Add ability to enable --fail-on-vulnerabilities for check-compliance (#16)

tdruez · web-flow · commit e46d127dfbe5 · 2025-06-26T17:22:03.000+04:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/.github/workflows/find-vulnerabilities.yml b/.github/workflows/find-vulnerabilities.yml
@@ -17,5 +17,8 @@ jobs:
       - uses: ./
         with:
           pipelines: "scan_codebase,find_vulnerabilities"
+          scancodeio-repo-branch: "main"
+          check-compliance: true
+          compliance-fail-on-vulnerabilities: true
         env:
           VULNERABLECODE_URL: https://public.vulnerablecode.io/
diff --git a/README.md b/README.md
@@ -77,6 +77,11 @@ steps:
     # Failure level for compliance check. Options: ERROR, WARNING, MISSING.
     # Default is 'ERROR'
     compliance-fail-level:
+      
+    # Exit with a non-zero status if known vulnerabilities are detected in discovered 
+    # packages and dependencies.
+    # Default is false
+    compliance-fail-on-vulnerabilities:
 
     # Python version that will be installed to run ScanCode.io
     # Default is '3.12'
@@ -128,6 +133,23 @@ However, you also have the option to run your own VulnerableCode instance.
 For details on setting up and configuring your own instance, please refer to the 
 [VulnerableCode documentation](https://vulnerablecode.readthedocs.io/en/latest/index.html).
 
+#### Fail on known vulnerabilities
+
+When enabled, the workflow will fail if any known vulnerabilities are found in the 
+project's discovered packages or dependencies.
+Activate this behavior by enabling `check-compliance` and setting 
+`compliance-fail-on-vulnerabilities` to true.
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    pipelines: "scan_codebase,find_vulnerabilities"
+    check-compliance: true
+    compliance-fail-on-vulnerabilities: true
+  env:
+    VULNERABLECODE_URL: https://public.vulnerablecode.io/
+```
+
 ### Choose the output formats
 
 ```yaml
diff --git a/action.yml b/action.yml
@@ -24,10 +24,18 @@ inputs:
     description: |
       Check for compliance issues in the project.
       Exits with a non-zero status if compliance issues are detected.
+    required: false
+    default: "false"
   compliance-fail-level:
     description: "Failure level for compliance check. Options: ERROR, WARNING, MISSING."
+    required: false
     default: "ERROR"
+  compliance-fail-on-vulnerabilities:
+    description: |
+      Exit with a non-zero status if known vulnerabilities are detected in discovered 
+      packages and dependencies.
     required: false
+    default: "false"
   python-version:
     description: "Python version."
     default: "3.12"
@@ -127,16 +135,23 @@ runs:
         --project ${{ inputs.project-name }} 
         --format ${{ inputs.output-formats }}
 
-    - name: Check compliance
-      if: inputs.check-compliance == 'true'
-      shell: bash
-      run: scanpipe check-compliance
-        --project ${{ inputs.project-name }}
-        --fail-level ${{ inputs.compliance-fail-level }}
-
     - name: Upload outputs
       uses: actions/upload-artifact@v4
       id: artifact-upload-step
       with:
         name: ${{ inputs.outputs-archive-name }}
         path: ${{ env.PROJECT_WORK_DIRECTORY }}/output/*
+
+    - name: Check compliance
+      if: inputs.check-compliance == 'true'
+      shell: bash
+      run: |
+        cmd="scanpipe check-compliance \
+          --project ${{ inputs.project-name }} \
+          --fail-level ${{ inputs.compliance-fail-level }}"
+
+        if [[ "${{ inputs.compliance-fail-on-vulnerabilities }}" == "true" ]]; then
+          cmd="$cmd --fail-on-vulnerabilities"
+        fi
+
+        eval "$cmd"
