A GitHub Action (and a template) to help you use the powerful ORT (OSS Review Toolkit) to analyse, scan, evaluate and advise on your code, with quite a lot of configuration options.
As an SBOM (Software Bill of Materials) generator it may well work for you out of the box, as ORT supports many package managers and output formats.
As a deep code license scanner, you might need to configure more powerful runners than the free GitHub-hosted ones.
Related sibling projects are:
- ORT CI Base - Contains the base logic (scripts etc.) for running ORT in CI.
- ORT CI GitLab - GitLab CI templates for running ORT in GitLab environments.
- [ORT CI Tekton] - To-Do
```yaml
name: ORT CI Action
on: [push]
jobs:
  ort_report_job:
    runs-on: ubuntu-latest
    name: Analyse with ORT
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          path: project
      - name: ORT CI Action run
        id: ort-ci-action
        # Pinned to a full commit SHA rather than a tag, so the action cannot change underneath you.
        uses: YOUR_ORG/ort-ci-action@84fb404388a78fa8a2059470c6c38bec98c648f4
        with:
          ort_disable_scanner: true
          ort_disable_downloader: true
          ort_disable_evaluator: true
          ort_disable_advisor: false
          ort_cli_config_tmpl: "ort.conf.github.tmpl"
          ort_config_file: ''
          ort_log_level: info
          # YAML comments start with '#'; a '//' would become part of the JVM options string.
          ort_opts: -Xmx5120m # roughly the memory available on current free GitHub-hosted runners
      - name: ort-action-artifacts
        uses: actions/upload-artifact@v3
        with:
          name: analysis
          path: ./project/ort-results
```
For further configuration options, see the variables configuration doc or `action.yml` itself.
The example uses two further actions:
- `checkout` checks out the current repository into `$GITHUB_WORKSPACE/project`, the default location the action expects if nothing else is configured.
- `upload-artifact` makes the analysis results available for download after the workflow has finished.
At the bottom of the workflow summary page there is a dedicated section for artifacts, where the uploaded `analysis` artifact appears. Here's a screenshot of something you might see:
There is currently no official ORT image (there will most likely be one in the future). Until then, clone this repo and build your own:
1. See `ort-ci-action/.github/workflows/ort-image-build.yml` for how the image is built, or use that workflow as is.
2. In `action.yml`, replace `uses: docker://ghcr.io/janderssonse/ort-ci-action:latest` with a reference to the image you built. Prefer pinning the image by digest (`docker://<registry>/<image>@sha256:<digest>`) over a moving tag such as `:latest`, so the action always runs exactly the image you built and reviewed.
Note that GitHub Actions does not yet support pulling a private image for a `docker://` action here, so the image must be publicly pullable.
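Pinning `uses:` references to an immutable revision (a full commit SHA for an action, as in the workflow above, or an `@sha256:` digest for a `docker://` image) prevents a later push to a tag or branch from silently changing what the pipeline runs. The following script is an added example, not part of ort-ci-action, that reports `uses:` references in a workflow or `action.yml` which are not pinned that way. The sample workflow it checks is constructed inline, and the function names `find_unpinned_uses` and `count_unpinned_uses` are its own.

```shell
#!/usr/bin/env bash
# Added example (not part of ort-ci-action): flag `uses:` references in a
# GitHub Actions workflow or action.yml that are not pinned to an immutable
# revision. A 40-hex commit SHA (actions) or an @sha256: digest (docker://
# images) cannot be repointed the way a tag or branch can.
set -eu

# Print every unpinned `uses:` reference in the given file, one per line,
# as "<line-number>: <reference> (<reason>)". Always returns 0; the caller
# decides what to do with the findings.
find_unpinned_uses() {
  local file="$1"
  local n=0 line ref
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    # Strip "<indent>- uses:" / "<indent>uses:", trailing comments and quotes.
    ref=$(printf '%s\n' "$line" \
      | sed -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//' \
            -e 's/[[:space:]]*#.*$//' \
      | tr -d "\"'")
    [ -n "$ref" ] || continue
    case "$ref" in
      ./*)
        # Local action in the same repository: it travels with the commit.
        continue ;;
      docker://*@sha256:*)
        continue ;;
      docker://*)
        printf '%s: %s (image not pinned by digest)\n' "$n" "$ref" ;;
      *@*)
        # Whatever follows '@' must be exactly 40 hex characters to be a SHA.
        if printf '%s\n' "${ref##*@}" | grep -Eq '^[0-9a-f]{40}$'; then
          continue
        fi
        printf '%s: %s (action not pinned to a full commit SHA)\n' "$n" "$ref" ;;
      *)
        printf '%s: %s (no revision given at all)\n' "$n" "$ref" ;;
    esac
  done < "$file"
}

# Number of unpinned references, usable as a CI gate (fail when non-zero).
count_unpinned_uses() {
  find_unpinned_uses "$1" | wc -l | tr -d ' '
}

# Constructed sample input: the page's workflow steps plus docker:// variants.
SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  ort_report_job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: YOUR_ORG/ort-ci-action@84fb404388a78fa8a2059470c6c38bec98c648f4
      - uses: docker://ghcr.io/janderssonse/ort-ci-action:latest
      - uses: docker://ghcr.io/janderssonse/ort-ci-action@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
      - uses: actions/upload-artifact@v3  # moving tag, not a pin
EOF

find_unpinned_uses "$SAMPLE_WORKFLOW"
echo "unpinned references: $(count_unpinned_uses "$SAMPLE_WORKFLOW")"
```

Run it against `.github/workflows/*.yml` and `action.yml` in CI and fail the job when the count is non-zero; the local-action and digest-pinned cases are skipped deliberately, since they already resolve to exactly one revision.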
Scenario: I want to scan my pipelines with a regular Actions workflow YAML, maybe with a private image
There is currently no official ORT image available (there will most likely be one in the future). Until then, build your own:
- See `ort-ci-action/.github/workflows/ort-image-build.yml` for how to build it, or use that workflow as is.
- Have a look at the example in `ci-templates/ort-scan-flow.yml` and adapt it to your own workflow.
TO-DO
The project uses a few hygiene linters:
- MegaLinter - for shell, markdown etc. checks.
- Repolinter - for the overall repo structure.
- commitlint - for conventional commit checks.
- REUSE Compliance Check - for REUSE specification compliance.
Before submitting a PR, please run these linters locally to avoid red checks. If you fork on GitHub, you can adjust them in the `.github/workflow` files so they work for your fork.
ORT CI Action follows the Contributor Covenant Code of Conduct.
Please also see the Contributor Guide.
This Action runs ORT to do its work, which is under the Apache License and:
Copyright (C) 2020-2022 HERE Europe B.V.
ORT CI Action itself is under
See `.reuse/dep5` and the file headers for further information. Most "scrap" files, text files etc. are under CC0-1.0, essentially public domain.
Thanks to the ORT (OSS Review Toolkit) project for developing such a powerful tool. It fills a void in the SCA tool space.
- TO-DO