The SCANOSS Code Scan Action enhances your software development process by automatically scanning code for open source components, security vulnerabilities and license compliance. It integrates seamlessly into GitHub workflows with configurable policies and comprehensive reporting.

Prerequisites

Before you begin, make sure you have:
  • An existing GitHub repository
  • A valid SCANOSS API key

Getting Started

Configure GitHub Secrets

Navigate to your GitHub repository and add the following secrets: Settings → Secrets and variables → Actions → New repository secret
Variable Name        Value
SCANOSS_API_KEY      xyz789…

Create Workflow File

Create .github/workflows/scanoss.yml in your repository:
name: SCANOSS Code Scan

on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "*"

permissions:
  contents: write
  pull-requests: write
  checks: write
  actions: read

jobs:
  scanoss-analysis:
    name: SCANOSS Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run SCANOSS scan
        id: scanoss-code-scan-step
        uses: scanoss/code-scan-action@v1
        with:
          policies: undeclared
          api.key: ${{ secrets.SCANOSS_API_KEY }}

Commit and Push

git add .github/workflows/scanoss.yml
git commit -m "Add SCANOSS snippet detection"
git push
The workflow will automatically run on the next push or pull request.

Understanding Results

GitHub Actions Summary

After the scan completes, view results directly in the Actions tab:
  1. Navigate to Actions in your repository
  2. Select the latest workflow run
  3. Review the Annotations section to see detected snippets and matches
(Screenshot: SCANOSS Job Summary)
  4. Click View detailed comments on commit to examine individual file matches with detailed comparison
(Screenshot: SCANOSS Snippet Comments)

Resolving Undeclared Components

When undeclared components are detected, SCANOSS provides an easy resolution path:
  1. Navigate to the failed Policy Check: Undeclared to see which components need declaration
  2. If scanoss.json doesn’t exist in your repository, click Create scanoss.json file to generate it automatically
  3. Review the pre-populated component list and click Commit Changes
(Screenshot: SCANOSS Policy Check)
  4. The new commit automatically triggers a rescan, which will pass the undeclared policy check.
(Screenshot: SCANOSS Policy Pass)

The scanoss.json file serves as your project’s component declaration, ensuring your team has visibility into all open source code used in your repository. Keep this file updated as you add or remove dependencies to maintain accurate compliance tracking.
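To make the "undeclared" policy concrete, here is an added example (written for this page, not SCANOSS's own code) that re-implements the check locally: it compares the components a scan reports against the purls declared in scanoss.json, lists what is missing, and builds an updated declaration the way the "Create scanoss.json file" step does. It assumes a scan-result shape of {file path: [match, ...]} with an "id" and a "purl" list per match, and a scanoss.json of the form {"bom": {"include": [{"purl": ...}]}}; both sample documents are constructed for illustration and are not real scan output.

```python
"""Added example: local re-implementation of an "undeclared components" policy check.

Assumptions (not taken from SCANOSS documentation, labelled here on purpose):
  * scan results look like {file path: [match, ...]}, each match having an
    "id" ("file", "snippet" or "none") and a "purl" list;
  * scanoss.json looks like {"bom": {"include": [{"purl": "..."}, ...]}}.
"""
from __future__ import annotations

import json

# Constructed sample scan output (not real SCANOSS output): two files match
# open source components, one file matches nothing.
SAMPLE_SCAN_RESULTS = json.dumps({
    "src/parser.c": [
        {"id": "snippet", "purl": ["pkg:github/example/fastparse"],
         "licenses": [{"name": "MIT"}]}
    ],
    "src/util.c": [
        {"id": "file", "purl": ["pkg:github/example/utils", "pkg:npm/example-utils"],
         "licenses": [{"name": "Apache-2.0"}]}
    ],
    "src/main.c": [
        {"id": "none"}
    ],
})

# Constructed sample declaration that covers only one of the two detected components.
SAMPLE_SCANOSS_JSON = json.dumps({
    "bom": {"include": [{"purl": "pkg:github/example/utils"}]}
})


def detected_purls(scan_results_text: str) -> dict[str, set[str]]:
    """Map each detected component purl to the files it was matched in.

    An "id" of "none" means no open source code was found in that file, so it
    contributes nothing. The first purl of a match is taken as the primary
    component; later entries are alternative identifiers for the same code.
    """
    results = json.loads(scan_results_text)
    found: dict[str, set[str]] = {}
    for path, matches in results.items():
        for match in matches:
            if match.get("id", "none") == "none":
                continue
            purls = match.get("purl") or []
            if not purls:
                continue
            found.setdefault(purls[0], set()).add(path)
    return found


def declared_purls(scanoss_json_text: str) -> set[str]:
    """Extract the purls under bom.include of a scanoss.json document.

    A missing or malformed declaration counts as "nothing declared", which is
    the conservative reading for a compliance gate.
    """
    try:
        doc = json.loads(scanoss_json_text)
    except json.JSONDecodeError:
        return set()
    if not isinstance(doc, dict):
        return set()
    include = doc.get("bom", {}).get("include", [])
    return {e["purl"] for e in include if isinstance(e, dict) and "purl" in e}


def undeclared_components(scan_results_text: str, scanoss_json_text: str) -> dict[str, list[str]]:
    """Return {purl: sorted files} for every detected component that is not declared."""
    found = detected_purls(scan_results_text)
    declared = declared_purls(scanoss_json_text)
    return {purl: sorted(files) for purl, files in found.items() if purl not in declared}


def policy_passes(scan_results_text: str, scanoss_json_text: str) -> bool:
    """The undeclared policy passes only when nothing detected is undeclared."""
    return not undeclared_components(scan_results_text, scanoss_json_text)


def build_declaration(scan_results_text: str, existing_scanoss_json: str = "") -> str:
    """Produce scanoss.json text declaring every detected component while
    keeping purls that were already declared (what the action automates)."""
    merged = declared_purls(existing_scanoss_json) | set(detected_purls(scan_results_text))
    doc = {"bom": {"include": [{"purl": p} for p in sorted(merged)]}}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for purl, files in undeclared_components(SAMPLE_SCAN_RESULTS, SAMPLE_SCANOSS_JSON).items():
        print(f"undeclared: {purl} (matched in {', '.join(files)})")
    print("policy:", "PASS" if policy_passes(SAMPLE_SCAN_RESULTS, SAMPLE_SCANOSS_JSON) else "FAIL")
    fixed = build_declaration(SAMPLE_SCAN_RESULTS, SAMPLE_SCANOSS_JSON)
    print("policy after declaring everything:",
          "PASS" if policy_passes(SAMPLE_SCAN_RESULTS, fixed) else "FAIL")
```

Run it as a script to see the check fail on the sample declaration and pass once the regenerated scanoss.json declares the missing component. Treating a malformed scanoss.json as "nothing declared" is deliberate: a broken declaration should fail the gate rather than silently pass it.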