action.yml

name: "OpenSCA Scan Action"
description: "Check your application for software supply chain risk using OpenSCA"
author: "Xmirror Security OpenSCA team"
branding:
  icon: "alert-triangle"
  color: "yellow"
inputs:
  token:
    description: "OpenSCA Personal Access Token"
    required: true
  proj:
    description: "The OpenSCA SaaS ProjectID to bind to"
    required: false
  out:
    description: "Report to upload to repository. Use ',' to separate, only reports in the 'outputs' directory will be uploaded."
    required: false
  need-artifact:
    description: "Whether to upload the log and reports to the repository"
    required: false
    default: "false"
runs:
  using: "composite"
  steps:
    - name: Execute OpenSCA Scan
      shell: bash
      run: |
        curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | bash
        export PATH=$PATH:/home/runner/.config/opensca-cli
        opensca-cli -path . -token ${{ inputs.token }} -proj "${{ inputs.proj }}" -out outputs/results.sarif,${{ inputs.out }}
    - name: "Upload artifacts"
      uses: "actions/upload-artifact@v4"
      if: ${{ inputs.need-artifact }} == "true"
      with:
        name: "OpenSCA-artifacts"
        path: |
          opensca.log
          outputs/
        if-no-files-found: warn
    - name: "Upload results to repository"
      uses: "github/codeql-action/upload-sarif@v3"
      with:
          sarif_file: outputs/results.sarif