{"id":20200750,"url":"https://github.com/xmirrorsecurity/opensca-scan-action","last_synced_at":"2025-03-03T08:43:49.132Z","repository":{"id":216431299,"uuid":"740948657","full_name":"XmirrorSecurity/opensca-scan-action","owner":"XmirrorSecurity","description":"Integrate OpenSCA-cli into your GitHub Action to assess the supply chain risks associated with your application.","archived":false,"fork":false,"pushed_at":"2024-01-16T09:24:06.000Z","size":609,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-01-13T20:15:21.235Z","etag":null,"topics":["code-analysis","software-composition-analysis","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/opensca-scan-action","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XmirrorSecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2024-01-09T11:59:22.000Z","updated_at":"2024-08-29T10:54:48.000Z","dependencies_parsed_at":"2024-01-16T11:31:01.747Z","dependency_job_id":null,"html_url":"https://github.com/XmirrorSecurity/opensca-scan-action","commit_stats":null,"previous_names":["xmirrorsecurity/opensca-scan-action"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2Fopensca-scan-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2Fopensca-scan-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2Fopensca-scan-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2Fopensca-scan-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XmirrorSecurity","download_url":"https://codeload.github.com/XmirrorSecurity/opensca-scan-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241637191,"owners_count":19994927,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-analysis","software-composition-analysis","supply-chain-security"],"created_at":"2024-11-14T04:45:33.037Z","updated_at":"2025-03-03T08:43:49.108Z","avatar_url":"https://github.com/XmirrorSecurity.png","language":null,"readme":"# OpenSCA Scan Action\u003c!-- omit in toc --\u003e\n\nThis action uses [OpenSCA-cli](https://github.com/XmirrorSecurity/OpenSCA-cli) to check your application for software supply chain risks.\n\n- [Usage](#usage)\n- [Inputs](#inputs)\n- [Scenarios](#scenarios)\n  - [Bind to OpenSCA SaaS project](#bind-to-opensca-saas-project)\n  - [Save the scan log for troubleshooting](#save-the-scan-log-for-troubleshooting)\n  - [Upload log and reports to repository](#upload-log-and-reports-to-repository)\n- [Troubleshooting](#troubleshooting)\n  - [Permission denied](#permission-denied)\n  - [Where does the artifact go?](#where-does-the-artifact-go)\n\n\n# Usage\n\nSample workflow:\n\n```yaml\non:\n  push:\n    branches:\n      - master\n      - main\n  pull_request:\n    branches:\n      - master\n      - main\n\njobs:\n  opensca-scan:\n    runs-on: ubuntu-latest\n    name: OpenSCA Scan\n    steps:\n      - name: Checkout your code\n        uses: actions/checkout@v4\n      - name: Run OpenSCA Scan\n        uses: XmirrorSecurity/opensca-scan-action@v1\n        with:\n          token: ${{ secrets.OPENSCA_TOKEN }}\n```\n\n\u003e You need to create the `OPENSCA_TOKEN` secret first. [See here](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository)\n\nAfter the scan finishes, you can see the report in the `Security/Code scanning` tab of your repository.\n\n![sarif result](/resources/sarif-result.jpg)\n\nYou can also view the full result in [OpenSCA SaaS](https://opensca.xmirror.cn/console); the URL can be found in the action log.\n\n![action log](/resources/action-log.jpg)\n\n# Inputs\n\n| Name | Required | Description |\n| :---: | :---: | --- |\n| token | ✔ | OpenSCA auth token. [Get from here](https://opensca.xmirror.cn/console/auth-token) |\n| proj | ✖ | The OpenSCA SaaS projectID to bind to |\n| out | ✖ | Reports to upload to the repository. Use ',' to separate multiple paths; only reports in the 'outputs' directory will be uploaded. |\n| need-artifact | ✖ | Whether to upload the log and reports to your workflow runs. Default: \"false\" |\n\n\u003e How to get the token? [See here]()\n\u003e \n\u003e How to get the projectID? [See here]()\n\n# Scenarios\n\n## Bind to OpenSCA SaaS project\n\n```yaml\n- name: Run OpenSCA Scan\n  uses: XmirrorSecurity/opensca-scan-action@v1\n  with:\n    token: ${{ secrets.OPENSCA_TOKEN }}\n    proj: ${{ secrets.OPENSCA_PROJECT_ID }}\n```\n\n## Save the scan log for troubleshooting\n\n```yaml\n- name: Run OpenSCA Scan\n  uses: XmirrorSecurity/opensca-scan-action@v1\n  with:\n    token: ${{ secrets.OPENSCA_TOKEN }}\n    need-artifact: \"true\"\n```\n\n## Upload log and reports to repository\n\n```yaml\n- name: Run OpenSCA Scan\n  uses: XmirrorSecurity/opensca-scan-action@v1\n  with:\n    token: ${{ secrets.OPENSCA_TOKEN }}\n    out: \"outputs/result.json,outputs/result.html\"\n    need-artifact: \"true\"\n```\n\n\u003e Note: Only reports in the 'outputs' directory will be uploaded.\n\n# Troubleshooting\n\nIf you have any questions, please feel free to create an issue.\n\n## Permission denied\n\nIf the action run fails with a permission denied error, you may need to check the workflow permissions of your repository.\n\nGo to `Settings` -\u003e `Actions` -\u003e `General`; in the `Workflow permissions` section, select \"Read and write permissions\", then click \"Save\".\n\n## Where does the artifact go?\n\nAt the bottom of the workflow summary page, there is a dedicated section for artifacts. Here's a screenshot of something you might see:\n\n![artifacts](/resources/artifacts.jpg)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmirrorsecurity%2Fopensca-scan-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxmirrorsecurity%2Fopensca-scan-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmirrorsecurity%2Fopensca-scan-action/lists"}