SCANOSS Code Scan Task
The SCANOSS Code Scan task enhances your software development process by automatically scanning your code for security vulnerabilities and license compliance with configurable policies.
Usage
Before using the SCANOSS Code Scan Task, you need to install it from the Azure Marketplace. You can find it here.
Set Up
The SCANOSS Code Scan Task uses the Azure API to create Checks and Comments on Pull Requests. Once the pipeline is available upstream, ensure you have the correct permissions set up on your repository:
Open the repository settings section:
- Project Settings
- Repositories
- Select the repository
A) Allow Pull Request Contribute Access:
- Open the 'Security' tab.
- Select the repository Build Service account under the 'Users' group.
- Allow "Contribute to pull requests".
B) Add Build Validation Policy to the integration branch:
- Open the 'Policies' tab.
- Select the integration branch under 'Branch Policies'.
- Add a new Build Validation Policy, configure the options, and save:
- Build Pipeline: Select your pipeline.
- Trigger: Automatic.
- Policy Requirement: Select your option.
- Build Expiration: Select your option.
- Set a display name.
Azure agent jobs
If an Azure Agent Job is being run, ensure that the 'Allow scripts to access OAuth token' option is enabled. The SCANOSS Code Scan Task requires access to the System Access token to push the results to the PR.
Pipeline
Set up a basic pipeline and include the SCANOSS task within it:
trigger: none
pr:
  - main
pool:
  vmImage: ubuntu-latest
##schedules:
##  - cron: "*/5 * * * *" # Every 5 minutes
##    displayName: "Run every 5 minutes"
##    always: true # Ensures the pipeline runs even if there are no code changes
##    branches:
##      include:
##        - main # Specify the branch(es) to trigger the schedule on
variables:
  HTTP_PROXY: $(HTTP_PROXY_URL)
  HTTPS_PROXY: $(HTTPS_PROXY_URL)
steps:
  - checkout: self
    persistCredentials: true
  - task: scanoss@0
    displayName: "SCANOSS Code Scan"
    inputs:
      # apiKey: $(APIKEY)
      # apiUrl: 'https://api.scanoss.com/scan/direct'
      sbomFilepath: SBOM.json
      policies: copyleft,undeclared
      policiesHaltOnFailure: false
      dependenciesEnabled: true
      dependenciesScope: prod
      licensesCopyleftInclude: AGPL-1.0-or-later, AGPL-1.0-only
NOTE:
Minor versions can be set by specifying the full version number of a task after the @ sign (example: scanoss@0.1.1). For further details, please refer to the task version.
Proxy Configuration
If your pipeline is running behind a proxy, add the following configuration to the pipeline:
variables:
  HTTP_PROXY: http://your-proxy:8080
  HTTPS_PROXY: http://your-proxy:8080
...
    inputs:
      runtimeContainer: '<self_hosted_registry>/scanoss-py:v1.15.0'
Inside the SCANOSS task, add the runtimeContainer input with the address of your internal Docker registry.
Pipeline Triggers
In addition to being triggered by pull requests (PRs), pipelines can also be run manually and scheduled to execute at regular intervals.
When the pipeline is manually triggered or runs on a schedule, the results are uploaded only to the run artifacts.
| Parameter | Description | Required | Default |
|---|---|---|---|
| outputFilepath | Scan output file name. | Optional | results.json |
| sbomEnabled | Enable or disable scanning based on the SBOM file. | Optional | true |
| sbomFilepath | Filepath of the SBOM file to be used for scanning. | Optional | sbom.json |
| sbomType | Type of SBOM operation: either 'identify' or 'ignore'. | Optional | identify |
| dependenciesEnabled | Option to enable or disable scanning of dependencies. | Optional | false |
| dependenciesScope | Selects development or production dependencies (scopes: dev, prod). | Optional | - |
| dependenciesScopeInclude | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
| dependenciesScopeExclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
| policies | List of policies separated by commas; available options are copyleft and undeclared. | Optional | - |
| policiesHaltOnFailure | Halt the check on policy failure. If set to false, checks will not fail. | Optional | true |
| apiUrl | SCANOSS API URL. | Optional | https://api.osskb.org/scan/direct |
| apiKey | SCANOSS API key. | Optional | - |
| runtimeContainer | Runtime container URL. | Optional | ghcr.io/scanoss/scanoss-py:v1.18.0 |
| licensesCopyleftInclude | List of copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licensesCopyleftExclude | List of copyleft licenses to remove from the default list. Provide licenses as a comma-separated list. | Optional | - |
| licensesCopyleftExplicit | Explicit list of copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| skipSnippets | Skip the generation of snippets (the scan_files option must be enabled). | Optional | false |
| scanFiles | Enable or disable file and snippet scanning. | Optional | true |
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings documentation. | Optional | true |
| settingsFilepath | Filepath of the SCANOSS settings to be used for scanning. | Optional | scanoss.json |
Policy Checks
The SCANOSS Code Scan Task includes two configurable policies:
Copyleft: This policy checks whether any component or code snippet is associated with a copyleft license. If such a license is detected, the pull request (PR) is rejected. The default list of copyleft licenses is defined in the following file.
Undeclared: This policy compares the components detected in the repository against those declared in the sbom.json file (customizable through the sbomFilepath parameter). If there are undeclared components, the PR is rejected.
Additionally, if it is a Pull Request, a comment with a summary of the report will be automatically generated.
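To make the two policies and the licensesCopyleftInclude/Exclude/Explicit and policiesHaltOnFailure inputs concrete, here is an added, simplified reimplementation of the checks (example code, not the task's own implementation). The component and SBOM structures, the placeholder default copyleft list and the sample data are all constructed for this example.

```python
# Simplified model of the SCANOSS task's copyleft and undeclared policies.
# Input shapes and the default list below are constructed for illustration.

# Placeholder stand-in for the task's real default copyleft list.
DEFAULT_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-3.0-only"}


def _split(csv):
    """Parse a comma-separated input value into a set of trimmed names."""
    return {x.strip() for x in csv.split(",") if x.strip()}


def effective_copyleft(include="", exclude="", explicit=""):
    """Mirror licensesCopyleftExplicit (replaces the default list) and
    licensesCopyleftInclude / licensesCopyleftExclude (adjust it)."""
    if explicit:
        return _split(explicit)
    return (DEFAULT_COPYLEFT | _split(include)) - _split(exclude)


def check_copyleft(components, copyleft):
    """Return detected components whose license is in the copyleft set."""
    return [c for c in components if c["license"] in copyleft]


def check_undeclared(components, sbom):
    """Return detected purls that the SBOM does not declare."""
    declared = {c["purl"] for c in sbom.get("components", [])}
    return [c for c in components if c["purl"] not in declared]


def run_policies(components, sbom, policies="copyleft,undeclared",
                 halt_on_failure=True, **licenses):
    """Evaluate the selected policies and return (passed, findings).
    With halt_on_failure=False findings are reported but never fail."""
    findings = {}
    for policy in _split(policies):
        if policy == "copyleft":
            findings["copyleft"] = check_copyleft(
                components, effective_copyleft(**licenses))
        elif policy == "undeclared":
            findings["undeclared"] = check_undeclared(components, sbom)
        else:
            raise ValueError(f"unknown policy: {policy}")
    failed = any(findings.values())
    return (not failed) or (not halt_on_failure), findings


# Constructed sample data, not real scan output or a real SBOM.
SAMPLE_COMPONENTS = [
    {"purl": "pkg:npm/left-pad@1.3.0", "license": "MIT"},
    {"purl": "pkg:github/example/libfoo@1.0", "license": "AGPL-1.0-only"},
    {"purl": "pkg:npm/lodash@4.17.21", "license": "MIT"},
]
SAMPLE_SBOM = {"components": [{"purl": "pkg:npm/left-pad@1.3.0"},
                              {"purl": "pkg:github/example/libfoo@1.0"}]}
```

Calling run_policies(SAMPLE_COMPONENTS, SAMPLE_SBOM, include="AGPL-1.0-or-later, AGPL-1.0-only") flags libfoo under copyleft and lodash as undeclared; the same call with halt_on_failure=False still reports both but passes, matching the pipeline example above.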
Artifacts
The scan results and policy check outcomes are uploaded to the artifacts folder of the specific run of the pipeline.
Example Repository
An example use case can be found at the following link.