dev: virtualenv
 	@echo "-> Configure and install development dependencies"
 	@${ACTIVATE} pip install ${PIP_ARGS} --editable .[dev]
 
+dev-mining: virtualenv
+	@echo "-> Configure and install development dependencies"
+	@$(MAKE) dev
+	@${ACTIVATE} pip install ${PIP_ARGS} --editable .[mining]
+
 envfile:
 	@echo "-> Create the .env file and generate a secret key"
 	@if test -f ${ENV_FILE}; then echo ".env file exists already"; exit 1; fi