fossas/fossa-action

Find license compliance and security issues in your applications with FOSSA and GitHub Actions.

Latest commit 88bec1f · Apr 8, 2022
FOSSA Action


Find license compliance and security issues in your applications with FOSSA in GitHub Actions, using the latest FOSSA CLI.

About FOSSA

  • Developer-focused open source license and security compliance.
  • The most in-depth and insightful visibility into your third-party dependencies.
  • Secure your open source code with accurate vulnerability detection and continuous integration.

About FOSSA Action

FOSSA Action provides an easy-to-use entry point for running FOSSA in your GitHub workflow. This GitHub Action runs FOSSA CLI in your workflows and needs, at minimum, an API key. Below you can find input documentation and examples.

FOSSA Action runs on any Linux runner or on a macOS runner. Note: container scanning requires a running Docker daemon, and GitHub's macOS runners do not provide Docker, so container scans must run on a Linux runner.

Windows is not currently supported.

Versioning

Please note: the version of this Action does not correspond to the version of FOSSA CLI. This Action will always use the latest version of FOSSA CLI (found here).

Inputs

api-key

Required. Your FOSSA API key.

Example:

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}

run-tests

Optional. If set to true, FOSSA will run the fossa test command.

If not set, or set to false, FOSSA will run normal scan behavior. In order to run tests, a scan must first be completed.

Example:

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          run-tests: true

container

Optional. A container name or OCI image path. Set this to use FOSSA's container scanning functionality. This will run fossa container analyze (default behavior) and fossa container test (if used in combination with run-tests).

If not set, FOSSA will run normal scan behavior.

Example:

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          container: ubuntu:20.04

endpoint

Optional. Endpoint passed to FOSSA CLI. Defaults to app.fossa.com. Read more.

Example:

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          endpoint: fossa.my-company.com

Examples

We've provided a few examples of how to use FOSSA's GitHub Action in your own project. These examples use an API key stored as a GitHub secret named fossaApiKey.

Running a scan

This runs a basic FOSSA scan using FOSSA CLI on your checked-out project.

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}

Running tests

This runs fossa test after doing an initial scan.

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@v2

      - name: "Run FOSSA Scan"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}

      - name: "Run FOSSA Test"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          run-tests: true
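The scan-then-test flow above, written out as a complete workflow file. This is an added example, not part of the fossa-action repository: it adds the workflow triggers, a read-only permissions block for the job's GITHUB_TOKEN, and pins fossa-action to a full commit SHA instead of the moving main branch, since the Versioning section explains that the Action's own version is independent of the FOSSA CLI version it downloads. <full-commit-sha> is a placeholder you replace with the 40-character SHA of the fossa-action commit you reviewed; the branch names and secret name fossaApiKey are assumptions about your project.

```yaml
name: FOSSA license and vulnerability scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: these steps only need to read the checked-out source.
permissions:
  contents: read

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@v2

      # Pin to a full commit SHA you have reviewed rather than a branch, so a
      # later change to `main` cannot alter the code that runs with your API
      # key. <full-commit-sha> is a placeholder, not a real commit.
      # Note: this pins the Action, not FOSSA CLI, which the Action always
      # fetches at its latest version.
      - name: "Run FOSSA Scan"
        uses: fossas/fossa-action@<full-commit-sha>
        with:
          api-key: ${{ secrets.fossaApiKey }}

      # run-tests requires the scan above to have completed first.
      - name: "Run FOSSA Test"
        uses: fossas/fossa-action@<full-commit-sha>
        with:
          api-key: ${{ secrets.fossaApiKey }}
          run-tests: true
```

Keeping the API key in a repository secret, as all of the examples on this page do, means it is masked in logs and never committed to source; the permissions block keeps the automatically issued GITHUB_TOKEN from being usable for anything beyond reading the repository if a step is ever compromised.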

Running Container Scanning

Running container scanning is very similar to running FOSSA on a traditional project. This example runs a scan and then runs tests. ubuntu:20.04 can be replaced with your newly built Docker or OCI image.

jobs:
  fossa-scan:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@v2

      - name: "Run FOSSA Scan"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          container: ubuntu:20.04

      - name: "Run FOSSA Test"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{secrets.fossaApiKey}}
          container: ubuntu:20.04
          run-tests: true
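Since the text says ubuntu:20.04 can be replaced with your own freshly built image, here is that variant as a complete workflow. This is an added example, not part of the fossa-action repository: it builds the image in the same job and scans the exact build by tagging it with the commit SHA, so the FOSSA result is tied to a specific revision rather than a floating tag. The image name my-app, the Dockerfile location, and the secret name fossaApiKey are assumptions about your project.

```yaml
name: FOSSA container scan

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  fossa-container-scan:
    # Must be a Linux runner: container scanning needs a running Docker
    # daemon, which GitHub's macOS runners do not provide.
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@v2

      # Build locally and tag with the commit SHA so the scanned image is
      # exactly the one produced by this revision. `my-app` and the build
      # context `.` are assumptions about your project.
      - name: "Build image"
        run: docker build -t my-app:${{ github.sha }} .

      # `container` makes the Action run `fossa container analyze` against
      # the image in the local Docker daemon instead of scanning the source.
      - name: "Run FOSSA Container Scan"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{ secrets.fossaApiKey }}
          container: my-app:${{ github.sha }}

      # With run-tests, the Action runs `fossa container test` for the same
      # image; the analyze step above must have completed first.
      - name: "Run FOSSA Container Test"
        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
        with:
          api-key: ${{ secrets.fossaApiKey }}
          container: my-app:${{ github.sha }}
          run-tests: true
```

Scanning the image you just built, rather than a base image pulled from a registry, is what surfaces the third-party packages your own Dockerfile layers add on top of the base.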
