SCP-121 Updates README.md #20

Merged
merged 1 commit into from
Feb 2, 2024
51 changes: 28 additions & 23 deletions README.md
Expand Up @@ -5,14 +5,14 @@
[![Check dist/](https://github.com/scanoss/actions-scan/actions/workflows/check-dist.yml/badge.svg)](https://github.com/scanoss/actions-scan/actions/workflows/check-dist.yml)
[![CodeQL](https://github.com/scanoss/actions-scan/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/scanoss/actions-scan/actions/workflows/codeql-analysis.yml)

The SCANOSS Scan Action enhances your software development workflow by automatically scanning for security
vulnerabilities and license compliance issues.
The SCANOSS Scan Action enhances your software development process by automatically scanning your code for security
vulnerabilities and license compliance with configurable policies.

![JOB Summary](./.github/assets/img_job_summary.jpg)

## Usage

To begin using this action, you'll need to set up a basic GitHub workflow and define a JOB within it:
To begin using this action, you'll need to set up a basic GitHub workflow and define a job within it:

```yaml
name: Example Workflow with SCANOSS
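Review bot: the rewritten summary, "scanning your code for security vulnerabilities and license compliance with configurable policies", now reads as though only the license-compliance part is policy-driven, and dropping "issues" leaves "scanning for ... license compliance" grammatically off. Suggest: "automatically scanning your code for security vulnerabilities and license compliance issues, with configurable policies that decide when a check fails." The JOB -> job change in the Usage sentence is fine.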
Expand Down Expand Up @@ -48,18 +48,17 @@ For example workflow runs, check out the

### Action Input Parameters

| **Parameter** | **Description** | **Required** | **Default** |
|--------------------------|-----------------------------------------------------------------------|--------------|-------------------------------------|
| github.token | Your GitHub token | Optional | `${{ github.token }}` |
| output.filepath | Output result file name. | Optional | `results.json` |
| sbom.enabled | Enable or disable scanning based on the SBOM file | Optional | `true` |
| sbom.filepath | Filepath of the SBOM file to be used for scanning | Optional | `sbom.json` |
| sbom.type | Type of SBOM operation: either 'identify' or 'ignore | Optional | `identify` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `true` |
| policies | List of policies separated by commas, such as "copyleft, undeclared". | Optional | `true` |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key token | Optional | - |
| **Parameter** | **Description** | **Required** | **Default** |
|--------------------------|------------------------------------------------------------------------------------|--------------|-------------------------------------|
| output.filepath | Scan output file name. | Optional | `results.json` |
| sbom.enabled | Enable or disable scanning based on the SBOM file | Optional | `true` |
| sbom.filepath | Filepath of the SBOM file to be used for scanning | Optional | `sbom.json` |
| sbom.type | Type of SBOM operation: either 'identify' or 'ignore | Optional | `identify` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `true` |
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | `true` |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key token | Optional | - |

### Action Output Parameters

Expand All @@ -73,8 +72,13 @@ the output into your custom workflow

## Policy Checks (wip)

Once the workflow is set up, the SCANOSS Scan action will execute checks using some "out of the box" policies. The
workflow will fail if any of the policies are not met.
The SCANOSS Scan action includes two configurable policies:

1. Copyleft: This policy checks if any component or code snippet is associated with a copyleft license. If such a
license is detected, the pull request (PR) is rejected.

2. Undeclared: This policy compares the components detected in the repository against those declared in an sbom.json
file (customizable through the sbom.filepath parameter). If there are undeclared components, the PR is rejected.

In this scenario, a classic policy is executed that will fail if copyleft licenses are found within the results:

Expand Down Expand Up @@ -114,14 +118,15 @@ jobs:
id: scanoss-scan-action
uses: scanoss/actions-scan@main
with:
github.token: ${{ secrets.GITHUB_TOKEN }}
policies: copyleft, undeclared #NOTE: undeclared policy requires a sbom.json in the project root
dependencies.enabled: true
# api-url: <YOUR_API_URL>
# api-key: <YOUR_API_KEY>
dependencies.enabled: true

- name: Print stdout scan command
run: echo "${{ steps.scanoss-scan-action.outputs.stdout-scan-command }}"

- name: Print Results
run: cat "${{ steps.scanoss-scan-action.outputs.result-filepath }}"
- name: Print stdout scan command
run: echo "${{ steps.scanoss-scan-action.outputs.stdout-scan-command }}"

- name: Print Results
run: cat "${{ steps.scanoss-scan-action.outputs.result-filepath }}"
```
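Review bot: the commented placeholders `# api-url: <YOUR_API_URL>` and `# api-key: <YOUR_API_KEY>` use hyphenated names, while the inputs table in this same PR documents them as `api.url` and `api.key`; a user who uncomments these lines gets inputs the action does not recognise (GitHub Actions emits an "Unexpected input(s)" warning rather than failing, so the misconfiguration is easy to miss). Align the names with the table, and show the key sourced from a secret rather than a literal placeholder, e.g. `# api.key: ${{ secrets.SCANOSS_API_KEY }}`, so nobody pastes a real key into the workflow file. Removing `github.token: ${{ secrets.GITHUB_TOKEN }}` from the example is consistent with dropping the table row, provided the action really no longer needs the token.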