
Prerequisites

Before setting up the integration, ensure you have:

GitHub Secrets Configuration

To securely store your API keys and configuration, add them as GitHub repository secrets.
  1. Go to your GitHub repository.
  2. Click Settings > Secrets and variables > Actions.
  3. Click New repository secret.

Add Required Secrets

Add each of the following secrets:
| Secret Name     | Description               | Example                              |
|-----------------|---------------------------|--------------------------------------|
| DT_API_KEY      | Dependency Track API key  | abc123...                            |
| DT_SERVER_URL   | Dependency Track base URL | https://your-dependencytrack-url.com |
| SCANOSS_API_KEY | SCANOSS API key           | xyz789...                            |

Optional Secret:

| Secret Name | Description          | Example                 | When to Use |
|-------------|----------------------|-------------------------|-------------|
| SCANOSS_URL | SCANOSS API endpoint | https://api.scanoss.com | Required only when using a self-hosted SCANOSS instance instead of the SCANOSS SaaS (Software as a Service) offering |

GitHub Actions Workflow

Create Workflow Directory

If the .github/workflows directory does not already exist in your repository, create it now:
your-project/
└── .github/
    └── workflows/

Create Workflow File

Create a workflow file at .github/workflows/scanoss-monitoring.yml. This workflow uses the SCANOSS Code Scan GitHub Action to analyse your repository, generate licence and dependency insights, and upload the results to Dependency Track for continuous monitoring. Add the following configuration to your workflow file:
name: SCANOSS with Dependency Track

on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "*"

permissions:
  contents: read
  pull-requests: write
  checks: write
  actions: read

jobs:
  scanoss-code-scan:
    name: SCANOSS Code Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run SCANOSS Code Scan
        id: scanoss-code-scan-step
        uses: scanoss/code-scan-action@v1
        with:
          policies: copyleft, undeclared, dt
          scanMode: "full"
          dependencies.enabled: true
          deptrack.upload: true
          deptrack.url: ${{ secrets.DT_SERVER_URL }}
          deptrack.apikey: ${{ secrets.DT_API_KEY }}
          deptrack.projectname: "my-project"
          deptrack.projectversion: "1.0.0"
          api.key: ${{ secrets.SCANOSS_API_KEY }}
          # api.url — required only if not using SCANOSS in SaaS mode
          # api.url: ${{ secrets.SCANOSS_URL }}

      - name: Print scan command
        # Outputs the CLI command used to invoke the scan, useful for debugging
        run: echo "${{ steps.scanoss-code-scan-step.outputs.stdout-scan-command }}"

      - name: Print results
        run: cat "${{ steps.scanoss-code-scan-step.outputs.result-filepath }}"

Workflow Configuration Options

Event Triggers

The workflow is configured to run on:
  • Push to main branch: Triggers on commits to the main branch.
  • Pull requests: Triggers on all pull requests targeting any branch.
You can customise these triggers as follows:
on:
  push:
    branches:
      - "main"
      - "develop"
  pull_request:
    branches:
      - "main"
  schedule:
    - cron: "0 0 * * 0" # Weekly on Sunday at midnight

Permissions

The workflow requires the following permissions:
| Permission    | Level | Purpose                                      |
|---------------|-------|----------------------------------------------|
| contents      | read  | Read repository contents                     |
| pull-requests | write | Post scan result comments on pull requests   |
| checks        | write | Create check runs with scan status           |
| actions       | read  | Read workflow run information                |

SCANOSS Code Scan Action Parameters

| Parameter               | Description                                      | Required | Default |
|-------------------------|--------------------------------------------------|----------|---------|
| policies                | Policies to enforce (copyleft, undeclared, dt)   | No       | None    |
| scanMode                | Scan mode: full or incremental                   | No       | full    |
| dependencies.enabled    | Enable dependency analysis                       | No       | false   |
| deptrack.upload         | Upload SBOM to Dependency Track                  | No       | false   |
| deptrack.url            | Dependency Track server URL                      | Yes*     | None    |
| deptrack.apikey         | Dependency Track API key                         | Yes*     | None    |
| deptrack.projectname    | Project name in Dependency Track                 | Yes*     | None    |
| deptrack.projectversion | Project version in Dependency Track              | Yes*     | None    |
| api.key                 | SCANOSS API key                                  | No       | None    |
| api.url                 | SCANOSS API URL (for self-hosted instances only) | No       | SaaS    |

* Note: These parameters are required when deptrack.upload is set to true.
SBOM (Software Bill of Materials) refers to the structured list of components, licences, and dependencies identified during a scan. It is the artefact uploaded to Dependency Track.
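The parameter rules above can be checked before a workflow is pushed. The script below is an added example for this guide, not part of the SCANOSS action: it extracts the `with:` inputs of the first step that uses scanoss/code-scan-action from a workflow file and verifies that the four deptrack.* inputs are present whenever deptrack.upload is true, that policy names and scanMode come from the documented set, and that api.key and deptrack.apikey are `${{ secrets.NAME }}` expressions rather than literal keys committed to the repository. It uses only the standard library and reads the YAML line by line, so it understands flat `key: value` inputs only and expects the `with:` block to follow its `uses:` line; the two sample workflows are constructed for the example.

```python
"""Preflight check for a SCANOSS Code Scan step in a GitHub Actions workflow.

Added example; not part of the SCANOSS action. Applies the rules of the
parameter table: deptrack.* inputs are required when deptrack.upload is true,
policies must be copyleft/undeclared/dt, scanMode must be full or incremental,
and credentials must be ${{ secrets.NAME }} expressions, never literals.
Line-based parsing: flat key: value inputs only, with: must follow uses:.
"""
import re
import sys
from typing import Dict, List

ACTION_PREFIX = "scanoss/code-scan-action"
DEPTRACK_REQUIRED = ("deptrack.url", "deptrack.apikey",
                     "deptrack.projectname", "deptrack.projectversion")
CREDENTIAL_INPUTS = ("api.key", "deptrack.apikey")
KNOWN_POLICIES = {"copyleft", "undeclared", "dt"}
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def extract_with_block(workflow_text: str) -> Dict[str, str]:
    """Return the with: inputs of the first step that uses the SCANOSS action."""
    inputs: Dict[str, str] = {}
    in_step = False
    with_indent = None
    for raw in workflow_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if with_indent is not None:
            if indent <= with_indent:             # dedent: the with: mapping ended
                break
            key, _, value = stripped.partition(":")
            inputs[key.strip()] = value.strip().strip("\"'")
            continue
        if stripped.startswith("- "):             # a new list item starts a new step
            in_step = False
            stripped = stripped[2:].strip()
        if stripped.startswith("uses:") and ACTION_PREFIX in stripped:
            in_step = True
        elif in_step and stripped == "with:":
            with_indent = indent
    return inputs


def _truthy(value: str) -> bool:
    return value.lower() in ("true", "yes", "on", "1")


def validate_inputs(inputs: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the step is consistent with the table."""
    findings: List[str] = []
    if _truthy(inputs.get("deptrack.upload", "false")):
        for name in DEPTRACK_REQUIRED:
            if not inputs.get(name):
                findings.append(f"{name} is required when deptrack.upload is true")
    for policy in filter(None, (p.strip() for p in inputs.get("policies", "").split(","))):
        if policy not in KNOWN_POLICIES:
            findings.append(f"unknown policy '{policy}' (expected copyleft, undeclared or dt)")
    if inputs.get("scanMode", "full") not in ("full", "incremental"):
        findings.append("scanMode must be 'full' or 'incremental'")
    for name in CREDENTIAL_INPUTS:
        value = inputs.get(name)
        if value and not SECRET_EXPR.match(value):
            findings.append(f"{name} must be a ${{{{ secrets.NAME }}}} expression, not a literal")
    return findings


def check_workflow(workflow_text: str) -> List[str]:
    inputs = extract_with_block(workflow_text)
    if not inputs:
        return [f"no step using {ACTION_PREFIX} with a with: block was found"]
    return validate_inputs(inputs)


# Constructed sample: the step from this guide, as it should look.
GOOD_WORKFLOW = """\
jobs:
  scanoss-code-scan:
    steps:
      - uses: actions/checkout@v4
      - name: Run SCANOSS Code Scan
        uses: scanoss/code-scan-action@v1
        with:
          policies: copyleft, undeclared, dt
          scanMode: "full"
          deptrack.upload: true
          deptrack.url: ${{ secrets.DT_SERVER_URL }}
          deptrack.apikey: ${{ secrets.DT_API_KEY }}
          deptrack.projectname: "my-project"
          deptrack.projectversion: "1.0.0"
          api.key: ${{ secrets.SCANOSS_API_KEY }}
          # api.url: ${{ secrets.SCANOSS_URL }}
      - name: Print results
        run: echo done
"""

# Constructed sample with the mistakes the check is meant to catch.
BAD_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: scanoss/code-scan-action@v1
        with:
          policies: copyleft, dt, licence
          deptrack.upload: true
          deptrack.url: ${{ secrets.DT_SERVER_URL }}
          deptrack.apikey: ${{ secrets.DT_API_KEY }}
          api.key: "xyz789"
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".github/workflows/scanoss-monitoring.yml"
    with open(path, encoding="utf-8") as fh:
        problems = check_workflow(fh.read())
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python check_scanoss_step.py .github/workflows/scanoss-monitoring.yml` (file name is the example's own choice); a non-zero exit with the findings listed is the signal to fix the step before committing. The literal-credential check is the one worth keeping even if the rest is dropped: a key pasted into the workflow is visible to everyone with read access to the repository and in its history.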

Customising Project Information

Update the project name and version to match your project:
deptrack.projectname: "your-project-name"
deptrack.projectversion: "1.0.0"
You can use GitHub context variables for dynamic versioning:
deptrack.projectname: "${{ github.repository }}"
deptrack.projectversion: "${{ github.ref_name }}"
Two caveats: on pull_request events github.ref_name is the merge ref (for example 42/merge) rather than the branch name, so use github.head_ref for pull requests; and Dependency Track keys projects on the name and version pair, so feeding it every branch name creates a separate project version per branch.

Commit and Push Workflow

Once you have created the workflow file, commit and push it to your repository:
# Stage the workflow file
git add .github/workflows/scanoss-monitoring.yml

# Commit the workflow
git commit -m "Add SCANOSS continuous monitoring workflow"

# Push to your repository
git push origin main

Monitoring Workflow Execution

View Workflow Runs

  1. Go to your GitHub repository.
  2. Click the Actions tab.
  3. Select the SCANOSS with Dependency Track workflow.
  4. View the list of workflow runs.

Workflow Execution Steps

Each workflow run includes the following steps:
  1. Checkout code — Clones the repository into the runner environment.
  2. Run SCANOSS Code Scan — Executes the scan and uploads results to Dependency Track.
  3. Print scan command — Outputs the CLI command used during the scan, useful for debugging.
  4. Print results — Outputs the raw scan results to the workflow log.

Understanding the Pipeline Summary

After the workflow completes, navigate to the Summary page to review results. The summary page contains the following sections:

Scan Report

Displays a breakdown of all detected licences:
  • Pie chart visualisation of licence distribution
  • Detailed table showing each licence name
  • Copyleft indicators
  • Reference URLs for licence information

Policies

Summarises the results of compliance policy checks:
  • Copyleft policy results
  • Undeclared components policy results
  • Dependency Track policy results
  • Option to expand each policy for further detail

Details

Shows upload status information:
  • Confirmation that scan results were uploaded to Dependency Track
  • Direct link to the project in Dependency Track
  • Upload timestamp and status

Annotations

Lists events captured during workflow execution:
  • Errors, warnings, or notices generated during the run
  • Context for issues such as failed pull request comments
  • Flagged code snippets or components

Artefacts

Lists all files produced during the run:
  • Scan reports
  • Policy results
  • SBOM exports (CycloneDX, SPDX)
  • All artefacts are available for download for further review
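The SBOM export among the artefacts can be inspected locally, without the run summary. The script below is an added example for this guide, not SCANOSS code: it reads a CycloneDX JSON document, tallies the licence identifiers declared on each component and flags the ones that look copyleft, which is the same information the Scan Report section presents. The copyleft prefix list is an illustrative subset chosen for this example, not a SCANOSS policy definition; licence expressions such as "GPL-2.0-only OR MIT" are treated conservatively as copyleft when they start with a listed prefix. CycloneDX JSON only; an SPDX export has a different layout and is not handled here. The embedded SBOM is constructed sample data, not a real scan result.

```python
"""Summarise the licences in a CycloneDX JSON SBOM, offline.

Added example, not SCANOSS code. Tallies licence ids per component and flags
copyleft ones. COPYLEFT_PREFIXES is an assumed, illustrative subset; extend
it to match your own policy. CycloneDX JSON only (no SPDX).
"""
import json
import sys
from collections import Counter
from typing import List, Tuple

# Assumed, illustrative set of SPDX identifier prefixes treated as copyleft.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-", "MPL-", "EPL-", "CDDL-", "EUPL-", "OSL-")


def component_licences(component: dict) -> List[str]:
    """Licence ids, names or expressions declared on one component; UNKNOWN if none."""
    found: List[str] = []
    for entry in component.get("licenses", []):
        if "license" in entry:                       # {"license": {"id": ...}} or {"name": ...}
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:                  # {"expression": "MIT OR Apache-2.0"}
            found.append(entry["expression"])
    return found or ["UNKNOWN"]


def is_copyleft(identifier: str) -> bool:
    """Conservative: an expression starting with a copyleft id counts as copyleft."""
    return identifier.upper().startswith(COPYLEFT_PREFIXES)


def summarise(sbom: dict) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Return (licence -> component count, [(name, version, licence)] for copyleft hits)."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or different)")
    counts: Counter = Counter()
    copyleft: List[Tuple[str, str, str]] = []
    for comp in sbom.get("components", []):
        for lic in component_licences(comp):
            counts[lic] += 1
            if is_copyleft(lic):
                copyleft.append((comp.get("name", "?"), comp.get("version", "?"), lic))
    return counts, copyleft


def report(sbom: dict) -> str:
    """Plain-text equivalent of the Scan Report table: licence, count, copyleft flag."""
    counts, copyleft = summarise(sbom)
    lines = [f"{lic:<24} {n:>4}  {'copyleft' if is_copyleft(lic) else ''}".rstrip()
             for lic, n in counts.most_common()]
    lines.append(f"components flagged copyleft: {len(copyleft)}")
    lines.extend(f"  {name} {version}: {lic}" for name, version, lic in copyleft)
    return "\n".join(lines)


# Constructed sample SBOM in CycloneDX 1.4 JSON shape (not a real scan result).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "lodash-mini", "version": "0.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "vendored-blob", "version": "?"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    print(report(doc))
```

Components with no licence entry surface as UNKNOWN rather than being silently dropped; those are the ones to look at first, since an undeclared licence is exactly what the undeclared policy is there to catch.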

Accessing Dependency Track

Open Your Project

Once the scan completes and results are uploaded to Dependency Track:
  1. Go to the workflow run summary.
  2. Find the Details section.
  3. Click the View Project link.
This opens the project directly in the Dependency Track dashboard.

Dashboard Overview

The Dependency Track dashboard provides the following views for your project:
  • Components: Full inventory of components with licences, versions, and risk scores.
  • Dependency Graph: Visual representation of dependency relationships.
  • Audit Vulnerabilities: Security vulnerabilities identified and requiring attention.
  • Policy Violations: Active policy breaches requiring review.

Troubleshooting

Common Issues

Workflow Fails with Authentication Error

Problem: 401 Unauthorized or 403 Forbidden errors.

Solution:
  • Verify that your API keys are correct. A 401 means the key was rejected outright; a 403 means it was accepted but lacks a permission.
  • Check that secrets are properly configured in GitHub and that the workflow references them by the exact names used above.
  • Ensure the Dependency Track team that owns the API key has the required permissions: BOM_UPLOAD for uploads, plus PROJECT_CREATION_UPLOAD if the project should be created automatically.

SBOM Upload Fails

Problem: Upload to Dependency Track fails or times out.

Solution:
  • Verify that DT_SERVER_URL is correct (the API server URL, not the separate web frontend) and reachable from GitHub Actions.
  • Check that your Dependency Track instance is running.
  • Ensure that firewall rules permit inbound connections from GitHub Actions; for GitHub-hosted runners the address ranges are published under the "actions" key of the GitHub meta API (https://api.github.com/meta).
  • Verify that the API key has project creation permissions (PROJECT_CREATION_UPLOAD in Dependency Track).

Scan Results Not Appearing

Problem: Workflow completes successfully but no data appears in Dependency Track.

Solution:
  • Confirm that deptrack.upload: true is set in your workflow configuration.
  • Verify that the project name and version are correct; Dependency Track keys projects on the name and version pair, so a typo or a different version string shows up as a separate, possibly empty, project.
  • Review Dependency Track logs for import errors; an upload is accepted asynchronously and can still fail while being processed.
  • Confirm that the SBOM format is supported (CycloneDX or SPDX).

Debug Mode

Enable debug logging by adding debug: true to the scan step:
- name: Run SCANOSS Code Scan
  id: scanoss-code-scan-step
  uses: scanoss/code-scan-action@v1
  with:
    # ... other parameters ...
    debug: true
For detailed usage instructions, see the Usage Examples section.