
SCANOSS GitHub Actions with Dependency Track Integration

  • Writer: Frankie
  • Sep 17
  • 1 min read

Our GitHub Actions integration for SCANOSS has been extended to support Dependency Track policy checks. That means when you scan your project with SCANOSS in GitHub Actions, you can now automatically:


  • Convert scan results into CycloneDX SBOMs.

  • Upload scan results as artifacts for inspection or downstream jobs.

  • Apply Dependency Track policies directly in your workflow.


How It Works


When you trigger SCANOSS from GitHub Actions, the workflow: 


  1. Scans your repository for open-source components.

  2. Generates a CycloneDX SBOM.

  3. Uploads the SBOM to Dependency Track.

  4. Runs Dependency Track policy checks as part of the same GitHub Actions job.

  5. Makes results available as artifacts for later use.


The same capabilities are also fully supported from the SCANOSS Python CLI, so you can run the exact same workflow locally or in other pipelines.


For exporting results into Dependency Track format:

scanoss-py export dt

For running policy checks directly with Dependency Track:

scanoss-py ins dt
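The five steps above and the two scanoss-py subcommands can be followed end to end in code. The block below is an added example written for this page, not SCANOSS or Dependency Track project code: it converts a scan result, given in a simplified and constructed form of the SCANOSS result layout, into a CycloneDX 1.5 SBOM, prepares the Dependency Track `PUT /api/v1/bom` submission (the base64 `bom` field and the `X-Api-Key` header are that project's documented request shape), and runs a local license/severity pre-check that stands in for Dependency Track's server-side policy evaluation. The sample scan, the license denylist and the severity threshold are constructed for the example; the CVE attached to the zlib match is a real advisory used only as sample data.

```python
import base64
import json
import uuid

# Constructed sample in a simplified form of the SCANOSS result layout:
# file path -> list of matches. Two zlib files resolve to the same purl
# (exercises deduplication); README.md has no match ("id": "none").
SAMPLE_SCAN = {
    "vendor/zlib/inflate.c": [{
        "id": "snippet", "component": "zlib", "version": "1.2.11",
        "purl": ["pkg:github/madler/zlib"], "licenses": [{"name": "Zlib"}],
        "vulnerabilities": [{"id": "CVE-2018-25032", "severity": "HIGH"}]}],
    "vendor/zlib/deflate.c": [{
        "id": "snippet", "component": "zlib", "version": "1.2.11",
        "purl": ["pkg:github/madler/zlib"], "licenses": [{"name": "Zlib"}],
        "vulnerabilities": [{"id": "CVE-2018-25032", "severity": "HIGH"}]}],
    "lib/readline.c": [{
        "id": "file", "component": "readline", "version": "8.2",
        "purl": ["pkg:github/gnu/readline"],
        "licenses": [{"name": "GPL-3.0-only"}], "vulnerabilities": []}],
    "src/strlcpy.c": [{
        "id": "file", "component": "openbsd-src", "version": "7.2",
        "purl": ["pkg:github/openbsd/src"],
        "licenses": [{"name": "BSD-3-Clause"}], "vulnerabilities": []}],
    "README.md": [{"id": "none"}],
}

# CycloneDX severity vocabulary, ranked for threshold comparison.
SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}


def scan_to_cyclonedx(scan):
    """Build a CycloneDX 1.5 JSON SBOM: one component per purl, the files
    it was matched in recorded as evidence, vulnerabilities at top level."""
    components, vulns = {}, {}
    for path, matches in scan.items():
        for m in matches:
            if m.get("id") == "none" or not m.get("purl"):
                continue  # unmatched file, nothing to declare
            purl = m["purl"][0]
            comp = components.setdefault(purl, {
                "type": "library", "bom-ref": purl, "name": m["component"],
                "version": m["version"], "purl": purl,
                "licenses": [{"license": {"name": lic["name"]}}
                             for lic in m.get("licenses", [])],
                "evidence": {"occurrences": []}})
            comp["evidence"]["occurrences"].append({"location": path})
            for v in m.get("vulnerabilities", []):
                entry = vulns.setdefault(v["id"], {
                    "id": v["id"],
                    "ratings": [{"severity": v["severity"].lower()}],
                    "affects": []})
                if {"ref": purl} not in entry["affects"]:
                    entry["affects"].append({"ref": purl})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
            "components": list(components.values()),
            "vulnerabilities": list(vulns.values())}


def build_upload_request(bom, base_url, api_key, project_name, project_version):
    """Prepare Dependency Track's PUT /api/v1/bom call: JSON body with the
    BOM base64-encoded, API key in X-Api-Key. Returns (url, headers, body)
    and sends nothing; hand it to any HTTP client."""
    body = {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True,
            "bom": base64.b64encode(json.dumps(bom).encode()).decode()}
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    return base_url.rstrip("/") + "/api/v1/bom", headers, json.dumps(body)


def check_policy(bom, denied_licenses=(), max_severity="medium"):
    """Local pre-check mirroring two common Dependency Track policy
    conditions (license denylist, vulnerability severity threshold).
    Returns violation strings; an empty list means the gate passes."""
    violations = []
    for comp in bom["components"]:
        for lic in comp.get("licenses", []):
            name = lic["license"]["name"]
            if name in denied_licenses:
                violations.append(f"{comp['purl']}: license {name} is denied")
    for v in bom.get("vulnerabilities", []):
        sev = v["ratings"][0]["severity"]
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[max_severity]:
            for a in v["affects"]:
                violations.append(
                    f"{a['ref']}: {v['id']} rated {sev} exceeds {max_severity}")
    return violations


if __name__ == "__main__":
    sbom = scan_to_cyclonedx(SAMPLE_SCAN)
    url, _, _ = build_upload_request(
        sbom, "https://dtrack.example.internal", "<api-key>", "demo", "1.0")
    print(f"{len(sbom['components'])} components -> {url}")
    for line in check_policy(sbom, denied_licenses={"GPL-3.0-only"}):
        print("VIOLATION:", line)
```

In a pipeline the `check_policy` result is what decides the job outcome: a non-empty list should fail the step, which is the behaviour the Dependency Track policy check in the action provides without this local code. The hostname, API key and project name in the `__main__` block are placeholders.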

Why It Matters


This is about avoiding bad commits:


  • You know immediately if you’ve introduced a vulnerable or non-compliant component.

  • Policy checks run right inside GitHub Actions, with no extra steps or manual uploads.

  • The feedback loop happens where you already work, keeping pipelines fast and clean.


Get Started

Check out the updated repo and documentation: https://github.com/scanoss/gha-code-scan

Adopt SCANOSS today

Get complete visibility and control over your open source.
