chore: update blackduck scan configuration

Refinitiv · Nov 21, 2023 · f8e9179 · f8e9179
1 parent 788e08b
commit f8e9179
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/.github/workflows/blackduck_scan.yml b/.github/workflows/blackduck_scan.yml
@@ -1,15 +1,44 @@
 name: Black Duck Scan
 
 on:
+  workflow_call:
+    inputs:
+      production:
+        description: Production
+        type: boolean
+      version:
+        description: 'For non-production scan only: base branch version'
+        type: string
+      log-level:
+        description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.'
+        type: string
+        default: INFO
   workflow_dispatch:
     inputs:
       production:
         description: Production
         type: boolean
-        default: true
+      version:
+        description: 'For non-production scan only: base branch version'
+        type: choice
+        options:
+          - v6
+          - v7
+      log-level:
+        description: 'Log level of scanning. Use DEBUG or TRACE for troubleshooting.'
+        type: choice
+        options:
+          - 'OFF'
+          - ERROR
+          - WARN
+          - INFO
+          - DEBUG
+          - TRACE
+        default: INFO
 
 jobs:
-  scan-code:
+  scan-blackduck:
+    name: 'Blackduck'
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -28,7 +57,7 @@ jobs:
           mv $DETECT_FILE appsec/
 
           if [[ "${{ inputs.production }}" == "true" ]]; then  export RELEASE_TYPE="PROD"; export VERSION_ID="Release_${GITHUB_REF#refs/heads/}"; fi
-          if [[ "${{ inputs.production }}" == "false" ]]; then export RELEASE_TYPE="DEV"; export VERSION_ID="Development-SINGLE"; fi
+          if [[ "${{ inputs.production }}" == "false" ]]; then export RELEASE_TYPE="DEV"; export VERSION_ID="Development-${{ inputs.version }}"; fi
           if [[ -z "${{ vars.BLACKDUCK_APP_ID }}" ]]; then  echo "[BLACKDUCK] APP_ID must be set";  exit 1; fi
           if [[ -z "${{ vars.BLACKDUCK_PROJECT_ID }}" ]]; then echo "[BLACKDUCK] PROJECT_ID must be set"; exit 1; fi
           if [[ -z "${{ secrets.BLACKDUCK_APP_TOKEN }}" ]]; then echo "[BLACKDUCK] BLACKDUCK_APP_TOKEN must be set"; exit 1; fi
@@ -44,5 +73,8 @@ jobs:
           --blackduck.api.token="${{ secrets.BLACKDUCK_APP_TOKEN }}" \
           --blackduck.url="${{ vars.BLACKDUCK_URL }}" \
           --blackduck.trust.cert=true \
+          --logging.level.detect=${{ inputs.log-level }} \
+          --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL,MAJOR,MINOR \
           --detect.excluded.directories=appsec \
+          --detect.npm.dependency.types.excluded="DEV" \
           --detect.lerna.path="./node_modules/.bin/lerna" # make sure blackduck use lerna from npm package rather than shell one