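name: Black Duck Scan
on:
  workflow_dispatch:
    inputs:
      production:
        description: Production
        type: boolean
        default: true
      version:
        description: 'For non-production scan only: base branch version'
        type: choice
        options:
          - v6
          - v7
        default: v6
      log-level:
        description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.'
        type: choice
        options:
          - 'OFF'
          - ERROR
          - WARN
          - INFO
          - DEBUG
          - TRACE
        default: INFO

# Least privilege for GITHUB_TOKEN: this workflow only checks the repository
# out and never writes back through the token, so read-only contents is enough.
permissions:
  contents: read

jobs:
  scan-code:
    # Display name is static; the `version` input (v6/v7) only affects the
    # version id of a non-production (DEV) scan, see VERSION_ID below.
    name: Scan v6
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        # Supply-chain note: `@v3` is a mutable tag. Pinning to the full commit
        # SHA of the release (with the tag in a trailing comment) locks the
        # action's code; no SHA is recorded here, so the tag is kept as-is.
        uses: actions/checkout@v3
        with:
          # Number of commits to fetch. 0 indicates all history for all branches and tags.
          # Pulls all commits (needed for Lerna)
          fetch-depth: 0
      - name: Install Dependencies
        run: npm ci --audit=false --fund=false
      - name: Scanning
        # Inputs, repository variables and the API token reach the script as
        # environment variables instead of being expanded into the script text
        # with ${{ }}. That keeps the token out of the rendered command and
        # means a value containing shell metacharacters cannot change what the
        # script executes.
        env:
          DETECT_VERSION: ${{ vars.SYNOPSYS_DETECT_VERSION }}
          BLACKDUCK_APP_ID: ${{ vars.BLACKDUCK_APP_ID }}
          BLACKDUCK_PROJECT_ID: ${{ vars.BLACKDUCK_PROJECT_ID }}
          BLACKDUCK_URL: ${{ vars.BLACKDUCK_URL }}
          # Detect resolves its properties from the environment as well as the
          # command line (blackduck.api.token -> BLACKDUCK_API_TOKEN), so the
          # token is not placed in the java argv, where any process on the
          # runner could read it via ps / /proc.
          BLACKDUCK_API_TOKEN: ${{ secrets.BLACKDUCK_APP_TOKEN }}
          PRODUCTION: ${{ inputs.production }}
          BASE_VERSION: ${{ inputs.version }}
          LOG_LEVEL: ${{ inputs.log-level }}
        run: |
          set -euo pipefail

          # Fail early with a clear message instead of a confusing download or
          # authentication error later on.
          if [[ -z "${DETECT_VERSION}" ]]; then echo "[BLACKDUCK] SYNOPSYS_DETECT_VERSION must be set"; exit 1; fi
          if [[ -z "${BLACKDUCK_APP_ID}" ]]; then echo "[BLACKDUCK] APP_ID must be set"; exit 1; fi
          if [[ -z "${BLACKDUCK_PROJECT_ID}" ]]; then echo "[BLACKDUCK] PROJECT_ID must be set"; exit 1; fi
          if [[ -z "${BLACKDUCK_URL}" ]]; then echo "[BLACKDUCK] BLACKDUCK_URL must be set"; exit 1; fi
          if [[ -z "${BLACKDUCK_API_TOKEN}" ]]; then echo "[BLACKDUCK] BLACKDUCK_APP_TOKEN must be set"; exit 1; fi

          DETECT_FILE="synopsys.jar"
          mkdir -p appsec

          # --fail: an HTTP 404/5xx from the artifact host must abort the job
          # rather than save an error page as "synopsys.jar" (curl otherwise
          # exits 0 and the failure only surfaces when java cannot open the jar).
          # No checksum for the jar is recorded in this workflow; verifying a
          # pinned digest after download would close the remaining gap.
          curl --fail --silent --show-error --location \
            "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-detect/${DETECT_VERSION}/synopsys-detect-${DETECT_VERSION}.jar" \
            -o "appsec/${DETECT_FILE}"

          # `production` is a boolean input, so it is always "true" or "false".
          if [[ "${PRODUCTION}" == "true" ]]; then
            RELEASE_TYPE="PROD"
            VERSION_ID="Release_${GITHUB_REF#refs/heads/}"
          else
            RELEASE_TYPE="DEV"
            VERSION_ID="Development-${BASE_VERSION}"
          fi

          # NOTE(review): --blackduck.trust.cert=true disables TLS certificate
          # validation for the Black Duck server, so the API token would also be
          # sent to a host impersonating it. Only keep this if the server uses a
          # private CA, and prefer importing that CA into the JVM truststore.
          java -jar "appsec/${DETECT_FILE}" \
            --detect.project.application.id="${BLACKDUCK_APP_ID}" \
            --detect.project.name="${BLACKDUCK_APP_ID}-${BLACKDUCK_PROJECT_ID}-${RELEASE_TYPE}" \
            --detect.project.user.groups="${BLACKDUCK_APP_ID}-AppSec-Dev" \
            --detect.project.version.name="${VERSION_ID}" \
            --detect.code.location.name="${BLACKDUCK_APP_ID}-${BLACKDUCK_PROJECT_ID}-${VERSION_ID}" \
            --detect.source.path="." \
            --detect.clone.project.version.latest=true \
            --blackduck.url="${BLACKDUCK_URL}" \
            --blackduck.trust.cert=true \
            --logging.level.detect="${LOG_LEVEL}" \
            --detect.excluded.directories=appsec \
            --detect.npm.dependency.types.excluded="DEV" \
            --detect.lerna.path="./node_modules/.bin/lerna" # make sure blackduck use lerna from npm package rather than shell one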