https://github.com/scanoss/integration-github-actions

https://github.com/scanoss/integration-github-actions

Last synced: 5 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/scanoss/integration-github-actions
• Owner: scanoss
• Created: 2024-01-18T13:05:20.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2025-03-11T14:05:47.000Z (over 1 year ago)
• Last Synced: 2025-03-11T15:23:20.402Z (over 1 year ago)
• Language: TypeScript
• Size: 188 KB
• Stars: 0
• Watchers: 3
• Forks: 1
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# SCANOSS GitHub Action Usage Example

This repository serves as an example to demonstrate how to use the [SCANOSS GitHub Action](https://github.com/scanoss/actions-scan/) for license management in your projects. SCANOSS provides two predefined policies for scanning: `copyleft` and `undeclared`.

## Overview

The repository is structured into two branches to showcase different scenarios:

- [`main`](https://github.com/scanoss/integration-github-actions/tree/main): Demonstrates a scenario where the codebase comply with the policies:

    - No copyleft licenses are found within the codebase.

    - All components are correctly declared in the [`sbom.json`](sbom.json) file. 

- [`policy/violations`](https://github.com/scanoss/integration-github-actions/tree/policy/violations): Illustrates the case where the codebase does not comply with the policies. You can find the failing PR [here](https://github.com/scanoss/integration-github-actions/pull/14).

    - Introduction of copyleft licenses.

    - Usage of components that are not declared in the `sbom.json`. 

  

## Policies in Detail

- **Copyleft**: This policy scans your code for copyleft licenses. If no copyleft licenses are identified, the check passes. Otherwise, it fails, indicating non-compliance.

- **Undeclared**: Requires the explicit declaration of all utilized components within a `sbom.json` file. Failure to declare any component results in a failed check, highlighting undeclared usage.

## How to Use This Action in Your Project

To use the SCANOSS GitHub Action in your project, you can add a workflow file under `.github/workflows` with the following basic setup:

```yaml

name: Example SCANOSS Action

on:

  pull_request:

    branches:

      - main

  push:

    branches:

      - main

permissions:

  contents: read

  pull-requests: write

  checks: write

jobs:

  scanoss-analysis:

    name: SCANOSS Analysis

    runs-on: ubuntu-latest

    steps:

      - name: Checkout code

        id: checkout

        uses: actions/checkout@v4

      - name: Run SCANOSS analysis

        id: scan

        uses: scanoss/actions-scan@v0

        with:

          policies: copyleft, undeclared

```