aboutcode-org · tdruez · Aug 28, 2025 · Aug 28, 2025 · Aug 28, 2025 · Aug 28, 2025
diff --git a/.github/workflows/sca-integration-vuls.yml b/.github/workflows/sca-integration-vuls.yml
@@ -0,0 +1,52 @@
+name: Generate SBOM with Vuls and load into ScanCode.io
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+env:
+#  IMAGE_REFERENCE: "alpine:3.17"
+  VULS_VERSION: "0.33.4"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install Vuls
+        run: |
+          curl -sL https://github.com/future-architect/vuls/releases/download/v${{ env.VULS_VERSION }}/vuls_${{ env.VULS_VERSION }}_linux_amd64.tar.gz \
+          | tar -xz
+          sudo mv vuls /usr/local/bin/vuls
+          mkdir -p $PWD/vuls/results
+
+      - name: Create Vuls config.toml
+        run: |
+          cat > vuls/config.toml <<EOF
+          [servers]
+          [servers.localhost]
+          host = "localhost"
+          port = "local"
+          user = "runner"
+          sudo = true
+          EOF
+
+      - name: Run Vuls configtest
+        run: vuls configtest -config ./vuls/config.toml
+
+      - name: Run Vuls scan
+        run: vuls scan -config ./vuls/config.toml -results-dir $PWD/vuls/results
+
+      - name: Run Vuls report as CycloneDX
+        run: vuls report -config ./vuls/config.toml -results-dir $PWD/vuls/results -format-cyclonedx-json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: results
+          path: vuls/results