
# GitHub Actions

> Automate software composition analysis in your CI/CD pipeline with the SCANOSS GitHub Action.

The [SCANOSS Code Scan Action](https://github.com/scanoss/gha-code-scan) enhances your software development process by automatically scanning code for open source components, security vulnerabilities and license compliance. It integrates seamlessly into GitHub workflows with configurable policies and comprehensive reporting.

## Prerequisites

Before you begin, make sure you have:

* An existing GitHub repository
* A valid SCANOSS API key

## Getting Started

### Configure GitHub Secrets

Navigate to your GitHub repository and add the following secrets:

**Settings → Secrets and variables → Actions → New repository secret**

| Variable Name      | Value       |
| ------------------ | ----------- |
| `SCANOSS_API_KEY`  | `xyz789...` |

### Create Workflow File

Create `.github/workflows/scanoss.yml` in your repository:

```yaml
name: SCANOSS Code Scan

on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "*"

permissions:
  contents: write
  pull-requests: write
  checks: write
  actions: read

jobs:
  scanoss-analysis:
    name: SCANOSS Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Run SCANOSS scan
        id: scanoss-code-scan-step
        uses: scanoss/gha-code-scan@v1
        with:
          policies: undeclared
          api.key: ${{ secrets.SCANOSS_API_KEY }}
```

### Commit and Push

```bash
git add .github/workflows/scanoss.yml
git commit -m "Add SCANOSS snippet detection"
git push
```

The workflow will automatically run on the next push or pull request.

## Understanding Results

### GitHub Actions Summary

After the scan completes, view results directly in the Actions tab:

1. Navigate to **Actions** in your repository
2. Select the latest workflow run
3. Review the **Annotations** section to see detected snippets and matches

![SCANOSS Job Summary](https://mintcdn.com/scanoss/EzgsdMTHLrDIw7V1/en/latest/poc/license-dataset/snippet-detection/images/github-actions-summary.png?fit=max&auto=format&n=EzgsdMTHLrDIw7V1&q=85&s=f6358fcd4973cf7953f6d75a1eac1530)

4. Click **View detailed comments on commit** to examine individual file matches with detailed comparison

![SCANOSS Snippet Comments](https://mintcdn.com/scanoss/EzgsdMTHLrDIw7V1/en/latest/poc/license-dataset/snippet-detection/images/snippet-comments.png?fit=max&auto=format&n=EzgsdMTHLrDIw7V1&q=85&s=6ede78de2c41d81e61f99d563f8931eb)

### Resolving Undeclared Components

When undeclared components are detected, SCANOSS provides an easy resolution path:

1. Navigate to the failed **Policy Check: Undeclared** to see which components need declaration

2. If `scanoss.json` doesn't exist in your repository, click **Create scanoss.json file** to generate it automatically

3. Review the pre-populated component list and click **Commit Changes**

![SCANOSS Policy Check](https://mintcdn.com/scanoss/EzgsdMTHLrDIw7V1/en/latest/poc/license-dataset/snippet-detection/images/policy-check.png?fit=max&auto=format&n=EzgsdMTHLrDIw7V1&q=85&s=79b4d5ad8d7e0b1baaf73b9f6532a103)

4. The new commit automatically triggers a rescan, which will pass the undeclared policy check.

![SCANOSS Policy Pass](https://mintcdn.com/scanoss/EzgsdMTHLrDIw7V1/en/latest/poc/license-dataset/snippet-detection/images/scanoss-policy-pass.png?fit=max&auto=format&n=EzgsdMTHLrDIw7V1&q=85&s=309b2bc958c763e14024ad7c319f75dc)

The `scanoss.json` file serves as your project's component declaration, ensuring your team has visibility into all open source code used in your repository. Keep this file updated as you add or remove dependencies to maintain accurate compliance tracking.
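The following Python script is an added illustration of the declaration logic behind the `undeclared` policy check described above; it is not SCANOSS code, and it does not call the SCANOSS service. It assumes the `scanoss.json` layout is a `bom.include` list of `{"purl": ...}` entries (the page itself does not show the file's contents), and both the declaration file and the list of "detected" components are constructed sample data. It reports which detected components are missing from the declaration and shows how the declaration is pre-populated so the next scan passes.

```python
"""Local mirror of the 'undeclared components' idea: which detected
open source components are missing from the repository's scanoss.json.
Added illustration; not SCANOSS's own code or schema definition."""
import json
from typing import Iterable

# Constructed scanoss.json contents. The "bom.include" list of purl
# entries is the layout assumed here for the declaration file.
DECLARATION_JSON = """
{
  "bom": {
    "include": [
      {"purl": "pkg:github/scanoss/scanoss.py"},
      {"purl": "pkg:npm/lodash@4.17.21"}
    ]
  }
}
"""

# Constructed stand-in for the component purls a scan reported.
DETECTED_PURLS = [
    "pkg:github/scanoss/scanoss.py",
    "pkg:npm/lodash@4.17.21",
    "pkg:github/scanoss/engine",
]


def declared_purls(settings_text: str) -> set[str]:
    """Return the set of purls declared in a scanoss.json document."""
    data = json.loads(settings_text)
    entries = data.get("bom", {}).get("include", [])
    return {e["purl"] for e in entries if "purl" in e}


def undeclared(detected: Iterable[str], settings_text: str) -> list[str]:
    """Components detected by the scan but absent from the declaration.
    A non-empty result is what the policy check treats as a failure."""
    declared = declared_purls(settings_text)
    return sorted(p for p in set(detected) if p not in declared)


def add_declarations(settings_text: str, purls: Iterable[str]) -> str:
    """Return scanoss.json text with the given purls appended to bom.include.
    Mirrors the 'Create scanoss.json file' step: an empty or missing file
    becomes a fresh declaration, existing entries are kept and not duplicated."""
    data = json.loads(settings_text) if settings_text.strip() else {}
    include = data.setdefault("bom", {}).setdefault("include", [])
    existing = {e.get("purl") for e in include}
    for purl in purls:
        if purl not in existing:
            include.append({"purl": purl})
            existing.add(purl)
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    missing = undeclared(DETECTED_PURLS, DECLARATION_JSON)
    print("undeclared:", missing)
    # Pre-populate the declaration, as the 'Create scanoss.json file'
    # button does, then confirm a re-check would pass.
    updated = add_declarations(DECLARATION_JSON, missing)
    print(updated)
    print("undeclared after update:", undeclared(DETECTED_PURLS, updated))
```

Running the script lists `pkg:github/scanoss/engine` as undeclared, writes it into the declaration, and then reports nothing undeclared, which is the same before/after sequence the commit-and-rescan flow above produces in GitHub.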
