-
Notifications
You must be signed in to change notification settings - Fork 55
69 lines (69 loc) · 2.67 KB
/
bd+coverity+srm.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# example workflow for standalone Black Duck, Coverity and SRM using GitHub Actions
# - Black Duck and Coverity full scans on push to specified branches with import into SRM
# - Black Duck Rapid and Coverity Comparison scans on pull requests with PR comments enabled
# https://github.com/marketplace/actions/black-duck-security-scan
# https://github.com/marketplace/actions/srm-analysis
name: bd+coverity+srm
on:
push:
branches: [ main, master, develop, stage, release ]
pull_request:
branches: [ main, master, develop, stage, release ]
workflow_dispatch:
jobs:
blackduck:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v4
- name: Setup Java JDK
uses: actions/setup-java@v4
with:
java-version: 17
distribution: microsoft
cache: maven
- name: Maven Build
run: mvn -B -DskipTests package
- name: Black Duck SCA Scan
uses: blackduck-inc/[email protected]
env:
DETECT_PROJECT_NAME: ${{ github.event.repository.name }}
with:
blackducksca_url: ${{ vars.BLACKDUCK_URL }}
blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
# blackducksca_scan_failure_severities: 'BLOCKER'
blackducksca_fixpr_enabled: true
blackducksca_prComment_enabled: true
blackducksca_reports_sarif_create: true
blackducksca_upload_sarif_report: true
github_token: ${{ secrets.GITHUB_TOKEN }}
# include_diagnostics: true
- name: Coverity SAST Scan
uses: blackduck-inc/[email protected]
with:
coverity_url: ${{ vars.COVERITY_URL }}
coverity_user: ${{ secrets.COV_USER }}
coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
# coverity_policy_view: ${{ github.event_name != 'pull_request' && 'Outstanding Issues' || '' }}
coverity_prComment_enabled: true
github_token: ${{ secrets.GITHUB_TOKEN }}
# include_diagnostics: true
- name: SRM Import
if: ${{ github.event_name != 'pull_request' }}
uses: codedx/[email protected]
with:
server-url: ${{ vars.SRM_URL }}/codedx
api-key: ${{ secrets.SRM_APIKEY }}
auto-create-project: true
project-name: ${{ github.event.repository.name }}
base-branch-name: ${{ github.event.repository.default_branch }}
target-branch-name: ${{ github.ref_name }}
source-and-binaries-glob: './**'
wait-for-completion: true
# - name: Save Logs
# if: always()
# uses: actions/upload-artifact@v4
# with:
# name: bridge-logs
# path: ${{ github.workspace }}/.bridge
# include-hidden-files: true