1- name : Generate SBOM with ORT and load into ScanCode.io
1+ name : Generate or load SBOMs from ORT into ScanCode.io
22
33# This workflow:
4- # 1. Generates a CycloneDX SBOM for a requirement.txt file using ORT.
5- # 2. Uploads the SBOM as a GitHub artifact for future inspection.
4+ # 1. Generates CycloneDX and SPDX SBOM with ORT
5+ # 2. Loads ORT SBOM test assets
66# 3. Loads the SBOM into ScanCode.io for further analysis.
77# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
88#
1717permissions :
1818 contents : read
1919
20- env :
21- EXPECTED_PACKAGE : 5
22- EXPECTED_VULNERABLE_PACKAGE : 1
23- EXPECTED_DEPENDENCY : 1
24-
2520jobs :
26- generate-and-load-sbom :
21+ checkout-ort-test-assets-from-scancode-io-repo :
22+ runs-on : ubuntu-24.04
23+ steps :
24+ - name : Checkout ScanCode.io repository
25+ uses : actions/checkout@v5
26+
27+ - name : Upload orthw mime types example
28+ uses : actions/upload-artifact@v4
29+ with :
30+ name : npm-mime-types-2.1.26-scan-result.json
31+ path : scanpipe/tests/data/integrations-ort/orthw-example-scan-result/npm-mime-types-2.1.26-scan-result.json
32+ overwrite : true
33+ retention-days : 1
34+
35+ generate-python-cyclonedx-1-5-sbom-with-ort-load-into-scancode-io :
36+ runs-on : ubuntu-24.04
37+ steps :
38+ - name : Create a Python requirements.txt
39+ run : |
40+ cat << 'EOF' > requirements.txt
41+ click==6.7
42+ Flask==1.0
43+ itsdangerous==0.24
44+ EOF
45+
46+ - name : Run GitHub Action for ORT
47+ uses : oss-review-toolkit/ort-ci-github-action@v1
48+ with :
49+ ort-cli-report-args : " -O CycloneDX=output.file.formats=json -O CycloneDX=schema.version=1.5"
50+ report-formats : " CycloneDx"
51+ run : >
52+ analyzer,
53+ evaluator,
54+ advisor,
55+ reporter
56+
57+ - name : Import SBOM into ScanCode.io
58+ uses : aboutcode-org/scancode-action@main
59+ with :
60+ pipelines : " load_sbom"
61+ inputs-path : " ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
62+ scancodeio-repo-branch : " main"
63+
64+ - name : Verify SBOM analysis results in ScanCode.io
65+ shell : bash
66+ run : |
67+ scanpipe verify-project \
68+ --project scancode-action \
69+ --packages 6 \
70+ --vulnerable-packages 1 \
71+ --dependencies 5
72+
73+ generate-python-cyclonedx-1-6-sbom-with-ort-load-into-scancode-io :
2774 runs-on : ubuntu-24.04
2875 steps :
2976 - name : Create a Python requirements.txt
3784
3885 - name : Run GitHub Action for ORT
3986 uses : oss-review-toolkit/ort-ci-github-action@v1
87+ with :
88+ ort-cli-report-args : " -O CycloneDX=output.file.formats=json -O CycloneDX=schema.version=1.6"
89+ report-formats : " CycloneDx"
90+ run : >
91+ analyzer,
92+ evaluator,
93+ advisor,
94+ reporter
4095
4196 - name : Import SBOM into ScanCode.io
4297 uses : aboutcode-org/scancode-action@main
@@ -45,11 +100,152 @@ jobs:
45100 inputs-path : " ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
46101 scancodeio-repo-branch : " main"
47102
48- - name : Verify SBOM Analysis Results in ScanCode.io
103+ - name : Verify SBOM analysis results in ScanCode.io
104+ shell : bash
105+ run : |
106+ scanpipe verify-project \
107+ --project scancode-action \
108+ --packages 5 \
109+ --vulnerable-packages 1 \
110+ --dependencies 1
111+
112+ generate-mime-types-sboms-from-ort-from-scan-result :
113+ needs : checkout-ort-test-assets-from-scancode-io-repo
114+ runs-on : ubuntu-24.04
115+ steps :
116+ - name : Download mime-type-2.1.26-scan-result file
117+ uses : actions/download-artifact@v5
118+ with :
119+ name : npm-mime-types-2.1.26-scan-result.json
120+
121+ - name : Move mime-types scan result expected location by GitHub Action for ORT
122+ run : |
123+ mkdir -p $HOME/.ort/ort-results/
124+ mv npm-mime-types-2.1.26-scan-result.json \
125+ $HOME/.ort/ort-results/current-result.json
126+ cat $HOME/.ort/ort-results/current-result.json
127+
128+ - name : Run GitHub Action for ORT
129+ uses : oss-review-toolkit/ort-ci-github-action@v1
130+ with :
131+ report-formats : " CycloneDx,SpdxDocument"
132+ run : >
133+ evaluator,
134+ advisor,
135+ reporter
136+ - name: Upload orthw mime type example
137+
138+ - uses : actions/upload-artifact@v4
139+ with :
140+ name : npm-mime-types-2.1.26-ort-sboms
141+ path : |
142+ ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json
143+ ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.xml
144+ ${{ env.ORT_RESULTS_PATH }}/bom.spdx.json
145+ ${{ env.ORT_RESULTS_PATH }}/bom.spdx.yml
146+ overwrite : true
147+ retention-days : 1
148+
149+ load-ort-mime-types-cyclonedx-json-sbom-into-scancode-io :
150+ needs : generate-mime-types-sboms-from-ort-from-scan-result
151+ runs-on : ubuntu-24.04
152+ steps :
153+ - name : Download ORT CycloneDX JSON SBOM for mime-types 2.1.26
154+ uses : actions/download-artifact@v5
155+ with :
156+ name : npm-mime-types-2.1.26-ort-sboms
157+
158+ - name : Import SBOM into ScanCode.io
159+ uses : aboutcode-org/scancode-action@main
160+ with :
161+ pipelines : " load_sbom"
162+ inputs-path : " bom.cyclonedx.json"
163+ output-formats : " cyclonedx"
164+ scancodeio-repo-branch : " main"
165+
166+ - name : Verify SBOM analysis results in ScanCode.io
167+ shell : bash
168+ run : |
169+ scanpipe verify-project \
170+ --project scancode-action \
171+ --packages 380 \
172+ --vulnerable-packages 1 \
173+ --dependencies 628
174+
175+ load-ort-mime-types-cyclonedx-xml-sbom-into-scancode-io :
176+ needs : generate-mime-types-sboms-from-ort-from-scan-result
177+ runs-on : ubuntu-24.04
178+ steps :
179+ - name : Download ORT CycloneDX JSON SBOM for mime-types 2.1.26
180+ uses : actions/download-artifact@v5
181+ with :
182+ name : npm-mime-types-2.1.26-ort-sboms
183+
184+ - name : Import SBOM into ScanCode.io
185+ uses : aboutcode-org/scancode-action@main
186+ with :
187+ pipelines : " load_sbom"
188+ inputs-path : " bom.cyclonedx.xml"
189+ output-formats : " cyclonedx"
190+ scancodeio-repo-branch : " main"
191+
192+ - name : Verify SBOM analysis results in ScanCode.io
193+ shell : bash
194+ run : |
195+ scanpipe verify-project \
196+ --project scancode-action \
197+ --packages 380 \
198+ --vulnerable-packages 17 \
199+ --dependencies 628
200+
201+ load-mime-types-spdx-json-sbom-into-scancode-io :
202+ needs : generate-mime-types-sboms-from-ort-from-scan-result
203+ runs-on : ubuntu-24.04
204+ steps :
205+ - name : Download ORT SPDX JSON SBOM for mime-types 2.1.26
206+ uses : actions/download-artifact@v5
207+ with :
208+ name : npm-mime-types-2.1.26-ort-sboms
209+
210+ - name : Import SBOM into ScanCode.io
211+ uses : aboutcode-org/scancode-action@main
212+ with :
213+ pipelines : " load_sbom"
214+ inputs-path : " bom.spdx.json"
215+ output-formats : " spdx"
216+ scancodeio-repo-branch : " main"
217+
218+ - name : Verify SBOM analysis results in ScanCode.io
219+ shell : bash
220+ run : |
221+ scanpipe verify-project \
222+ --project scancode-action \
223+ --packages 1141 \
224+ --vulnerable-packages 0 \
225+ --dependencies 1397
226+
227+ load-mime-types-spdx-yml-sbom-into-scancode-io :
228+ needs : generate-mime-types-sboms-from-ort-from-scan-result
229+ runs-on : ubuntu-24.04
230+ steps :
231+ - name : Download ORT SPDX YAML SBOM for mime-types 2.1.26
232+ uses : actions/download-artifact@v5
233+ with :
234+ name : npm-mime-types-2.1.26-ort-sboms
235+
236+ - name : Import SBOM into ScanCode.io
237+ uses : aboutcode-org/scancode-action@main
238+ with :
239+ pipelines : " load_sbom"
240+ inputs-path : " bom.spdx.yml"
241+ output-formats : " spdx"
242+ scancodeio-repo-branch : " main"
243+
244+ - name : Verify SBOM analysis results in ScanCode.io
49245 shell : bash
50246 run : |
51247 scanpipe verify-project \
52248 --project scancode-action \
53- --packages ${{ env.EXPECTED_PACKAGE }} \
54- --vulnerable-packages ${{ env.EXPECTED_VULNERABLE_PACKAGE }} \
55- --dependencies ${{ env.EXPECTED_DEPENDENCY }}
249+ --packages 1141 \
250+ --vulnerable-packages 0 \
251+ --dependencies 1397
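Review bot: In job `generate-mime-types-sboms-from-ort-from-scan-result`, the added `- name: Upload orthw mime type example` (new line 136) is a list item of its own, separated by a blank line from the `- uses: actions/upload-artifact@v4` item below it, so the job contains a step with neither `uses` nor `run` and GitHub rejects the workflow at parse time. Fold the two into one step, `- name: Upload ORT SBOMs for mime-types 2.1.26` followed by `uses: actions/upload-artifact@v4` at the key indent, and keep the blank line before the step as the rest of the file does. The download step in `load-ort-mime-types-cyclonedx-xml-sbom-into-scancode-io` is still named `Download ORT CycloneDX JSON SBOM for mime-types 2.1.26`; `JSON` should read `XML`. The expected `--vulnerable-packages` value differs between the CycloneDX JSON job (1) and the XML job (17) although both load the same ORT output, which looks like a copied value rather than a deliberate expectation and is worth confirming before the assertions are trusted. Every import step uses `aboutcode-org/scancode-action@main`, a moving branch ref, so each run executes whatever that branch holds at the time; pinning it to a release tag or full commit SHA keeps the workflow reproducible and limits supply-chain exposure.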