GitHub Action
OpenSCA Scan Action
This action using OpenSCA-cli to check your application for software supply chain risk.
sample workflow
on:
push:
branches:
- master
- main
pull_request:
branches:
- master
- main
jobs:
opensca-scan:
runs-on: ubuntu-latest
name: OpenSCA Scan
steps:
- name: Checkout your code
uses: actions/checkout@v4
- name: Run OpenSCA Scan
uses: XmirrorSecurity/opensca-scan-action@v1
with:
token: ${{ secrets.OPENSCA_TOKEN }}You need create secrets
OPENSCA_TOKENfirst. See here
After finished scan, you can see the report in Security/Code scanning tab in your repository.
You can also view the full result in OpenSCA SaaS, the url can be found in the action log.
| Name | Required | Description |
|---|---|---|
| token | ✔ | OpenSCA auth token. Get from here |
| proj | ✖ | The OpenSCA SaaS projectID to bind to |
| out | ✖ | Report to upload to repository. Use ',' to separate, only reports in the 'outputs' directory will be uploaded. |
| need-artifact | ✖ | Whether to upload the log and reports to your workflow runs. Default: "false" |
How to get the token? See here
How to get the projectID? See here
- name: Run OpenSCA Scan
uses: XmirrorSecurity/opensca-scan-action@v1
with:
token: ${{ secrets.OPENSCA_TOKEN }}
proj: ${{ secrets.OPENSCA_PROJECT_ID }}- name: Run OpenSCA Scan
uses: XmirrorSecurity/opensca-scan-action@v1
with:
token: ${{ secrets.OPENSCA_TOKEN }}
need-artifact: "true"- name: Run OpenSCA Scan
uses: XmirrorSecurity/opensca-scan-action@v1
with:
token: ${{ secrets.OPENSCA_TOKEN }}
out: "outputs/result.json,outputs/result.html"
need-artifact: "true"Note: Only reports in the 'outputs' directory will be uploaded.
If you have any questions, please free to create an issue.
If the action run failed with permission denied error, you may need to check the permission of the action.
Go to Settings -> Actions -> General, in the Workflow permissions section, check "Read and write permissions", then click "Save".
At the bottom of the workflow summary page, there is a dedicated section for artifacts. Here's a screenshot of something you might see:
